Windows Analysis Report
buNtKcYHCa.exe

Overview

General Information

Sample name: buNtKcYHCa.exe
renamed because original name is a hash value
Original sample name: 0680170d17b99321500944eb7deded51.exe
Analysis ID: 1544505
MD5: 0680170d17b99321500944eb7deded51
SHA1: e7f95862d8e68584087acee5207dde9d81d544af
SHA256: d4a2d9c10babdabd7bf16ee4773da3f82951c5741a682db002820deb6ff5eafd
Tags: 32 exe trojan

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
LummaC encrypted strings found
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs: -
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection

Source: 0.2.buNtKcYHCa.exe.2e18000.2.unpack Malware Configuration Extractor: LummaC {"C2 url": ["offybirhtdi.sbs", "ostracizez.sbs", "arenbootk.sbs", "mediavelk.sbs", "strikebripm.sbs", "definitib.sbs", "activedomest.sbs", "elaboretib.sbs"], "Build id": "tLYMe5--4"}
Source: buNtKcYHCa.exe ReversingLabs: Detection: 23%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: 00000000.00000002.1475000869.0000000003182000.00000004.00001000.00020000.00000000.sdmp String decryptor: offybirhtdi.sbs
Source: 00000000.00000002.1475000869.0000000003182000.00000004.00001000.00020000.00000000.sdmp String decryptor: activedomest.sbs
Source: 00000000.00000002.1475000869.0000000003182000.00000004.00001000.00020000.00000000.sdmp String decryptor: arenbootk.sbs
Source: 00000000.00000002.1475000869.0000000003182000.00000004.00001000.00020000.00000000.sdmp String decryptor: mediavelk.sbs
Source: 00000000.00000002.1475000869.0000000003182000.00000004.00001000.00020000.00000000.sdmp String decryptor: definitib.sbs
Source: 00000000.00000002.1475000869.0000000003182000.00000004.00001000.00020000.00000000.sdmp String decryptor: elaboretib.sbs
Source: 00000000.00000002.1475000869.0000000003182000.00000004.00001000.00020000.00000000.sdmp String decryptor: strikebripm.sbs
Source: 00000000.00000002.1475000869.0000000003182000.00000004.00001000.00020000.00000000.sdmp String decryptor: ostracizez.sbs
Source: 00000000.00000002.1475000869.0000000003182000.00000004.00001000.00020000.00000000.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1475000869.0000000003182000.00000004.00001000.00020000.00000000.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1475000869.0000000003182000.00000004.00001000.00020000.00000000.sdmp String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1475000869.0000000003182000.00000004.00001000.00020000.00000000.sdmp String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1475000869.0000000003182000.00000004.00001000.00020000.00000000.sdmp String decryptor: Workgroup: -
Source: 00000000.00000002.1475000869.0000000003182000.00000004.00001000.00020000.00000000.sdmp String decryptor: tLYMe5--4
Source: buNtKcYHCa.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.7:49759 version: TLS 1.2
Source: buNtKcYHCa.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: BitLockerToGo.pdb source: buNtKcYHCa.exe, 00000000.00000002.1472271900.0000000002EA6000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdbGCTL source: buNtKcYHCa.exe, 00000000.00000002.1472271900.0000000002EA6000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx esi, byte ptr [esp+ecx+00000106h] 3_2_032CDE90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+18E26AFFh] 3_2_032E3330
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], B62B8D10h 3_2_032E3330
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp word ptr [esi+eax+02h], 0000h 3_2_032EC390
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov dword ptr [esp+1Ch], F2EEECF6h 3_2_032ED3EA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp eax 3_2_032ED3EA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [eax+ebx], 00000030h 3_2_032C12D5
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edi, byte ptr [esp+eax+548844AEh] 3_2_03305120
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax+4E2BFA43h] 3_2_03301100
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ebx, byte ptr [eax] 3_2_032EF1A2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx eax, byte ptr [esp+ebx+4FFEBE6Ch] 3_2_032CD1F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, ebx 3_2_032CD1F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp word ptr [esi+eax+02h], 0000h 3_2_032EC020
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov dword ptr [edi+34h], 00000001h 3_2_032C9006
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 50DC24C7h 3_2_03306040
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, eax 3_2_032E2090
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [esi], cx 3_2_032D10D7
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h 3_2_032E5770
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov edx, dword ptr [esi+20h] 3_2_032EA7E2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp eax 3_2_032EC7DC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 3E416E49h 3_2_03304640
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [ebx+esi*8], 16194952h 3_2_03304640
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h 3_2_032DC692
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [esi], cx 3_2_032DC692
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [eax], dx 3_2_032E16C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [eax], dx 3_2_032E15AD
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [edx], al 3_2_032F0417
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [03310498h] 3_2_032FD4B8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], B62B8D10h 3_2_032FD4B8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [edi], cl 3_2_032F1495
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h 3_2_033064F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp edi 3_2_033054D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [edx+ecx*8], 3602324Eh 3_2_03306B70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ebp, word ptr [eax] 3_2_03306B70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [eax], cx 3_2_032E3B40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edx, byte ptr [eax] 3_2_032E3B40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, eax 3_2_032E6B58
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ebx, byte ptr [eax+edi] 3_2_03303A33
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [ebx], dl 3_2_032EEAF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 3_2_032F9970
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [edi], al 3_2_032F09A1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [edi], al 3_2_032F09A1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx eax, byte ptr [esi+ecx+77CF5801h] 3_2_032F09A1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx esi, byte ptr [esp+ecx-000000A1h] 3_2_032ED9C5
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp edi 3_2_03305800
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edx, byte ptr [esi+ebx] 3_2_032C5850
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, ebx 3_2_032DF8A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 3568C09Bh 3_2_032DF8A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [ebx], cx 3_2_032DF8A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp word ptr [ebp+ecx+02h], 0000h 3_2_032E18B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+4Ch] 3_2_032ECD09
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], 9ABDB589h 3_2_032E9FE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [edx], al 3_2_032F0FFE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov edx, ecx 3_2_032DCFDD
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], 9ABDB589h 3_2_032EEE3D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 3_2_032EDE60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [ebx+edi*8], C0A4C970h 3_2_03306E50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx esi, byte ptr [esp+ecx-27h] 3_2_032CFE86
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx esi, byte ptr [esp+ecx-27h] 3_2_032CFE86
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ecx, word ptr [edi+eax] 3_2_03303E80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+4Ch] 3_2_032ECD09
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax-411B9734h] 3_2_032E0D60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [eax], cx 3_2_032E0D60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ecx, word ptr [esp+eax*4+000004A8h] 3_2_032CBC40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp edx, 02h 3_2_032CBC40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 3_2_032ECC5F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx esi, byte ptr [esp+eax+4E2BFA47h] 3_2_032FFC90
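The "4x nop then ..." entries above, together with the "Uses code obfuscation techniques (call, push, ret)" signature, describe two byte-level artefacts that can be looked for directly in an unpacked code section. The Python below is an added example written for this page, not Joe Sandbox code and not code from the sample: it reports runs of four or more single-byte NOPs and push imm32; ret sequences. The rule that a NOP run ending exactly on a 16-byte boundary is compiler alignment padding is an assumption built into the scanner, and the byte buffer is constructed for illustration; it contains none of the sample's bytes.

```python
"""Byte-level heuristics for two obfuscation artefacts from the signature list:
inlined NOP runs ("4x nop then ...") and push imm32 / ret indirection
("call, push, ret").  Added example for this page; the byte buffer is constructed."""
import re
from dataclasses import dataclass

MIN_NOP_RUN = 4       # the sandbox signature triggers on four consecutive NOPs
ALIGNMENT = 16        # assumption: runs ending on a 16-byte boundary are padding


@dataclass(frozen=True)
class Hit:
    kind: str     # "inline_nop" or "push_ret"
    offset: int   # offset of the first byte of the pattern
    length: int   # number of bytes the pattern covers
    detail: str   # human-readable description


def find_inline_nops(code: bytes, min_run: int = MIN_NOP_RUN) -> list[Hit]:
    """Runs of >= min_run single-byte NOPs (0x90) inside code.  A run that
    ends exactly on an alignment boundary is treated as compiler padding
    and skipped; anything else is reported with the opcode that follows it."""
    hits = []
    for m in re.finditer(rb"\x90{%d,}" % min_run, code):
        start, end = m.start(), m.end()
        if end % ALIGNMENT == 0:
            continue
        following = code[end:end + 1].hex() or "<eof>"
        hits.append(Hit("inline_nop", start, end - start,
                        f"{end - start}x nop then opcode {following}"))
    return hits


def find_push_ret(code: bytes) -> list[Hit]:
    """push imm32 (68 xx xx xx xx) immediately followed by ret (C3): a
    branch to the pushed address that never appears as a call/jmp target,
    which breaks naive control-flow recovery."""
    hits = []
    for m in re.finditer(rb"\x68(.{4})\xc3", code, re.DOTALL):
        target = int.from_bytes(m.group(1), "little")
        hits.append(Hit("push_ret", m.start(), 6, f"push 0x{target:08x}; ret"))
    return hits


def scan(code: bytes) -> list[Hit]:
    """All hits from both heuristics, ordered by offset."""
    return sorted(find_inline_nops(code) + find_push_ret(code), key=lambda h: h.offset)


# Constructed buffer (not bytes from the sample): a small function with an
# inlined NOP run and a push/ret, then NOP padding up to the next 16-byte
# aligned function start, which the alignment rule must ignore.
SAMPLE = bytes.fromhex(
    "55 8b ec"                # 0x00 push ebp; mov ebp, esp
    "90 90 90 90"             # 0x03 four inlined NOPs (run ends at 0x07)
    "0f b6 34 0c"             # 0x07 movzx esi, byte ptr [esp+ecx]
    "68 78 56 34 12 c3"       # 0x0b push 0x12345678; ret
    + "90" * 15               # 0x11 fifteen NOPs of padding up to 0x20 (skipped)
    + "55 8b ec 5d c3"        # 0x20 push ebp; mov ebp, esp; pop ebp; ret
)

if __name__ == "__main__":
    for h in scan(SAMPLE):
        print(f"{h.offset:#06x} {h.kind:<11} {h.detail}")
```

Run this over the executable section of the unpacked image rather than the whole file; resource blobs and data sections produce runs of 0x90 by chance. The alignment exclusion is only a heuristic: MSVC normally pads between functions with INT3 (CC) and aligns loops with multi-byte NOP forms (0F 1F ...), so a run of single-byte NOPs that stops short of a boundary, in the middle of a function, is the stronger signal.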

Networking

Source: Network traffic Suricata IDS: 2056850 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (strikebripm .sbs) : 192.168.2.7:50115 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056841 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mediavelk .sbs) : 192.168.2.7:52069 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056844 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (definitib .sbs) : 192.168.2.7:49415 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056853 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ostracizez .sbs) : 192.168.2.7:53451 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056835 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (activedomest .sbs) : 192.168.2.7:51494 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056832 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (offybirhtdi .sbs) : 192.168.2.7:59331 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056838 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (arenbootk .sbs) : 192.168.2.7:63286 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056847 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (elaboretib .sbs) : 192.168.2.7:49437 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.7:49759 -> 104.102.49.254:443
Source: Malware configuration extractor URLs: offybirhtdi.sbs
Source: Malware configuration extractor URLs: ostracizez.sbs
Source: Malware configuration extractor URLs: arenbootk.sbs
Source: Malware configuration extractor URLs: mediavelk.sbs
Source: Malware configuration extractor URLs: strikebripm.sbs
Source: Malware configuration extractor URLs: definitib.sbs
Source: Malware configuration extractor URLs: activedomest.sbs
Source: Malware configuration extractor URLs: elaboretib.sbs
Source: Joe Sandbox View IP Address: 104.102.49.254
Source: Joe Sandbox View ASN Name: AKAMAI-ASUS
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic HTTP traffic detected:
    GET /profiles/76561199724331900 HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Host: steamcommunity.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported 10 times)
Source: global traffic HTTP traffic detected:
    GET /profiles/76561199724331900 HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Host: steamcommunity.com
Source: BitLockerToGo.exe, 00000003.00000002.1488710149.0000000003664000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cb4a621662dea893af1b461ce15baa4ea; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=39815ef0c60c9a8065487d53; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type26105Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveTue, 29 Oct 2024 13:17:31 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: ostracizez.sbs
Source: global traffic DNS traffic detected: DNS query: strikebripm.sbs
Source: global traffic DNS traffic detected: DNS query: elaboretib.sbs
Source: global traffic DNS traffic detected: DNS query: definitib.sbs
Source: global traffic DNS traffic detected: DNS query: mediavelk.sbs
Source: global traffic DNS traffic detected: DNS query: arenbootk.sbs
Source: global traffic DNS traffic detected: DNS query: activedomest.sbs
Source: global traffic DNS traffic detected: DNS query: offybirhtdi.sbs
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
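The extracted configuration, the decrypted strings and the network observations above are enough to write hunting logic for this build. The Python below is an added example for this page, not part of the Joe Sandbox report: it applies the eight C2 domains from the configuration, the "TeslaBrowser/5.5" user agent and the "lid=%s&j=%s&ver=4.0" beacon format from the decrypted strings, and two behavioural checks derived from the process tree (BitLockerToGo.exe spawned by a parent outside C:\Windows, and a Steam profile page fetched by a process that is not a browser). The event records and their field names, the POST path, and the use of the build ID as the lid value are constructed assumptions, not observations from this report.

```python
"""Hunting logic built from the indicators in this report.  Added example;
the event records below are constructed, not sandbox output."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Indicators taken from the report's configuration and decrypted strings
C2_DOMAINS = {
    "offybirhtdi.sbs", "ostracizez.sbs", "arenbootk.sbs", "mediavelk.sbs",
    "strikebripm.sbs", "definitib.sbs", "activedomest.sbs", "elaboretib.sbs",
}
BUILD_ID = "tLYMe5--4"
BEACON_UA = "TeslaBrowser/5.5"
BEACON_BODY = re.compile(r"^lid=[^&]+&j=[^&]*&ver=4\.0$")   # from "lid=%s&j=%s&ver=4.0"
STEAM_PROFILE = re.compile(r"^/profiles/\d{17}$")
INJECTION_TARGET = r"c:\windows\bitlockerdiscoveryvolumecontents\bitlockertogo.exe"
# Assumption: processes that legitimately fetch Steam profile pages
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "steam.exe", "steamwebhelper.exe"}


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    evidence: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_dns(ev: dict) -> Finding | None:
    qname = ev["qname"].lower().rstrip(".")
    return Finding("lumma_c2_dns", ev["pid"], qname) if qname in C2_DOMAINS else None


def check_http(ev: dict) -> Finding | None:
    if ev.get("user_agent") == BEACON_UA or BEACON_BODY.match(ev.get("body", "")):
        return Finding("lumma_c2_beacon", ev["pid"], f"{ev['method']} {ev['host']}{ev['path']}")
    if (ev["host"] == "steamcommunity.com" and STEAM_PROFILE.match(ev["path"])
            and _basename(ev["image"]) not in BROWSERS):
        return Finding("steam_profile_lookup_non_browser", ev["pid"],
                       f"{_basename(ev['image'])} -> {ev['path']}")
    return None


def check_process(ev: dict) -> Finding | None:
    # Assumption: a legitimate BitLockerToGo.exe launch has a parent under C:\Windows
    if (ev["image"].lower() == INJECTION_TARGET
            and not ev["parent_image"].lower().startswith("c:\\windows\\")):
        return Finding("bitlockertogo_suspicious_parent", ev["pid"], _basename(ev["parent_image"]))
    return None


CHECKS = {"dns": check_dns, "http": check_http, "process": check_process}


def assess(events: list[dict]) -> list[Finding]:
    """Per-event findings in input order, then one escalation per process that
    was both suspiciously spawned and seen talking to the C2 infrastructure."""
    findings = [f for ev in events if (f := CHECKS[ev["type"]](ev)) is not None]
    spawned = sorted({f.pid for f in findings if f.rule == "bitlockertogo_suspicious_parent"})
    for pid in spawned:
        net = [f for f in findings if f.pid == pid and f.rule in {"lumma_c2_dns", "lumma_c2_beacon"}]
        if net:
            findings.append(Finding("lumma_injected_c2", pid, "; ".join(f.evidence for f in net)))
    return findings


BLTG = r"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
CHROME_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"

# Constructed event stream modelled on the report's process tree and traffic
SAMPLE_EVENTS = [
    {"type": "process", "pid": 3, "image": BLTG, "parent_image": r"C:\Users\user\Desktop\buNtKcYHCa.exe"},
    {"type": "dns", "pid": 3, "qname": "ostracizez.sbs"},
    {"type": "dns", "pid": 3, "qname": "steamcommunity.com"},
    {"type": "http", "pid": 3, "image": BLTG, "method": "GET", "host": "steamcommunity.com",
     "path": "/profiles/76561199724331900", "user_agent": CHROME_UA},
    {"type": "http", "pid": 3, "image": BLTG, "method": "POST", "host": "ostracizez.sbs",
     "path": "/api", "user_agent": BEACON_UA, "body": f"lid={BUILD_ID}&j=&ver=4.0"},
    {"type": "dns", "pid": 9, "qname": "www.microsoft.com"},                       # benign
    {"type": "http", "pid": 12, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "method": "GET", "host": "steamcommunity.com", "path": "/profiles/76561199724331900",
     "user_agent": CHROME_UA},                                                    # benign browser
]

if __name__ == "__main__":
    for f in assess(SAMPLE_EVENTS):
        print(f"pid {f.pid:<3} {f.rule:<34} {f.evidence}")
```

The domain and user-agent checks are the brittle ones: Lumma builds rotate C2 domains quickly and the ETPRO rule for the Steam profile lookup fires precisely because the domain list alone is not enough. The two behavioural checks carry across builds, so in a real deployment they should be kept even after this build's domains are stale.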
Source: BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:27060
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486585764.0000000003617000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486585764.0000000003617000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486585764.0000000003617000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.steampowered.com/
Source: BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/
Source: BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://checkout.steampowered.com/
Source: BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/
Source: BitLockerToGo.exe, 00000003.00000002.1487546926.000000000360C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/publi
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.1487546926.000000000360C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/applications/community/main.css?v=ljhW-PbGuX
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/globalv2.css?v=pwVcIAtHNXwg&l=english&am
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/fatalerror.css?v=wctRWaBvNt2z&l=e
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/header.css?v=vh4BMeDcNiCU&l=engli
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486585764.0000000003617000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486585764.0000000003617000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28b
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486585764.0000000003617000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/main.js?v=W9BX
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/global.js?v=bOP7RorZq4_W&l=englis
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC&
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw&
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpE
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=tuNiaSwXwcYT&l=engl
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=GfSjbGKcNYaQ&l=
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=Ff_1prscqzeu&
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=eghn9DNyCY67&
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.p
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=wJD9maDpDcV
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0&amp
Source: buNtKcYHCa.exe String found in binary or memory: https://doi.org/GTB
Source: buNtKcYHCa.exe String found in binary or memory: https://github.com/go-sql-driver/mysql/wiki/strict-modetable
Source: buNtKcYHCa.exe String found in binary or memory: https://github.com/golang/protobuf/issues/1609):
Source: BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/en/
Source: buNtKcYHCa.exe String found in binary or memory: https://liveinternet.club
Source: buNtKcYHCa.exe String found in binary or memory: https://liveinternet.clubh
Source: BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.steampowered.com/
Source: BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lv.queniujq.cn
Source: BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://medal.tv
Source: BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://player.vimeo.com
Source: BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net
Source: BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s.ytimg.com;
Source: BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sketchfab.com
Source: BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steam.tv/
Source: BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast.akamaized.net
Source: BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486585764.0000000003617000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com
Source: BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/
Source: BitLockerToGo.exe, 00000003.00000003.1486585764.000000000361E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.1487667734.000000000361E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/&&
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/discussions/
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486585764.0000000003617000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/market/
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486585764.000000000361E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.1487667734.000000000361E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486947718.0000000003634000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486585764.0000000003632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/workshop/
Source: BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486947718.0000000003634000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486585764.0000000003632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/x
Source: BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/
Source: BitLockerToGo.exe, 00000003.00000003.1486883970.0000000003664000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486947718.0000000003654000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486585764.0000000003654000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.1488710149.0000000003664000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;
Source: BitLockerToGo.exe, 00000003.00000003.1486947718.0000000003654000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486585764.0000000003654000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cb4a621662dea893
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/about/
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/explore/
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486585764.0000000003617000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/legal/
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/mobile
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/news/
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/points/shop/
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/stats/
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptcha/
Source: BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486585764.0000000003617000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com
Source: BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.7:49759 version: TLS 1.2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_032F6960 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 3_2_032F6960

System Summary

Source: 00000000.00000002.1475000869.0000000003282000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000002.1475000869.00000000030D6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: String function: 032DC670 appears 197 times
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: String function: 032CC830 appears 72 times
Source: buNtKcYHCa.exe, 00000000.00000002.1472271900.0000000002EA6000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs buNtKcYHCa.exe
Source: buNtKcYHCa.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000000.00000002.1475000869.0000000003282000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000002.1475000869.00000000030D6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: classification engine Classification label: mal100.troj.evad.winEXE@3/0@10/1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_032E5770 CoCreateInstance, 3_2_032E5770
Source: buNtKcYHCa.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\buNtKcYHCa.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: buNtKcYHCa.exe ReversingLabs: Detection: 23%
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain
Source: buNtKcYHCa.exe String found in binary or memory: $github.com/mmcloughlin/addchain/meta
Source: buNtKcYHCa.exe String found in binary or memory: &github.com/mmcloughlin/addchain/acc/ir
Source: buNtKcYHCa.exe String found in binary or memory: 'github.com/mmcloughlin/addchain/acc/ast
Source: buNtKcYHCa.exe String found in binary or memory: (github.com/mmcloughlin/addchain/acc/pass
Source: buNtKcYHCa.exe String found in binary or memory: .github.com/mmcloughlin/addchain/internal/print
Source: buNtKcYHCa.exe String found in binary or memory: Cgithub.com/consensys/gnark-crypto/field/generator/internal/addchain
Source: buNtKcYHCa.exe String found in binary or memory: Span>protobuf:"varint,2,rep,packed,name=span" json:"span,omitempty"Cgithub.com/consensys/gnark-crypto/field/generator/internal/addchainC*struct { F uintptr; X0 *gob.encOp; X1 *gob.encOp; X2 int; X3 int }
Source: buNtKcYHCa.exe String found in binary or memory: merge_operatormax_open_filesmem_table_sizebytes_per_syncmin_flush_rateGetSystemTimesfragment-startfragment-end %p: %02d/%02d
Source: buNtKcYHCa.exe String found in binary or memory: gogoproto.protosizergogoproto.customtypegogoproto.customnamegogoproto.wktpointerinvalid map key typeJavaOuterClassname: PhpGenericServices: invalid nil Durationmmcloughlin/addchainBSD 3-Clause LicenseMorocco Standard TimeNamibia Standard TimeAlaskan Standard TimeCentral Standard TimePacific Standard TimeEastern Standard TimeSE Asia Standard TimeArabian Standard TimeMagadan Standard TimeMyanmar Standard TimeYakutsk Standard TimeBelarus Standard TimeRussian Standard TimeRomance Standard TimeSaratov Standard TimeNorfolk Standard Timeutf8mb4_lithuanian_ciutf8mb4_vietnamese_cicaching_sha2_passwordmysql_native_passwordinvalid dbname %q: %wunknown collation: %qunknown field type %dtrace/breakpoint trapuser defined signal 1user defined signal 2link has been severedpackage not installedblock device requiredstate not recoverableread-only file systemstale NFS file handleReadDirectoryChangesWNetGetJoinInformationreflect.Value.ComplexWSALookupServiceNextAWSALookupServiceNextWWSARemoveServiceClassWSCUnInstallNameSpaceWSCWriteProviderOrderWSAAsyncGetHostByAddrWSAAsyncGetHostByNameWSAAsyncGetServByPortWSAAsyncGetServByNameWSACancelAsyncRequestWSAUnhookBlockingHookWSACancelBlockingCallSafeArrayUnaccessDataSysAllocStringByteLenQueryPathOfRegTypeLibVARIANT_UserUnmarshalLPSAFEARRAY_UnmarshalSafeArrayCreateVectorOleCreateFontIndirectSami (Southern) (sma)Tajik (Cyrillic) (tg)Arabic Jordan (ar-JO)Arabic Kuwait (ar-KW)Arabic U.a.e. 
(ar-AE)Breton France (br-FR)Catalan Spain (ca-ES)Dutch Belgium (nl-BE)English India (en-IN)French Canada (fr-CA)French France (fr-FR)Fulah Nigeria (ff-NG)Hebrew Israel (he-IL)Irish Ireland (ga-IE)Italian Italy (it-IT)Kannada India (kn-IN)Maltese Malta (mt-MT)Marathi India (mr-IN)Polish Poland (pl-PL)Punjabi India (pa-IN)Quechua Peru (quz-PE)Sakha Russia (sah-RU)Spanish Chile (es-CL)Spanish Spain (es-ES)Syriac Syria (syr-SY)Thai Thailand (th-TH)Wolof Senegal (wo-SN)unsupported operationnegative shift amountconcurrent map writes/gc/heap/allocs:bytesruntime: work.nwait= previous allocCount=, levelBits[level] = runtime: searchIdx = runtime: mappedReady=runtime: totalMapped=defer on system stackpanic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime: confused by pcHeader.textStart= timer data corruptioninvalid NumericStringx509: invalid versioninvalid scalar lengthlocalhost.localdomainkey is not comparableafter top-level valuein string escape code186264514923095703125931322574615478515625decompression failureunsupported extensionFloat.SetFloat64(NaN)set bit is not 0 or 1unknown ABI part kind of unexported methodunexpected value stepreflect.Value.SetZeroreflect.Value.Pointerreflect.Value.SetUintSignatureDoesNotMatchEC2ThrottledExceptionfeature not supportedhttp: invalid patternPrecondition RequiredInternal Server Erroruse of closed Encoderinput string too longhex number > 256 bitsVariabl
Source: buNtKcYHCa.exe String found in binary or memory: no non-null argumentsstep must not be zeroinvalid end index: %sinvalid named captureJavaScriptDecodeValueDecimal128DecodeValueJSONNumberDecodeValueDecimal128EncodeValueJSONNumberEncodeValueJavaScriptEncodeValueno encoder found for no decoder found for ","subType":"%02x"}},bsoncore.Value.Doublebsoncore.Value.Binarybsoncore.Value.Symbolinvalid emitter stateexpected STREAM-STARTexpected DOCUMENT-ENDcannot marshal type: write handler not setType.IsNil argument 1pebble: invalid batchinvalid key kind 0x%xunknown hint type: %d | top in read pebble_version=0.1
Source: buNtKcYHCa.exe String found in binary or memory: bootstrap type already present: bytes.Buffer.Grow: negative countlocal file '%s' is not registeredcolumn count mismatch n:%d len:%dinvalid DATETIME packet length %dbytes.Reader.Seek: invalid whencecrypto/aes: output not full blocktoo many levels of symbolic linksInitializeProcThreadAttributeListImage base beyond allowed addressThunk AddressOfData beyond limitsCentral Kurdish Iraq (ku-Arab-IQ)Norwegian (Bokmal) Norway (nb-NO)could not find signer certificateinvalid VS_VERSION_INFO block. %ssync: RUnlock of unlocked RWMutexslice bounds out of range [%x:%y]runtime: memory allocated by OS [misrounded allocation in sysAllocconcurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert short slice passed to readGCStatsruntime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativeruntime: name offset out of rangeruntime: type offset out of rangex509: invalid RSA public exponentx509: SAN rfc822Name is malformedx509: invalid extended key usagesscalar has high bit set illegallygo package net: confVal.netCgo = sql: connection is already closed142108547152020037174224853515625710542735760100185871124267578125tls: failed to write to key log: tls: invalid server finished hashtls: unexpected ServerKeyExchangeFloat.GobDecode: buffer too smallreflect: slice index out of rangereflect: NumOut of non-func type of method on nil interface valuereflect: Field index out of rangereflect: array index out of rangereflect.Value.Equal: invalid Kind to pointer to array with length application/x-www-form-urlencodedhttp: multiple registrations for too large block number: bitlen %drlp: non-canonical integer formatcan't Reset derived EncoderBufferAttributeTypes on non-object Typeskip everything and stop the walkcannot serialize infinity as JSONextraneous data after JSON objecttoo many tuple elements (need %d)CryptAcquireCertificatePrivateKeyGetVolumeNameForVolumeMountPointWSetupDiGetDeviceRegistryPropertyWSetupDiSetDeviceRegistryPropertyWwaiting for unsupported file typecrypto: requested hash function #encoding: missing byte order markindefinite length found (not DER)struct contains unexported fieldsGODEBUG: no value specified for "unaligned 64-bit atomic operationcrypto/des: output not full blocktoo many Answers to pack (>65535)more than one dot found in numberCount of all completed GC cycles.The stack size of new goroutines.attributes %q and %q are requiredThe prefix to remove, if present.The suffix to remove, if present.at least one argument is requiredfailed to marshal %#v as JSON:
Source: buNtKcYHCa.exe String found in binary or memory: pebble/table: %d: unknown merger %spebble: invalid call to virtualLast%d extra bits on block, should be 0can only encode up to 64K sequenceszero matchoff and matchlen (%d) > 0proto: internal error: bad wiretypeduration: %#v: seconds out of rangebad type for XXX_extensions field: protobuf tag field not an integer: cockroach.errorspb.EncodedErrorLeaftruncated input (or invalid offset)file %q has a name conflict over %vfound wrong type: got %v, want enumvarint,62022,opt,name=enum_stringervarint,63017,opt,name=marshaler_allgogoproto.goproto_enum_stringer_allvarint,64004,opt,name=verbose_equaldelimiters may only be "{}" or "<>"string field contains invalid UTF-8%v already implements proto.Messagegoogle.protobuf.FieldOptions_JSTypegoogle.protobuf.FileDescriptorProtogoogle.protobuf.EnumDescriptorProtogoogle.protobuf.UninterpretedOption&descriptor.ServiceDescriptorProto{\A[_\pL][_\pL\p{Nd}]*(\.\.\.|\?)?\zTime.UnmarshalBinary: invalid lengthyear is not in the range [1, 9999]: bytes.Reader.Seek: negative positionlocale not found when calling %s: %vcrypto/cipher: input not full blocksbytes: Repeat output length overflowbytes.Reader.ReadAt: negative offsetaccessing a corrupted shared libraryfailure to read data directories: %vfail to read section relocations: %vfail to read string table length: %vstrings.Builder.Grow: negative countstrings: Join output length overflowThunk Address Of Data too spread outPower PC with floating point supportCherokee United States (chr-Cher-US)Chinese (Traditional) Taiwan (zh-TW)English United Arab Emirates (en-AE)lfstack node allocated from the heap) is larger than maximum page size (key size not a multiple of key alignruntime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnable
Source: buNtKcYHCa.exe String found in binary or memory: runtime: bad notifyList size - sync=accessed data from freed user arena runtime: wrong goroutine in newstackruntime: invalid pc-encoded table f=crypto/sha1: invalid hash state sizecrypto/sha512: invalid hash functionx509: zero or negative DSA parameterx509: invalid CRL distribution pointx509: invalid subject key identifierx509: malformed algorithm identifiersyntax error scanning complex numberedwards25519: invalid point encodingname %q does not begin with a lettersql: converting argument %s type: %vconverting NULL to %s is unsupportedjson: encoding error for type %q: %q444089209850062616169452667236328125ryuFtoaFixed64 called with prec > 180123456789abcdefghijklmnopqrstuvwxyzexpected an ECDSA public key, got %Ttls: keys must have at least one keyunsupported SSLv2 handshake receivedtls: server did not send a key sharemultiplication of zero with infinityinvalid semicolon separator in querymethod ABI and value ABI don't alignreflect.Value.Equal: values of type http: no Location header in responsehttp: invalid byte %q in Cookie.Pathhttp://www.w3.org/XML/1998/namespacexml: end tag </%s> without start tagxml: %s chain not valid with %s flagrlp: type %v is not RLP-serializablecty.Capsule(%q, reflect.TypeOf(%#v))%d elements are required, but got %dunsupported value type %#v in Equalselement key for tuple must be numberIA5String contains invalid characterreflect: NumField of non-struct typeno assembly implementation availablecompressed name in SRV resource dataX-Amz-Server-Side-Encryption-Contextmalformed MIME header initial line: there are bytes left after unmarshalReturns the union of all given sets.argument must be list, tuple, or setthe given object has no attribute %qkeys list has null value at index %dcannot parse %q as a base %d integerend index must not be less than zeroinvalid pattern syntax (+ after -): chacha20: wrong HChaCha20 nonce sizecannot parse -Infinity as a *big.Int) inline map must have a string keystoo few bytes to read next componentmust set the output target only onceunknown problem parsing YAML contentdocument contains excessive aliasingdid not find expected <stream-start>did not find expected version numberL%d->L%d: %s already being compacted[JOB %d] sstable delete error %s: %sMemTables: %d (%s) zombie: %d (%s)
Source: buNtKcYHCa.exe String found in binary or memory: unexpected block num %d, expected %dpebble: invalid end key for span: %sNumber of heap bytes released to OS.error while unmarshalling error: %+vinvalid input: magic number mismatchcompressed block size too large (%d)corruption detected (total %d != %d)total mismatch %d (got) != %d (want)proto: tag has unknown wire type: %qbad pointer or slice in map case in proto: textWriter unindented too farstdtime is not time.Duration, but %Tany: message type %q isn't linked infunc(v %v) *%v { return &v } ( %#v )google/protobuf/source_context.protocompare: unexpected type %T in oneofcannot merge into invalid %v messagebytes,62023,opt,name=enum_customnamegogoproto.goproto_extensions_map_allvarint,63028,opt,name=protosizer_allinvalid hex escape code %q in string%v: MessageSet with no unknown fieldgoogle.protobuf.FieldDescriptorProtogoogle.protobuf.OneofDescriptorProto&descriptor.SourceCodeInfo_Location{duration (%v) has out-of-range nanostimezone hour outside of range [0,23]could not use requested auth plugin 'invalid value / unknown config name: invalid value for TLS config name: %vnon-Value type %T returned from Valuecipher: message authentication failedcrypto/cipher: invalid buffer overlapcrypto/cipher: incorrect GCM tag sizebytes.Buffer: truncation out of rangecannot exec a shared library directlyvalue too large for defined data typetoo many symbols; file may be corruptFrench Principality Of Monaco (fr-MC)Inuktitut (Latin) Canada (iu-Latn-CA)Mongolian (Cyrillic) Mongolia (mn-MN)Uzbek (Latin) Uzbekistan (uz-Latn-UZ)Yi People's Republic Of China (ii-CN)` VirtualAddress is beyond 0x10000000runtime: allocation size out of range) is smaller than minimum page size (/cpu/classes/gc/mark/idle:cpu-secondssetprofilebucket: profile already setfailed to reserve page summary memoryruntime.minit: duplicatehandle failed_cgo_notify_runtime_init_done missingstartTheWorld: inconsistent mp->nextpruntime: unexpected SPWRITE function all goroutines are asleep - deadlock!crypto/rsa: public exponent too smallcrypto/rsa: public exponent too largecrypto: Size of unknown hash functioncrypto/rsa: unsupported hash functionbigmod: internal error: shrinking natx509: malformed extension value fieldx509: RSA key missing NULL parametersx509: invalid CRL distribution pointscrypto/ecdh: invalid private key sizecannot create context from nil parentsql: Scan called without calling Next2220446049250313080847263336181640625tls: unsupported certificate key (%T)tls: failed to verify certificate: %sreflect: Bits of non-arithmetic Type reflect: NumField of non-struct type reflect: IsVariadic of non-func type reflect: funcLayout of non-func type reflect.Value.Bytes of non-byte slicereflect.Value.Bytes of non-byte arrayreflect.Value.Bytes of non-rune slicemethod ABI and value ABI do not alignreflect.Value.Convert: value of type http: invalid byte %q in Cookie.Value^(us|eu|ap|sa|ca|me|af|il)\-\w+\-\d+$xml: bad type for comment field of %sinvalid sequence <!- not part of <!--too large block difficulty: b
Source: buNtKcYHCa.exe String found in binary or memory: disk slowness detected: %s on file %s has been ongoing for %0.1fsDesc{fqName: %q, help: %q, constLabels: {%s}, variableLabels: %v}error %+v (%T) announces proto message, but marshaling fails: %+verrors.As: *target must be interface or implement error, found %Tunexpected literal count, want %d bytes, but only %d is availableunable to query buffer size from InitializeProcThreadAttributeListlast data directory entry is a reserved field, must be set to zerox509: certificate is not valid for any names, but wanted to match x509: requested SignatureAlgorithm does not match private key typetls: certificate private key (%T) does not implement crypto.Signerclient doesn't support ECDHE, can only use legacy RSA key exchangetls: server sent an unexpected quic_transport_parameters extensionreflect: indirection through nil pointer to embedded struct field 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0xd4e56740f876aef8c010b86a40d5f56745a118d0906a34e69aec8c0db1cb8fa30xb5f7f912443c940f21fd611f12828d75b534364ed9e95ca4e307729a4661bde40x25a5cc106eea7138acab33231d7160d69cb777ee0c2c553fcddf5138993e6dd9pkcs7: signing time %q is outside of certificate validity %q to %qCumulative sum of memory allocated to the heap by the application.not a valid RFC3339 timestamp: minute must have exactly two digitsnot enough arguments for %q at %d: need index %d but have %d totaldocument end byte found before end of document. remaining bytes=%vinternal error: attempted to parse unknown event (please report): Cannot use WithApproximateSpanBytes without WithProperties option.ingest-time split produced a file that overlaps with ingested filepebble: tried to transition an eventually-file-only-snapshot twicepebble: internal error: file L%d.%s obsolete during B-Tree removalNumber of heap bytes when next garbage collection will take place.internal error: expected cumul[s.symbolLen] (%d) == tableSize (%d)Descriptor.Options called without importing the descriptor packageinvalid DSN: network address not terminated (missing closing brace)tls: server sent certificate containing RSA key larger than %d bitsMemory that is used by the stack trace hash map used for profiling.returned value %#v does not conform to expected return type %#v: %sReturns true if the two given values are equal, or false otherwise.Returns false if the two given values are equal, or true otherwise.not a valid RFC3339 timestamp: missing required time introducer 'T'SliceDecodeValue can only decode a binary into a byte array, got %vSliceDecodeValue can only decode a string into a byte array, got %vOnlyReadGuaranteedDurable is not supported for batches or snapshotspebble: shared file outside of excise span, span [%s-%s), file = %spebble: comparer name from file %q != comparer name from options %qfile %s chosen as seed file for compaction should not be compactingL0 files %s and %s are not properly ordered: <#%d-#%d> vs <#%d-#%d>pebble: range keys must be added via one of the RangeKey* functionspebble: range keys s
Source: buNtKcYHCa.exe String found in binary or memory: Memory allocated from the heap that is reserved for stack space, whether or not it is currently in-use. Currently, this represents all stack memory for goroutines. It also includes all OS thread stacks in non-cgo programs. Note that stacks may be allocated differently in the future, and this may change.Distribution of individual non-GC-related stop-the-world pause latencies. This is the time from deciding to stop the world until the world is started again. Some of this time is spent getting all threads to stop (measured directly in /sched/pauses/stopping/other:seconds). Bucket counts increase monotonically.Distribution of individual GC-related stop-the-world stopping latencies. This is the time it takes from deciding to stop the world until all Ps are stopped. This is a subset of the total GC-related stop-the-world time (/sched/pauses/total/gc:seconds). During this time, some threads may be executing. Bucket counts increase monotonically.You have encountered an unexpected error.
Source: buNtKcYHCa.exe String found in binary or memory: Distribution of individual non-GC-related stop-the-world stopping latencies. This is the time it takes from deciding to stop the world until all Ps are stopped. This is a subset of the total non-GC-related stop-the-world time (/sched/pauses/total/other:seconds). During this time, some threads may be executing. Bucket counts increase monotonically.GC cycle the last time the GC CPU limiter was enabled. This metric is useful for diagnosing the root cause of an out-of-memory error, because the limiter trades memory for CPU time when the GC's CPU time gets too high. This is most likely to occur with use of SetMemoryLimit. The first GC cycle is cycle 1, so a value of 0 indicates that it was never enabled.Distribution of individual GC-related stop-the-world pause latencies. This is the time from deciding to stop the world until the world is started again. Some of this time is spent getting all threads to stop (this is measured directly in /sched/pauses/stopping/gc:seconds), during which some threads may still be running. Bucket counts increase monotonically.Estimated total CPU time spent performing GC tasks on spare CPU resources that the Go scheduler could not otherwise find a use for. This should be subtracted from the total GC CPU time to obtain a measure of compulsory GC CPU time. This metric is an overestimate, and not directly comparable to system CPU time measurements. Compare only with other /cpu/classes metrics.Estimated total available CPU time for user Go code or the Go runtime, as defined by GOMAXPROCS. In other words, GOMAXPROCS integrated over the wall-clock duration this process has been executing for. This metric is an overestimate, and not directly comparable to system CPU time measurements. Compare only with other /cpu/classes metrics. Sum of all metrics in /cpu/classes.Stack memory allocated by the underlying operating system. In non-cgo programs this metric is currently zero. This may change in the future.In cgo programs this metric includes OS thread stacks allocated directly from the OS. Currently, this only accounts for one stack in c-shared and c-archive build modes, and other sources of stacks from the OS are not measured. This too may change in the future.Estimated total CPU time spent with the application paused by the GC. Even if only one thread is running during the pause, this is computed as GOMAXPROCS times the pause latency because nothing else can be executing. This is the exact sum of samples in /sched/pauses/total/gc:seconds if each sample is multiplied by GOMAXPROCS at the time it is taken. This metric is an overestimate, and not directly comparable to system CPU time measurements. Compare only with other /cpu/classes metrics.TokenNilTokenNewlineTokenBangTokenPercentTokenBitwiseAndTokenApostropheTokenOParenTokenCParenTokenStarTokenPlusTokenCommaTokenMinusTokenDotTokenSlashTokenColonTokenSemicolonTokenLessThanTokenEqualTokenGreaterThanTokenQuestionTokenCommentTokenOHeredocTokenIdentTokenNumberLitTokenQuotedLitTokenStri
Source: buNtKcYHCa.exe String found in binary or memory: depgithub.com/mmcloughlin/addchainv0.4.0h1:SobOdjm2xLj1KkXN5/n0xTIWyZA2+s99UCY1iPfkHRY=
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/internal/bigint.Equal
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/internal/bigint.EqualInt64
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/internal/bigint.Pow2
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/internal/bigint.One
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/internal/bigint.Mask
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/internal/bigint.Ones
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/internal/bigints.Contains
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/internal/bigints.Index
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain.Chain.Clone
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/internal/bigints.Clone
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain.(*Chain).AppendClone
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/internal/bigint.Clone
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain.Chain.End
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain.Chain.Ops
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain.Chain.Op
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain.Chain.Program
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/internal/bigint.Zero
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain.Chain.Validate
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain.Chain.Produces
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain.Chain.Superset
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain.Chain.IsAscending
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain.Op.IsDouble
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain.Op.Operands
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain.Op.Uses
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain.(*Program).Shift
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain.(*Program).Double
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain.(*Program).Add
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain.Program.boundscheck
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain.Program.Doubles
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain.Program.Count
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain.Program.Adds
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain.Program.Evaluate
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain.New
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain.Program.ReadCounts
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain.Program.Dependencies
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain.(*Chain).Clone
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain.(*Chain).End
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain.(*Chain).IsAscending
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain.(*Chain).Op
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain.(*Chain).Ops
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain.(*Chain).Produces
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain.(*Chain).Program
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain.(*Chain).Superset
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain.(*Chain).Validate
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain.(*Op).IsDouble
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain.(*Op).Operands
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain.(*Op).Uses
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain.(*Program).Adds
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain.(*Program).Count
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain.(*Program).Dependencies
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain.(*Program).Doubles
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain.(*Program).Evaluate
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain.(*Program).ReadCounts
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Program).AddInstruction
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.Program.Output
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.Program.Clone
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.Instruction.Clone
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.Operand.Clone
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.Program.String
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.Operand.String
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.Instruction.Operands
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.Instruction.String
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.Add.Inputs
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.Add.Clone
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.Add.String
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.Double.Inputs
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.Double.Clone
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.Double.String
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.Shift.Inputs
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.Shift.Clone
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.Shift.String
Source: buNtKcYHCa.exe String found in binary or memory: type:.eq.github.com/mmcloughlin/addchain/acc/ir.Operand
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Operand).Clone
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Operand).String
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Instruction).Clone
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Instruction).Operands
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Instruction).String
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Program).Clone
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Program).Output
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Program).String
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Add).Clone
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Add).Inputs
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Add).String
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Double).Clone
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Double).Inputs
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Double).String
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Shift).Clone
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Shift).Inputs
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Shift).String
Source: buNtKcYHCa.exe String found in binary or memory: type:.eq.github.com/mmcloughlin/addchain/acc/ir.Instruction
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/internal/errutil.AssertionFailure
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/internal/print.(*Printer).Linef
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/internal/print.(*Printer).NL
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/internal/print.(*Printer).Printf
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/internal/print.(*Printer).SetError
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/internal/print.NewTabWriter
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/internal/print.New
Source: buNtKcYHCa.exe String found in binary or memory: type:.eq.github.com/mmcloughlin/addchain/internal/print.Printer
Source: buNtKcYHCa.exe String found in binary or memory: type:.eq.github.com/mmcloughlin/addchain/internal/print.TabWriter
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ast.Identifier.Precedence
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/ast.(*Identifier).Precedence
Source: buNtKcYHCa.exe String found in binary or memory: type:.eq.github.com/mmcloughlin/addchain/acc/ast.Statement
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/pass.init
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/pass.NameBinaryValues
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/pass.NameOperands
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/pass.NameBinaryRuns
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/pass.init.NameBinaryRuns.NameOperands.func4
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/pass.init.NameBinaryRuns.func2
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/pass.init.NameBinaryValues.NameOperands.func3
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/pass.init.NameBinaryValues.func1
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/pass.Compile
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/internal/errutil.UnexpectedType
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/pass.Eval
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/pass.Func.Execute
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/pass.Exec
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/pass.Concat
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/pass.Exec.Concat.func1
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/pass.CanonicalizeOperands
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/acc/pass.(*Func).Execute
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/internal/bigvector.init
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/meta.init
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/meta.(*Properties).CheckCitable
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/meta.(*Properties).IsRelease
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/meta.(*Properties).WriteCitation
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/meta.(*Properties).ReleaseTime
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/meta.(*Properties).Title
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/meta.(*Properties).WriteCitation.func2
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/meta.(*Properties).WriteCitation.func1
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/meta.(*Properties).RepositoryURL
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/meta.(*Properties).Module
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/meta.(*Properties).DOIURL
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/meta.doiurl
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/internal/print.(*TabWriter).Flush
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/internal/print.(*Printer).Error
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/meta.(*Properties).Citation
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/meta.(*Properties).ReleaseTag
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/meta.(*Properties).ReleaseURL
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain/meta.(*Properties).ConceptDOIURL
Source: buNtKcYHCa.exe String found in binary or memory: type:.eq.github.com/mmcloughlin/addchain/meta.Properties
Source: buNtKcYHCa.exe String found in binary or memory: net/addrselect.go
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain@v0.4.0/internal/bigint/bigint.go
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain@v0.4.0/internal/bigints/bigints.go
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain@v0.4.0/chain.go
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain@v0.4.0/program.go
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain@v0.4.0/acc/ir/ir.go
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain@v0.4.0/internal/errutil/errutil.go
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain@v0.4.0/internal/print/printer.go
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain@v0.4.0/acc/ast/ast.go
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain@v0.4.0/acc/pass/naming.go
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain@v0.4.0/acc/pass/eval.go
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain@v0.4.0/acc/pass/pass.go
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain@v0.4.0/internal/bigvector/bigvector.go
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain@v0.4.0/meta/meta.go
Source: buNtKcYHCa.exe String found in binary or memory: github.com/mmcloughlin/addchain@v0.4.0/meta/cite.go
Source: buNtKcYHCa.exe String found in binary or memory: github.com/decred/dcrd/dcrec/secp256k1/v4@v4.0.1/loadprecomputed.go
Source: buNtKcYHCa.exe String found in binary or memory: github.com/saferwall/pe@v1.5.4/loadconfig.go
Source: C:\Users\user\Desktop\buNtKcYHCa.exe File read: C:\Users\user\Desktop\buNtKcYHCa.exe
Source: unknown Process created: C:\Users\user\Desktop\buNtKcYHCa.exe "C:\Users\user\Desktop\buNtKcYHCa.exe"
Source: C:\Users\user\Desktop\buNtKcYHCa.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\Desktop\buNtKcYHCa.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\Desktop\buNtKcYHCa.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\buNtKcYHCa.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\buNtKcYHCa.exe Section loaded: umpdc.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: winhttp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: webio.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: mswsock.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: iphlpapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: winnsi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: sspicli.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: dnsapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rasadhlp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: schannel.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ntasn1.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ncrypt.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: msasn1.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: cryptsp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rsaenh.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: cryptbase.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: gpapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: dpapi.dll
Source: buNtKcYHCa.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: buNtKcYHCa.exe Static file information: File size 20195328 > 1048576
Source: buNtKcYHCa.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x8f5600
Source: buNtKcYHCa.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x966400
Source: buNtKcYHCa.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: BitLockerToGo.pdb source: buNtKcYHCa.exe, 00000000.00000002.1472271900.0000000002EA6000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdbGCTL source: buNtKcYHCa.exe, 00000000.00000002.1472271900.0000000002EA6000.00000004.00001000.00020000.00000000.sdmp
Source: buNtKcYHCa.exe Static PE information: section name: .symtab
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_032DB928 pushad ; ret 3_2_032DB929
Source: C:\Users\user\Desktop\buNtKcYHCa.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 3232 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 3284 Thread sleep time: -30000s >= -30000s
Source: BitLockerToGo.exe, 00000003.00000003.1486947718.0000000003654000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486585764.0000000003654000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW>V
Source: BitLockerToGo.exe, 00000003.00000003.1486947718.0000000003654000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486585764.0000000003654000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.1487546926.000000000360C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: buNtKcYHCa.exe, 00000000.00000002.1471400938.000000000266C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_03302710 LdrInitializeThunk, 3_2_03302710

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\buNtKcYHCa.exe Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 32C0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\buNtKcYHCa.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 32C0000 value starts with: 4D5A
Source: buNtKcYHCa.exe, 00000000.00000002.1471620699.0000000002C5E000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: offybirhtdi.sbs
Source: buNtKcYHCa.exe, 00000000.00000002.1471620699.0000000002C5E000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: activedomest.sbs
Source: buNtKcYHCa.exe, 00000000.00000002.1471620699.0000000002C5E000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: arenbootk.sbs
Source: buNtKcYHCa.exe, 00000000.00000002.1471620699.0000000002C5E000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: mediavelk.sbs
Source: buNtKcYHCa.exe, 00000000.00000002.1471620699.0000000002C5E000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: definitib.sbs
Source: buNtKcYHCa.exe, 00000000.00000002.1471620699.0000000002C5E000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: elaboretib.sbs
Source: buNtKcYHCa.exe, 00000000.00000002.1471620699.0000000002C5E000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: strikebripm.sbs
Source: buNtKcYHCa.exe, 00000000.00000002.1471620699.0000000002C5E000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: ostracizez.sbs
Source: C:\Users\user\Desktop\buNtKcYHCa.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 300D008
Source: C:\Users\user\Desktop\buNtKcYHCa.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 32C0000
Source: C:\Users\user\Desktop\buNtKcYHCa.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 32C1000
Source: C:\Users\user\Desktop\buNtKcYHCa.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 3308000
Source: C:\Users\user\Desktop\buNtKcYHCa.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 330B000
Source: C:\Users\user\Desktop\buNtKcYHCa.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 331B000
Source: C:\Users\user\Desktop\buNtKcYHCa.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\Desktop\buNtKcYHCa.exe Queries volume information: C:\Users\user\Desktop\buNtKcYHCa.exe VolumeInformation
Source: C:\Users\user\Desktop\buNtKcYHCa.exe Queries volume information: C:\Windows VolumeInformation
Source: C:\Users\user\Desktop\buNtKcYHCa.exe Queries volume information: C:\Windows\AppReadiness VolumeInformation
Source: C:\Users\user\Desktop\buNtKcYHCa.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents VolumeInformation
Source: C:\Users\user\Desktop\buNtKcYHCa.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Users\user\Desktop\buNtKcYHCa.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 0.2.buNtKcYHCa.exe.3182000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.buNtKcYHCa.exe.3182000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.buNtKcYHCa.exe.2e18000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.buNtKcYHCa.exe.2e18000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.BitLockerToGo.exe.32c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1475000869.0000000003182000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1472271900.0000000002E18000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 0.2.buNtKcYHCa.exe.3182000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.buNtKcYHCa.exe.3182000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.buNtKcYHCa.exe.2e18000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.buNtKcYHCa.exe.2e18000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.BitLockerToGo.exe.32c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1475000869.0000000003182000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1472271900.0000000002E18000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY