Edit tour

Windows Analysis Report
MXpl6HFisn.exe

Overview

General Information

Sample name:	MXpl6HFisn.exe renamed because original name is a hash value
Original sample name:	0aadbca2d0a26b8f90fd4f31cb7f2ffc.exe
Analysis ID:	1417443
MD5:	0aadbca2d0a26b8f90fd4f31cb7f2ffc
SHA1:	57246459c3890dfcd49fb792cc55a45e3bd6c48e
SHA256:	4bee7d558a5346bffa5cc2393b579bd8abbdd6beef0ede8e71aeae10dd5ff207
Tags:	exeRiseProStealer
Infos:

Detection

RisePro Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected RisePro Stealer

Allocates memory in foreign processes

Contains functionality to inject threads in other processes

Creates autostart registry keys with suspicious names

Found API chain indicative of sandbox detection

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Sigma detected: Execution from Suspicious Folder

Sigma detected: New RUN Key Pointing to Suspicious Folder

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Abnormal high CPU Usage

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to detect sandboxes (mouse cursor move detection)

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Tries to load missing DLLs

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Uses the system / local time for branch decision (may execute only at specific dates)

Yara signature match

Classification

Process Tree

System is w10x64

MXpl6HFisn.exe (PID: 6880 cmdline: "C:\Users\user\Desktop\MXpl6HFisn.exe" MD5: 0AADBCA2D0A26B8F90FD4F31CB7F2FFC)

BitLockerToGo.exe (PID: 2004 cmdline: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)

(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe (PID: 2032 cmdline: "C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe" MD5: 0AADBCA2D0A26B8F90FD4F31CB7F2FFC)

BitLockerToGo.exe (PID: 6884 cmdline: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)

(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe (PID: 4904 cmdline: "C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe" MD5: 0AADBCA2D0A26B8F90FD4F31CB7F2FFC)

BitLockerToGo.exe (PID: 5500 cmdline: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\gC7STejDE3WmjzylxWa3QT6.zip	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000003.1836476956.0000000005203000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000000.00000002.1769068121.000000C0026F0000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
00000001.00000002.1871116463.000000C002598000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
00000004.00000002.1962242072.000000C0025AA000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
00000004.00000002.1959576006.000000C0006B2000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
00000001.00000002.1871116463.000000C002814000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
00000002.00000002.4068353569.0000000004F00000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000004.00000002.1962242072.000000C002826000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
Click to see the 3 entries

Sigma Signatures

System Summary

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe" , CommandLine: "C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe" , CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, NewProcessName: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, OriginalFileName: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe" , ProcessId: 2032, ProcessName: (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\MXpl6HFisn.exe, ProcessId: 6880, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\MXpl6HFisn.exe, ProcessId: 6880, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe

Snort Signatures

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 95.216.41.236 - Destination IP: 192.168.2.4

Timestamp:	03/29/24-09:52:15.811203
SID:	2046266
Source Port:	50500
Destination Port:	49730
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.4 - Destination IP: 95.216.41.236

Timestamp:	03/29/24-09:52:21.606984
SID:	2046269
Source Port:	49730
Destination Port:	50500
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (External IP) - Source IP: 95.216.41.236 - Destination IP: 192.168.2.4

Timestamp:	03/29/24-09:52:16.065250
SID:	2046267
Source Port:	50500
Destination Port:	49730
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 95.216.41.236 - Destination IP: 192.168.2.4

Timestamp:	03/29/24-09:52:25.278346
SID:	2046266
Source Port:	50500
Destination Port:	49739
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 95.216.41.236 - Destination IP: 192.168.2.4

Timestamp:	03/29/24-09:52:33.605110
SID:	2046266
Source Port:	50500
Destination Port:	49743
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 95.216.41.236 - Destination IP: 192.168.2.4

Timestamp:	03/29/24-09:52:25.741725
SID:	2046266
Source Port:	50500
Destination Port:	49740
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN RisePro TCP Heartbeat Packet - Source IP: 192.168.2.4 - Destination IP: 95.216.41.236

Timestamp:	03/29/24-09:52:15.776952
SID:	2049060
Source Port:	49730
Destination Port:	50500
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN RisePro CnC Activity (Outbound) - Source IP: 95.216.41.236 - Destination IP: 192.168.2.4

Timestamp:	03/29/24-09:52:23.971378
SID:	2049660
Source Port:	50500
Destination Port:	49730
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe	ReversingLabs: Detection: 42%
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe	Virustotal: Detection: 47%			Perma Link

Multi AV Scanner detection for submitted file

Source: MXpl6HFisn.exe	Virustotal: Detection: 36%			Perma Link
Source: MXpl6HFisn.exe	ReversingLabs: Detection: 42%

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_02A20380 RegQueryValueExA,RegCloseKey,CryptUnprotectData,CryptUnprotectData,LocalFree,

2_2_02A20380

Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49745 version: TLS 1.2

Source: MXpl6HFisn.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: BitLockerToGo.pdb source: MXpl6HFisn.exe, 00000000.00000002.1764630027.000000C0001F5000.00000004.00001000.00020000.00000000.sdmp, MXpl6HFisn.exe, 00000000.00000002.1769068121.000000C002C22000.00000004.00001000.00020000.00000000.sdmp, MXpl6HFisn.exe, 00000000.00000003.1757024957.0000023CE79F0000.00000004.00001000.00020000.00000000.sdmp, MXpl6HFisn.exe, 00000000.00000002.1769068121.000000C00296C000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000002.1871116463.000000C002814000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000003.1862067365.000001E67DB70000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000003.1862099559.000001E67DB30000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.4067895125.0000000002B90000.00000004.00000020.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000002.1962242072.000000C002B4E000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000003.1936048127.0000027776D70000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000002.1962242072.000000C002826000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000003.1936018932.0000027776DB0000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1919146241.0000000002B5E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000003.1999122763.00000000031CF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: MXpl6HFisn.exe, 00000000.00000002.1764630027.000000C0001F5000.00000004.00001000.00020000.00000000.sdmp, MXpl6HFisn.exe, 00000000.00000002.1769068121.000000C002C22000.00000004.00001000.00020000.00000000.sdmp, MXpl6HFisn.exe, 00000000.00000003.1757024957.0000023CE79F0000.00000004.00001000.00020000.00000000.sdmp, MXpl6HFisn.exe, 00000000.00000002.1769068121.000000C00296C000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000002.1871116463.000000C002814000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000003.1862067365.000001E67DB70000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000003.1862099559.000001E67DB30000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.4067895125.0000000002B90000.00000004.00000020.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000002.1962242072.000000C002B4E000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000003.1936048127.0000027776D70000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000002.1962242072.000000C002826000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000003.1936018932.0000027776DB0000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1919146241.0000000002B5E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000003.1999122763.00000000031CF000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A3E200 SHGetFolderPathA,GetFileAttributesA,GetFileAttributesA,GetLastError,GetLastError,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CopyFileA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,CopyFileA,CopyFileA,__Mtx_unlock,__Mtx_unlock,	2_2_02A3E200
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02ADC3BA FindClose,FindFirstFileExW,GetLastError,	2_2_02ADC3BA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A0E0B0 CreateDirectoryA,CreateDirectoryA,FindFirstFileA,GetLastError,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,SHGetFolderPathA,GetFileAttributesA,GetFileAttributesA,GetLastError,GetLastError,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,GetFileAttributesA,GetFileAttributesA,GetLastError,__Mtx_unlock,GetFileAttributesA,__Mtx_unlock,CreateDirectoryA,GetFileAttributesA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,__Mtx_unlock,	2_2_02A0E0B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A0A6B0 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,__Mtx_unlock,	2_2_02A0A6B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A20CC3 FindFirstFileA,FindNextFileA,GetLastError,FindClose,	2_2_02A20CC3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02ADC440 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,	2_2_02ADC440
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A3FD60 FindFirstFileA,	2_2_02A3FD60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0508A17B GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,	2_2_0508A17B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_050590F0 FindFirstFileA,CreateDirectoryA,GetLastError,CopyFileA,CopyFileA,FindNextFileA,FindClose,GetLastError,	2_2_050590F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_05059990 FindFirstFileA,SetFileAttributesA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,	2_2_05059990

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.4:49730 -> 95.216.41.236:50500
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 95.216.41.236:50500 -> 192.168.2.4:49730
Source: Traffic	Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 95.216.41.236:50500 -> 192.168.2.4:49730
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49730 -> 95.216.41.236:50500
Source: Traffic	Snort IDS: 2049660 ET TROJAN RisePro CnC Activity (Outbound) 95.216.41.236:50500 -> 192.168.2.4:49730
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 95.216.41.236:50500 -> 192.168.2.4:49739
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 95.216.41.236:50500 -> 192.168.2.4:49740
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 95.216.41.236:50500 -> 192.168.2.4:49743

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 95.216.41.236:50500

Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View	IP Address: 104.26.5.15 104.26.5.15

Source: Joe Sandbox View

ASN Name: HETZNER-ASDE HETZNER-ASDE

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: unknown	DNS query: name: ipinfo.io
Source: unknown	DNS query: name: ipinfo.io

Source: global traffic	HTTP traffic detected: GET /widget/demo/102.165.48.43 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=102.165.48.43 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /widget/demo/102.165.48.43 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=102.165.48.43 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /widget/demo/102.165.48.43 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=102.165.48.43 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: db-ip.com

Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.41.236
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.41.236
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.41.236
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.41.236
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.41.236
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.41.236
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.41.236
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.41.236
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.41.236
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.41.236
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.41.236
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.41.236
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.41.236
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.41.236
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.41.236
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.41.236
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.41.236
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.41.236
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.41.236
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.41.236
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.41.236
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.41.236
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.41.236
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.41.236
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.41.236
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.41.236
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.41.236
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.41.236
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.41.236
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.41.236
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.41.236
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.41.236
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.41.236
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.41.236
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.41.236
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.41.236
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.41.236
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.41.236
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.41.236
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.41.236
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.41.236
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.41.236
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.41.236
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.41.236
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.41.236
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.41.236
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.41.236
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.41.236
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.41.236
Source: unknown	TCP traffic detected without corresponding DNS query: 95.216.41.236

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_02A1F5F0 recv,__Mtx_unlock,

2_2_02A1F5F0

Source: global traffic	HTTP traffic detected: GET /widget/demo/102.165.48.43 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=102.165.48.43 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /widget/demo/102.165.48.43 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=102.165.48.43 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /widget/demo/102.165.48.43 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=102.165.48.43 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: db-ip.com

Source: unknown

DNS traffic detected: queries for: ipinfo.io

Source: MXpl6HFisn.exe, 00000000.00000002.1767327389.000000C001E3E000.00000004.00001000.00020000.00000000.sdmp, MXpl6HFisn.exe, 00000000.00000003.1763770095.0000023CE7C70000.00000004.00001000.00020000.00000000.sdmp, MXpl6HFisn.exe, 00000000.00000003.1701201194.0000023CE7B30000.00000004.00001000.00020000.00000000.sdmp, MXpl6HFisn.exe, 00000000.00000002.1769068121.000000C00296C000.00000004.00001000.00020000.00000000.sdmp, MXpl6HFisn.exe, 00000000.00000002.1769068121.000000C002400000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000002.1871116463.000000C002814000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000003.1865976558.000001E67DDB0000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000002.1869403565.000000C001CE6000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000003.1807163070.000001E67DC70000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, BitLockerToGo.exe, 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000002.1960476547.000000C001CF8000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000003.1881301271.0000027776EB0000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000002.1962242072.000000C002826000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000002.1920173465.00000000026B0000.00000040.00000400.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000002.1999600227.0000000002EA0000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: BitLockerToGo.exe, 00000002.00000003.1825988400.0000000004F67000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1827211496.0000000004F86000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1828884319.0000000004F8D000.00000004.00000020.00020000.00000000.sdmp, jKXEuRSxIEMXWeb Data.2.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: BitLockerToGo.exe, 00000002.00000003.1825988400.0000000004F67000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1827211496.0000000004F86000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1828884319.0000000004F8D000.00000004.00000020.00020000.00000000.sdmp, jKXEuRSxIEMXWeb Data.2.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: BitLockerToGo.exe, 00000002.00000003.1825988400.0000000004F67000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1827211496.0000000004F86000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1828884319.0000000004F8D000.00000004.00000020.00020000.00000000.sdmp, jKXEuRSxIEMXWeb Data.2.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: BitLockerToGo.exe, 00000002.00000003.1825988400.0000000004F67000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1827211496.0000000004F86000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1828884319.0000000004F8D000.00000004.00000020.00020000.00000000.sdmp, jKXEuRSxIEMXWeb Data.2.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: BitLockerToGo.exe, 00000002.00000003.1803412679.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000002.1999895233.000000000326C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000003.1999122763.000000000326C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/
Source: BitLockerToGo.exe, 00000005.00000002.1920564820.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1919146241.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/-
Source: BitLockerToGo.exe, 00000008.00000003.1999122763.000000000326C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000003.1999122763.0000000003235000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000002.1999895233.0000000003235000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=102.165.48.43
Source: BitLockerToGo.exe, 00000002.00000003.1803412679.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.4068012610.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.3882223341.0000000002C31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/s
Source: BitLockerToGo.exe, 00000002.00000002.4067895125.0000000002BF6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1919146241.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000002.1920564820.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000002.1999895233.0000000003216000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000003.1999122763.0000000003217000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com:443/demo/home.php?s=102.165.48.43
Source: BitLockerToGo.exe, 00000002.00000003.1825988400.0000000004F67000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1827211496.0000000004F86000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1828884319.0000000004F8D000.00000004.00000020.00020000.00000000.sdmp, jKXEuRSxIEMXWeb Data.2.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: BitLockerToGo.exe, 00000002.00000003.1825988400.0000000004F67000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1827211496.0000000004F86000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1828884319.0000000004F8D000.00000004.00000020.00020000.00000000.sdmp, jKXEuRSxIEMXWeb Data.2.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: BitLockerToGo.exe, 00000002.00000003.1825988400.0000000004F67000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1827211496.0000000004F86000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1828884319.0000000004F8D000.00000004.00000020.00020000.00000000.sdmp, jKXEuRSxIEMXWeb Data.2.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: MXpl6HFisn.exe, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe.0.dr	String found in binary or memory: https://golang.org/doc/faq#nil_errortls:
Source: BitLockerToGo.exe, 00000005.00000002.1920528481.0000000002B48000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000002.1920564820.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1919146241.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000002.1999851047.00000000031B7000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000002.1999895233.000000000326C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000003.1999122763.000000000326C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000003.1999122763.0000000003235000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000002.1999895233.0000000003235000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/
Source: BitLockerToGo.exe, 00000002.00000002.4068012610.0000000002C14000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.3882223341.0000000002C14000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1919146241.0000000002BC3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000002.1920564820.0000000002BC3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000003.1999122763.0000000003235000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000002.1999895233.0000000003235000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: BitLockerToGo.exe, 00000002.00000002.4067895125.0000000002B90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/O
Source: BitLockerToGo.exe, 00000008.00000002.1999851047.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/R
Source: MXpl6HFisn.exe, 00000000.00000002.1767327389.000000C001E3E000.00000004.00001000.00020000.00000000.sdmp, MXpl6HFisn.exe, 00000000.00000003.1763770095.0000023CE7C70000.00000004.00001000.00020000.00000000.sdmp, MXpl6HFisn.exe, 00000000.00000003.1701201194.0000023CE7B30000.00000004.00001000.00020000.00000000.sdmp, MXpl6HFisn.exe, 00000000.00000002.1769068121.000000C00296C000.00000004.00001000.00020000.00000000.sdmp, MXpl6HFisn.exe, 00000000.00000002.1769068121.000000C002400000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000002.1871116463.000000C002814000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000003.1865976558.000001E67DDB0000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000002.1869403565.000000C001CE6000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000003.1807163070.000001E67DC70000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000002.1960476547.000000C001CF8000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000003.1881301271.0000027776EB0000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000002.1962242072.000000C002826000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000002.1920173465.00000000026B0000.00000040.00000400.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000002.1999600227.0000000002EA0000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: BitLockerToGo.exe, 00000005.00000002.1920528481.0000000002B48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/s
Source: BitLockerToGo.exe, 00000008.00000002.1999851047.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/t
Source: BitLockerToGo.exe, 00000005.00000002.1920564820.0000000002BA5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000003.1999122763.0000000003235000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000002.1999895233.0000000003235000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000002.1999895233.0000000003216000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000003.1999122763.0000000003217000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/102.165.48.43
Source: BitLockerToGo.exe, 00000002.00000002.4068012610.0000000002C14000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.3882223341.0000000002C14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/102.165.48.43o
Source: BitLockerToGo.exe, 00000005.00000003.1919146241.0000000002BC3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000002.1920564820.0000000002BC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io:443/widget/demo/102.165.48.43
Source: BitLockerToGo.exe, 00000008.00000002.1999895233.0000000003216000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000003.1999122763.0000000003217000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io:443/widget/demo/102.165.48.43:
Source: BitLockerToGo.exe, 00000002.00000002.4067895125.0000000002BF6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io:443/widget/demo/102.165.48.43P$
Source: BitLockerToGo.exe, 00000002.00000003.1828806562.0000000004F4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: BitLockerToGo.exe, 00000002.00000003.1828806562.0000000004F4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: BitLockerToGo.exe, 00000002.00000003.1826342628.0000000004F64000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1828530915.0000000004F7C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: BitLockerToGo.exe, 00000002.00000003.1826342628.0000000004F64000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1828530915.0000000004F7C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: BitLockerToGo.exe, 00000002.00000002.4068012610.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.3882223341.0000000002C31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.V
Source: BitLockerToGo.exe, 00000002.00000002.4067895125.0000000002B90000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.4068353569.0000000004F00000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000002.1920528481.0000000002B48000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000002.1999851047.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORT
Source: BitLockerToGo.exe, 00000008.00000002.1999851047.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORTR
Source: BitLockerToGo.exe, 00000008.00000003.1999122763.000000000326C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000002.1999895233.000000000329B000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.2.dr	String found in binary or memory: https://t.me/risepro_bot
Source: BitLockerToGo.exe, 00000002.00000002.4068012610.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.3882223341.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000002.1920564820.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1919146241.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_botbackup
Source: BitLockerToGo.exe, 00000005.00000003.1919146241.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000003.1999122763.000000000326C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_botisepro_botc
Source: BitLockerToGo.exe, 00000002.00000002.4068012610.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.3882223341.0000000002C31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_botrisep
Source: BitLockerToGo.exe, 00000005.00000002.1920564820.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1919146241.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_bott
Source: BitLockerToGo.exe, 00000005.00000002.1920564820.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1919146241.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.p
Source: BitLockerToGo.exe, 00000002.00000003.1825988400.0000000004F67000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1827211496.0000000004F86000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1828884319.0000000004F8D000.00000004.00000020.00020000.00000000.sdmp, jKXEuRSxIEMXWeb Data.2.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: BitLockerToGo.exe, 00000002.00000003.1825988400.0000000004F67000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1827211496.0000000004F86000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1828884319.0000000004F8D000.00000004.00000020.00020000.00000000.sdmp, jKXEuRSxIEMXWeb Data.2.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: BitLockerToGo.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: BitLockerToGo.exe, 00000002.00000003.1828806562.0000000004F4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: BitLockerToGo.exe, 00000002.00000003.1828806562.0000000004F4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: BitLockerToGo.exe, 00000002.00000002.4068012610.0000000002C14000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.3882223341.0000000002C14000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.4068353569.0000000004F00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: BitLockerToGo.exe, 00000002.00000003.1829264822.0000000004F4E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.4068353569.0000000004F4E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1826241376.0000000004F4E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1828447229.0000000004F4E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1827672274.0000000004F4E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1829573161.0000000004F4E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1830796791.0000000004F4E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1830547597.0000000004F4E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1829150612.0000000004F4E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1829776196.0000000004F4E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1828806562.0000000004F4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: BitLockerToGo.exe, 00000002.00000003.1828806562.0000000004F4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: BitLockerToGo.exe, 00000002.00000002.4068012610.0000000002C14000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.3882223341.0000000002C14000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.4068353569.0000000004F00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: BitLockerToGo.exe, 00000002.00000003.1829264822.0000000004F4E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.4068353569.0000000004F4E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1826241376.0000000004F4E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1828447229.0000000004F4E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1827672274.0000000004F4E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1829573161.0000000004F4E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1830796791.0000000004F4E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1830547597.0000000004F4E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1829150612.0000000004F4E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1829776196.0000000004F4E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1828806562.0000000004F4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: BitLockerToGo.exe, 00000002.00000002.4068012610.0000000002C14000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.3882223341.0000000002C14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/refox

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49745 version: TLS 1.2

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_02A0AE90 GdiplusStartup,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GdipCreateBitmapFromHBITMAP,GdipGetImageEncodersSize,GdipGetImageEncoders,GdipSaveImageToFile,DeleteObject,GdipDisposeImage,DeleteObject,ReleaseDC,GdiplusShutdown,

2_2_02A0AE90

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_05061510 __aulldiv,__aulldiv,__aulldiv,send,__aulldiv,__aulldiv,__aulldiv,send,ExitProcess,__aulldiv,__aulldiv,__aulldiv,send,__aulldiv,__aulldiv,__aulldiv,send,CreateThread,CloseHandle,lstrcatA,lstrcatA,CreateProcessA,lstrcatA,CreateProcessA,Sleep,SetThreadDesktop,OpenDesktopA,EnumDesktopWindows,CloseDesktop,CreateDesktopA,SetThreadDesktop,PostMessageA,PostMessageA,PostMessageA,WindowFromPoint,FindWindowA,GetWindowRect,PtInRect,PostMessageA,RealGetWindowClassA,lstrcmpA,SendMessageA,MenuItemFromPoint,GetMenuItemID,PostMessageA,PostMessageA,WindowFromPoint,SendMessageA,GetWindowLongA,SetWindowLongA,SendMessageA,PostMessageA,PostMessageA,GetWindowPlacement,PostMessageA,PostMessageA,WindowFromPoint,WindowFromPoint,WindowFromPoint,SendMessageA,GetWindowRect,MoveWindow,ScreenToClient,ChildWindowFromPoint,RealGetWindowClassA,RealGetWindowClassA,PostMessageA,PostMessageA,lstrcatA,lstrcatA,CreateProcessA,CreateProcessA,CreateProcessA,PostMessageA,GetCurrentThreadId,GetThreadDesktop,CreateThread,CloseHandle,send,shutdown,closesocket,

2_2_05061510

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.1769068121.000000C0026F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000001.00000002.1871116463.000000C002598000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000004.00000002.1962242072.000000C0025AA000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000004.00000002.1959576006.000000C0006B2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000001.00000002.1871116463.000000C002814000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000004.00000002.1962242072.000000C002826000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Process Stats: CPU usage > 49%

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_0505A360 CreateProcessAsUserA,CloseHandle,CloseHandle,WaitForSingleObject,GetExitCodeProcess,

2_2_0505A360

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A3E200	2_2_02A3E200
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A8E240	2_2_02A8E240
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A2C3B0	2_2_02A2C3B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A0E0B0	2_2_02A0E0B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A561A0	2_2_02A561A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A287E0	2_2_02A287E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A3C720	2_2_02A3C720
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02ACC4A0	2_2_02ACC4A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A60400	2_2_02A60400
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02AEA58E	2_2_02AEA58E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A24A10	2_2_02A24A10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A6286B	2_2_02A6286B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A2E9A0	2_2_02A2E9A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A3C9B0	2_2_02A3C9B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A38930	2_2_02A38930
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A8CEC0	2_2_02A8CEC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A42E70	2_2_02A42E70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A62F97	2_2_02A62F97
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A2AD70	2_2_02A2AD70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A23270	2_2_02A23270
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A3B3B0	2_2_02A3B3B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A8D340	2_2_02A8D340
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A43090	2_2_02A43090
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A5B160	2_2_02A5B160
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A41150	2_2_02A41150
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A357D0	2_2_02A357D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A37710	2_2_02A37710
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A49480	2_2_02A49480
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A5D4C0	2_2_02A5D4C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A8D5A0	2_2_02A8D5A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A55B20	2_2_02A55B20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02ADB830	2_2_02ADB830
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A3D840	2_2_02A3D840
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A31E10	2_2_02A31E10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A57E70	2_2_02A57E70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A25D70	2_2_02A25D70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A882B0	2_2_02A882B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02ACE220	2_2_02ACE220
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02AF8244	2_2_02AF8244
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A44387	2_2_02A44387
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A8E030	2_2_02A8E030
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A28069	2_2_02A28069
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A2E048	2_2_02A2E048
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A1A1F0	2_2_02A1A1F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A46160	2_2_02A46160
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A2E169	2_2_02A2E169
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A5E697	2_2_02A5E697
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02ABC690	2_2_02ABC690
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A58609	2_2_02A58609
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A8A780	2_2_02A8A780
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A58769	2_2_02A58769
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A024F0	2_2_02A024F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A5C4C9	2_2_02A5C4C9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02AA4411	2_2_02AA4411
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A165E9	2_2_02A165E9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A4C550	2_2_02A4C550
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A84550	2_2_02A84550
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02AB6550	2_2_02AB6550
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A88A6B	2_2_02A88A6B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A18BB8	2_2_02A18BB8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A32B99	2_2_02A32B99
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A38BC7	2_2_02A38BC7
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A8CB70	2_2_02A8CB70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02AEA8D0	2_2_02AEA8D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A4A830	2_2_02A4A830
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A90860	2_2_02A90860
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A14840	2_2_02A14840
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A829B0	2_2_02A829B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02AE4E88	2_2_02AE4E88
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02AE6EC0	2_2_02AE6EC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A94E00	2_2_02A94E00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A58E18	2_2_02A58E18
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A84F80	2_2_02A84F80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A9AF20	2_2_02A9AF20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A952F0	2_2_02A952F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A41208	2_2_02A41208
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A8F261	2_2_02A8F261
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02AD5390	2_2_02AD5390
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02AD1370	2_2_02AD1370
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A2B029	2_2_02A2B029
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A87040	2_2_02A87040
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A91040	2_2_02A91040
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A4F1B0	2_2_02A4F1B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A191B9	2_2_02A191B9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A331C6	2_2_02A331C6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A31110	2_2_02A31110
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A596F9	2_2_02A596F9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A5D628	2_2_02A5D628
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A85630	2_2_02A85630
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A91720	2_2_02A91720
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02AE1700	2_2_02AE1700
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A4B498	2_2_02A4B498
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A3B5F9	2_2_02A3B5F9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A23A68	2_2_02A23A68
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A9BBD0	2_2_02A9BBD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02AD3B20	2_2_02AD3B20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A87B10	2_2_02A87B10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A4B869	2_2_02A4B869
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A59999	2_2_02A59999
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A5F928	2_2_02A5F928
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A15970	2_2_02A15970
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A37977	2_2_02A37977
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A83FE0	2_2_02A83FE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A9FCA0	2_2_02A9FCA0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A83C70	2_2_02A83C70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A8DD90	2_2_02A8DD90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02AF9DD9	2_2_02AF9DD9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A17D20	2_2_02A17D20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_05061510	2_2_05061510
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_05058040	2_2_05058040
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0507A340	2_2_0507A340
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_05079C00	2_2_05079C00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0506EE70	2_2_0506EE70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_05057820	2_2_05057820
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0505D460	2_2_0505D460
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_05076470	2_2_05076470
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0505E490	2_2_0505E490
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_050A34F9	2_2_050A34F9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_050717E0	2_2_050717E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_050747F0	2_2_050747F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0505A640	2_2_0505A640
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_05095070	2_2_05095070
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_05054360	2_2_05054360
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_05099380	2_2_05099380
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_050953CF	2_2_050953CF
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0508ED00	2_2_0508ED00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_05094D2E	2_2_05094D2E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_050A2D60	2_2_050A2D60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_05072F50	2_2_05072F50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0505FE40	2_2_0505FE40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0505D8E0	2_2_0505D8E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_050A8BEB	2_2_050A8BEB

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: String function: 0508D5E0 appears 54 times
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: String function: 02ADE8F0 appears 53 times
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: String function: 02A90E80 appears 84 times
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: String function: 02A6CE60 appears 41 times

Source: MXpl6HFisn.exe	Static PE information: Number of sections : 12 > 10
Source: (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe.0.dr	Static PE information: Number of sections : 12 > 10

Source: MXpl6HFisn.exe, 00000000.00000002.1767327389.000000C001E3E000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameKVM Vision Viewer.exeD vs MXpl6HFisn.exe
Source: MXpl6HFisn.exe, 00000000.00000002.1764630027.000000C0001F5000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs MXpl6HFisn.exe
Source: MXpl6HFisn.exe, 00000000.00000002.1769068121.000000C002C22000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs MXpl6HFisn.exe
Source: MXpl6HFisn.exe, 00000000.00000003.1701201194.0000023CE7B30000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameKVM Vision Viewer.exeD vs MXpl6HFisn.exe
Source: MXpl6HFisn.exe, 00000000.00000003.1757024957.0000023CE79F0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs MXpl6HFisn.exe
Source: MXpl6HFisn.exe, 00000000.00000003.1763770095.0000023CE7DA6000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameKVM Vision Viewer.exeD vs MXpl6HFisn.exe
Source: MXpl6HFisn.exe, 00000000.00000002.1781559884.00007FF6A6BF5000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameupdate1503.exe8 vs MXpl6HFisn.exe
Source: MXpl6HFisn.exe, 00000000.00000002.1769068121.000000C00296C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameKVM Vision Viewer.exeD vs MXpl6HFisn.exe
Source: MXpl6HFisn.exe, 00000000.00000002.1769068121.000000C00296C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs MXpl6HFisn.exe
Source: MXpl6HFisn.exe, 00000000.00000002.1769068121.000000C002D65000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameupdate1503.exe8 vs MXpl6HFisn.exe
Source: MXpl6HFisn.exe, 00000000.00000002.1769068121.000000C002400000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameKVM Vision Viewer.exeD vs MXpl6HFisn.exe
Source: (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000000.1709669640.00007FF7B8D95000.00000008.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenameupdate1503.exe8 vs MXpl6HFisn.exe
Source: (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000002.1871116463.000000C002814000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameKVM Vision Viewer.exeD vs MXpl6HFisn.exe
Source: (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000002.1871116463.000000C002814000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs MXpl6HFisn.exe
Source: (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000002.1869403565.000000C0016F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameupdate1503.exe8 vs MXpl6HFisn.exe
Source: (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000003.1865976558.000001E67DEE6000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameKVM Vision Viewer.exeD vs MXpl6HFisn.exe
Source: (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000003.1862067365.000001E67DB70000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs MXpl6HFisn.exe
Source: (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000003.1862099559.000001E67DB30000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs MXpl6HFisn.exe
Source: (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000002.1869403565.000000C001CE6000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameKVM Vision Viewer.exeD vs MXpl6HFisn.exe
Source: (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000003.1807163070.000001E67DC70000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameKVM Vision Viewer.exeD vs MXpl6HFisn.exe
Source: (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000000.1793682334.00007FF7B8D95000.00000008.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenameupdate1503.exe8 vs MXpl6HFisn.exe
Source: (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000002.1960476547.000000C001CF8000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameKVM Vision Viewer.exeD vs MXpl6HFisn.exe
Source: (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000002.1962242072.000000C002B4E000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs MXpl6HFisn.exe
Source: (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000003.1936048127.0000027776D70000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs MXpl6HFisn.exe
Source: (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000002.1964029089.000000C004035000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameupdate1503.exe8 vs MXpl6HFisn.exe
Source: (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000003.1881301271.0000027776EB0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameKVM Vision Viewer.exeD vs MXpl6HFisn.exe
Source: (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000002.1962242072.000000C002826000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameKVM Vision Viewer.exeD vs MXpl6HFisn.exe
Source: (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000002.1962242072.000000C002826000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs MXpl6HFisn.exe
Source: (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000003.1936018932.0000027776DB0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs MXpl6HFisn.exe

Source: C:\Users\user\Desktop\MXpl6HFisn.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MXpl6HFisn.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\MXpl6HFisn.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\MXpl6HFisn.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: 00000000.00000002.1769068121.000000C0026F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000001.00000002.1871116463.000000C002598000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000004.00000002.1962242072.000000C0025AA000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000004.00000002.1959576006.000000C0006B2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000001.00000002.1871116463.000000C002814000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000004.00000002.1962242072.000000C002826000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@9/24@2/3

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_02A93220 GetLastError,GetVersionExA,FormatMessageW,LocalFree,FormatMessageA,

2_2_02A93220

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_02A92B40 GetVersionExA,CreateFileW,CreateFileA,GetDiskFreeSpaceW,GetDiskFreeSpaceA,

2_2_02A92B40

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_02A0C390 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,

2_2_02A0C390

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_02A46160 CopyFileA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,CopyFileA,GetUserNameA,CopyFileA,SHGetFolderPathA,CoInitialize,CoCreateInstance,MultiByteToWideChar,CoUninitialize,ShellExecuteA,

2_2_02A46160

Source: C:\Users\user\Desktop\MXpl6HFisn.exe

File created: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe

Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Mutant created: \Sessions\1\BaseNamedObjects\slickSlideAnd120

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

File created: C:\Users\user\AppData\Local\Temp\adobe3S903DOZntEK

Jump to behavior

Source: C:\Users\user\Desktop\MXpl6HFisn.exe	File opened: C:\Windows\system32\d0302a26f0ed28ccdce81572cf8cd1028c63f048c9335d664d9761c42b5dbf6dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA	Jump to behavior
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe	File opened: C:\Windows\system32\c86af2d723e0710b7134d6e4af68ef7880000ae7d68cad633f8174379f7214bdAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA	Jump to behavior
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe	File opened: C:\Windows\system32\346283a18873cd58eabb7a2be2ff6e75f220f81c682fdbe77aa33085aeebe489AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA	Jump to behavior

Source: MXpl6HFisn.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\MXpl6HFisn.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: MXpl6HFisn.exe, 00000000.00000002.1767327389.000000C001E3E000.00000004.00001000.00020000.00000000.sdmp, MXpl6HFisn.exe, 00000000.00000003.1763770095.0000023CE7C70000.00000004.00001000.00020000.00000000.sdmp, MXpl6HFisn.exe, 00000000.00000003.1701201194.0000023CE7B30000.00000004.00001000.00020000.00000000.sdmp, MXpl6HFisn.exe, 00000000.00000002.1769068121.000000C00296C000.00000004.00001000.00020000.00000000.sdmp, MXpl6HFisn.exe, 00000000.00000002.1769068121.000000C002400000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000002.1871116463.000000C002814000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000003.1865976558.000001E67DDB0000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000002.1869403565.000000C001CE6000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000003.1807163070.000001E67DC70000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: MXpl6HFisn.exe, 00000000.00000002.1767327389.000000C001E3E000.00000004.00001000.00020000.00000000.sdmp, MXpl6HFisn.exe, 00000000.00000003.1763770095.0000023CE7C70000.00000004.00001000.00020000.00000000.sdmp, MXpl6HFisn.exe, 00000000.00000003.1701201194.0000023CE7B30000.00000004.00001000.00020000.00000000.sdmp, MXpl6HFisn.exe, 00000000.00000002.1769068121.000000C00296C000.00000004.00001000.00020000.00000000.sdmp, MXpl6HFisn.exe, 00000000.00000002.1769068121.000000C002400000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000002.1871116463.000000C002814000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000003.1865976558.000001E67DDB0000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000002.1869403565.000000C001CE6000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000003.1807163070.000001E67DC70000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: TEtREnT7JaI7Login Data.2.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: MXpl6HFisn.exe	Virustotal: Detection: 36%
Source: MXpl6HFisn.exe	ReversingLabs: Detection: 42%

Source: MXpl6HFisn.exe	String found in binary or memory: google.golang.org/grpc@v1.62.0/internal/balancerload/load.go
Source: MXpl6HFisn.exe	String found in binary or memory: 500SNM8/WJmTlrtHo5fYJoHAvTJniG9TIJ1Fw6jJhVqKsGbb3KDvsivuRJuU0G5/Kn29bDvMRPWe2E9JA3Rrl9unCFzyjY445kDPy5McSufgeoG/0eeoEM0zzlb/AdDvZrLsrCaqu563nil/gAG/5N2taU+7piS3McYaVGKV8XjA28tOGwEXzehTy5NYTAbjqExFVROPKb257a3WdjE/gVSZM+Z4VXviN4bqgsvJpNkcaZxYoUc0tr4/PG/DUHBsP3P/
Source: MXpl6HFisn.exe	String found in binary or memory: net/addrselect.go
Source: MXpl6HFisn.exe	String found in binary or memory: github.com/saferwall/pe@v1.4.8/loadconfig.go
Source: (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe	String found in binary or memory: google.golang.org/grpc@v1.62.0/internal/balancerload/load.go
Source: (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe	String found in binary or memory: 500SNM8/WJmTlrtHo5fYJoHAvTJniG9TIJ1Fw6jJhVqKsGbb3KDvsivuRJuU0G5/Kn29bDvMRPWe2E9JA3Rrl9unCFzyjY445kDPy5McSufgeoG/0eeoEM0zzlb/AdDvZrLsrCaqu563nil/gAG/5N2taU+7piS3McYaVGKV8XjA28tOGwEXzehTy5NYTAbjqExFVROPKb257a3WdjE/gVSZM+Z4VXviN4bqgsvJpNkcaZxYoUc0tr4/PG/DUHBsP3P/
Source: (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe	String found in binary or memory: net/addrselect.go
Source: (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe	String found in binary or memory: github.com/saferwall/pe@v1.4.8/loadconfig.go
Source: BitLockerToGo.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: MXpl6HFisn.exe	String found in binary or memory: runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc= pcruntime: ggoroutine RIPEMD-160ChorasmianDevanagariGlagoliticKharoshthiManichaeanOld_ItalicOld_PermicOld_TurkicOld_UyghurPhoenicianSaurashtra.localhostwsarecvmsgwsasendmsgIP addressunixpacket netGo = SHA256-RSASHA384-RSASHA512-RSADSA-SHA256ECDSA-SHA1POSTALCODEexecerrdotSYSTEMROOT for type pick_firstChannel %s:authoritygrpc.Recv.grpc.Sent."INTERNAL"OutOfRangeConnectionlocal-addrRST_STREAMEND_STREAMSet-Cookie stream=%dset-cookieuser-agentkeep-aliveconnectionequivalentHost: %s
Source: MXpl6HFisn.exe	String found in binary or memory: stopm spinning nmidlelocked= needspinning=randinit twicestore64 failedsemaRoot queuebad allocCountbad span statestack overflow untyped args out of range no module dataruntime: seq1=runtime: goid= in goroutine unreachable: internal error.in-addr.arpa. mode: /log/filter.go/log/helper.godata truncated

Source: C:\Users\user\Desktop\MXpl6HFisn.exe

File read: C:\Users\user\Desktop\MXpl6HFisn.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\MXpl6HFisn.exe "C:\Users\user\Desktop\MXpl6HFisn.exe"
Source: unknown	Process created: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe "C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe"
Source: C:\Users\user\Desktop\MXpl6HFisn.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Source: unknown	Process created: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe "C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe"
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Source: C:\Users\user\Desktop\MXpl6HFisn.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Jump to behavior
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Jump to behavior
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: MXpl6HFisn.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: MXpl6HFisn.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: MXpl6HFisn.exe

Static file information: File size 21056512 > 1048576

Source: MXpl6HFisn.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x6cbc00
Source: MXpl6HFisn.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0xc7ba00

Source: MXpl6HFisn.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: BitLockerToGo.pdb source: MXpl6HFisn.exe, 00000000.00000002.1764630027.000000C0001F5000.00000004.00001000.00020000.00000000.sdmp, MXpl6HFisn.exe, 00000000.00000002.1769068121.000000C002C22000.00000004.00001000.00020000.00000000.sdmp, MXpl6HFisn.exe, 00000000.00000003.1757024957.0000023CE79F0000.00000004.00001000.00020000.00000000.sdmp, MXpl6HFisn.exe, 00000000.00000002.1769068121.000000C00296C000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000002.1871116463.000000C002814000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000003.1862067365.000001E67DB70000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000003.1862099559.000001E67DB30000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.4067895125.0000000002B90000.00000004.00000020.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000002.1962242072.000000C002B4E000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000003.1936048127.0000027776D70000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000002.1962242072.000000C002826000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000003.1936018932.0000027776DB0000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1919146241.0000000002B5E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000003.1999122763.00000000031CF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: MXpl6HFisn.exe, 00000000.00000002.1764630027.000000C0001F5000.00000004.00001000.00020000.00000000.sdmp, MXpl6HFisn.exe, 00000000.00000002.1769068121.000000C002C22000.00000004.00001000.00020000.00000000.sdmp, MXpl6HFisn.exe, 00000000.00000003.1757024957.0000023CE79F0000.00000004.00001000.00020000.00000000.sdmp, MXpl6HFisn.exe, 00000000.00000002.1769068121.000000C00296C000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000002.1871116463.000000C002814000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000003.1862067365.000001E67DB70000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000003.1862099559.000001E67DB30000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.4067895125.0000000002B90000.00000004.00000020.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000002.1962242072.000000C002B4E000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000003.1936048127.0000027776D70000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000002.1962242072.000000C002826000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000003.1936018932.0000027776DB0000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1919146241.0000000002B5E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000003.1999122763.00000000031CF000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_02A3C720 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

2_2_02A3C720

Source: MXpl6HFisn.exe	Static PE information: section name: .xdata
Source: (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe.0.dr	Static PE information: section name: .xdata

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02ADE4BA push ecx; ret	2_2_02ADE4CD
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0508D06F push ecx; ret	2_2_0508D082
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_050B3225 push esi; ret	2_2_050B322E

Source: C:\Users\user\Desktop\MXpl6HFisn.exe

File created: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe

Jump to dropped file

Boot Survival

Creates autostart registry keys with suspicious names

Source: C:\Users\user\Desktop\MXpl6HFisn.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe

Jump to behavior

Source: C:\Users\user\Desktop\MXpl6HFisn.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe			Jump to behavior
Source: C:\Users\user\Desktop\MXpl6HFisn.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe			Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_02A829B0 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

2_2_02A829B0

Source: C:\Users\user\Desktop\MXpl6HFisn.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Sandbox detection routine: GetCursorPos, DecisionNode, Sleep

graph_2-161722

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Evasive API call chain: GetPEB, DecisionNodes, Sleep

graph_2-163665

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: GetCursorPos,GetCursorPos,GetCursorPos,Sleep,GetCursorPos,Sleep,GetCursorPos,

2_2_02A62460

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Window / User API: threadDelayed 1595	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Window / User API: threadDelayed 1139	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Window / User API: threadDelayed 6510	Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 6460	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 3804	Thread sleep time: -543000s >= -30000s	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 6460	Thread sleep time: -1595000s >= -30000s	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 3804	Thread sleep time: -3417000s >= -30000s	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 6460	Thread sleep time: -6510000s >= -30000s	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 6880	Thread sleep count: 75 > 30	Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_02A66760 GetKeyboardLayoutList followed by cmp: cmp eax, 2eh and CTI: jc 02A66770h country: Upper Sorbian (hsb)

2_2_02A66760

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_02A930A0 GetSystemTime followed by cmp: cmp eax, 04h and CTI: jc 02A930F1h

2_2_02A930A0

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A3E200 SHGetFolderPathA,GetFileAttributesA,GetFileAttributesA,GetLastError,GetLastError,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CopyFileA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,CopyFileA,CopyFileA,__Mtx_unlock,__Mtx_unlock,	2_2_02A3E200
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02ADC3BA FindClose,FindFirstFileExW,GetLastError,	2_2_02ADC3BA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A0E0B0 CreateDirectoryA,CreateDirectoryA,FindFirstFileA,GetLastError,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,SHGetFolderPathA,GetFileAttributesA,GetFileAttributesA,GetLastError,GetLastError,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,GetFileAttributesA,GetFileAttributesA,GetLastError,__Mtx_unlock,GetFileAttributesA,__Mtx_unlock,CreateDirectoryA,GetFileAttributesA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,__Mtx_unlock,	2_2_02A0E0B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A0A6B0 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,__Mtx_unlock,	2_2_02A0A6B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A20CC3 FindFirstFileA,FindNextFileA,GetLastError,FindClose,	2_2_02A20CC3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02ADC440 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,	2_2_02ADC440
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A3FD60 FindFirstFileA,	2_2_02A3FD60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0508A17B GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,	2_2_0508A17B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_050590F0 FindFirstFileA,CreateDirectoryA,GetLastError,CopyFileA,CopyFileA,FindNextFileA,FindClose,GetLastError,	2_2_050590F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_05059990 FindFirstFileA,SetFileAttributesA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,	2_2_05059990

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

2_2_02A0C390

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Thread delayed: delay time: 30000

Jump to behavior

Source: BitLockerToGo.exe, 00000005.00000002.1920564820.0000000002B96000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: BitLockerToGo.exe, 00000002.00000003.3882145503.0000000004F7D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}]]
Source: BitLockerToGo.exe, 00000008.00000002.1999851047.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: BitLockerToGo.exe, 00000008.00000003.1999122763.0000000003217000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: BitLockerToGo.exe, 00000002.00000003.1791900220.0000000002BF9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}e
Source: BitLockerToGo.exe, 00000002.00000003.1831701071.0000000004F6C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}&%
Source: BitLockerToGo.exe, 00000008.00000002.1999851047.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: BitLockerToGo.exe, 00000002.00000003.3882223341.0000000002C31000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}5b64144ccf1df_1.1.19041.2006_none_d94bc80de1097097\
Source: BitLockerToGo.exe, 00000002.00000003.3882223341.0000000002C14000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}y
Source: BitLockerToGo.exe, 00000002.00000003.1803412679.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.4068012610.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.4067895125.0000000002B90000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.3882223341.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000002.1920564820.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1919146241.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000002.1999895233.0000000003242000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000003.1999122763.0000000003242000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000002.1999895233.0000000003208000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000003.1999122763.0000000003208000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: BitLockerToGo.exe, 00000002.00000002.4068353569.0000000004F60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}et
Source: BitLockerToGo.exe, 00000005.00000003.1919146241.0000000002B5E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb
Source: BitLockerToGo.exe, 00000008.00000003.1969479982.0000000003219000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: MXpl6HFisn.exe, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe	Binary or memory string: LAZ8i9NlUZ0lSPkzdHAg7kjRjkCnkH5aScnzZ0FLRc1HCl8Q+efVI91gv9Deb3GTYAJfB+FhRxsT7Jv//u2UkAKVUPsvpvijNnwUsTR98GVFC1yLAH9dfaCHlTb3Z3ZkP27Czki7TkW5TKALHxSHcPnVQvYyW/LygsnXcy92ZHGfShugzWK0nNUime6ySx5bkL6GpCGdzyz0hMhyFXSQ5pp4MJFYvJ+rBld0DtOfszB0z2XEyXUmRSOb8J/vYPKh/xrs
Source: BitLockerToGo.exe, 00000002.00000003.3882165826.0000000002C84000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}exe [2424]
Source: BitLockerToGo.exe, 00000005.00000002.1920564820.0000000002B96000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1919146241.0000000002B5E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW!
Source: MXpl6HFisn.exe, 00000000.00000002.1778270791.0000023CC2374000.00000004.00000020.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000002.1873704360.000001E65847C000.00000004.00000020.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000002.1965180617.000002773172F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: BitLockerToGo.exe, 00000005.00000003.1919146241.0000000002B5E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: BitLockerToGo.exe, 00000002.00000002.4068353569.0000000004F60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_7D9421B6M
Source: BitLockerToGo.exe, 00000002.00000002.4068353569.0000000004F60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: BitLockerToGo.exe, 00000002.00000002.4068353569.0000000004F60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_7D9421B6
Source: BitLockerToGo.exe, 00000002.00000002.4068353569.0000000004F60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: BitLockerToGo.exe, 00000005.00000003.1890881232.0000000002BAA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}b
Source: BitLockerToGo.exe, 00000002.00000003.3882223341.0000000002C31000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}ntEK\History\Firefox_fqs92o4p.default-release.txtl
Source: BitLockerToGo.exe, 00000005.00000003.1890881232.0000000002BA8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91e
Source: (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe	Binary or memory string: fDvj1yreL7RfHuqV3C2PUy8owhmOA+mCYLiETYIkDcTHBTrmX+wpLezG9YdaDHr5cGnuEo5uEiXCaky47RoK/bChyJEW8jCuhk0aFdyQMUoc5jMY9pXAd5S+9cgnKo0TT1IMuNG02lx46KKqpDU5dsQWx9sExIa7NSHGDDbBP93PLYhRsNMkCBklZVvmCi+FdsT8bWRGD9u3K8O6qmB6HAcWy5V6iF6kPQBBtPN7IxxvZanQWddbsZJJFtVb0Kepu3SW
Source: BitLockerToGo.exe, 00000005.00000002.1920564820.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1919146241.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWz8_x
Source: BitLockerToGo.exe, 00000002.00000002.4068353569.0000000004F60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}ntEKn(
Source: BitLockerToGo.exe, 00000002.00000002.4067895125.0000000002B90000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_02A143F0 IsDebuggerPresent,IsProcessorFeaturePresent,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegCloseKey,GetComputerNameA,

2_2_02A143F0

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_02A62F97 CreateThread,FindCloseChangeNotification,Sleep,GetTempPathA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,SetCurrentDirectoryA,CreateMutexA,GetLastError,Sleep,Sleep,Sleep,shutdown,closesocket,WSACleanup,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,Sleep,Sleep,Sleep,GetModuleHandleA,GetProcAddress,GetCurrentProcess,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,CreateThread,CreateThread,CreateThread,FreeLibrary,WaitForSingleObject,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,WaitForSingleObject,WaitForSingleObject,CloseHandle,OutputDebugStringA,CreateMutexA,GetLastError,Sleep,Sleep,Sleep,Sleep,Sleep,shutdown,closesocket,Sleep,

2_2_02A62F97

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_02A3C720 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

2_2_02A3C720

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A1C000 mov eax, dword ptr fs:[00000030h]	2_2_02A1C000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A62460 mov eax, dword ptr fs:[00000030h]	2_2_02A62460
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A62460 mov eax, dword ptr fs:[00000030h]	2_2_02A62460
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A6286B mov eax, dword ptr fs:[00000030h]	2_2_02A6286B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A6286B mov eax, dword ptr fs:[00000030h]	2_2_02A6286B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A6286B mov eax, dword ptr fs:[00000030h]	2_2_02A6286B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A6286B mov eax, dword ptr fs:[00000030h]	2_2_02A6286B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A62F97 mov eax, dword ptr fs:[00000030h]	2_2_02A62F97
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A62F97 mov ecx, dword ptr fs:[00000030h]	2_2_02A62F97
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A62F97 mov eax, dword ptr fs:[00000030h]	2_2_02A62F97
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A62F97 mov eax, dword ptr fs:[00000030h]	2_2_02A62F97
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A62F97 mov eax, dword ptr fs:[00000030h]	2_2_02A62F97
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A62F97 mov eax, dword ptr fs:[00000030h]	2_2_02A62F97
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A62F97 mov eax, dword ptr fs:[00000030h]	2_2_02A62F97
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A62F97 mov eax, dword ptr fs:[00000030h]	2_2_02A62F97
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A62F97 mov eax, dword ptr fs:[00000030h]	2_2_02A62F97
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A62F97 mov eax, dword ptr fs:[00000030h]	2_2_02A62F97
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A62F97 mov eax, dword ptr fs:[00000030h]	2_2_02A62F97
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A62F97 mov eax, dword ptr fs:[00000030h]	2_2_02A62F97
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A62F97 mov eax, dword ptr fs:[00000030h]	2_2_02A62F97
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A62F97 mov eax, dword ptr fs:[00000030h]	2_2_02A62F97
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A62F97 mov eax, dword ptr fs:[00000030h]	2_2_02A62F97
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A62F97 mov eax, dword ptr fs:[00000030h]	2_2_02A62F97
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A62F97 mov eax, dword ptr fs:[00000030h]	2_2_02A62F97
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A62F97 mov eax, dword ptr fs:[00000030h]	2_2_02A62F97
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A3D840 mov eax, dword ptr fs:[00000030h]	2_2_02A3D840
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A1C000 mov eax, dword ptr fs:[00000030h]	2_2_02A1C000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A141E0 mov eax, dword ptr fs:[00000030h]	2_2_02A141E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A641C3 mov eax, dword ptr fs:[00000030h]	2_2_02A641C3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A64405 mov eax, dword ptr fs:[00000030h]	2_2_02A64405
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A14840 mov eax, dword ptr fs:[00000030h]	2_2_02A14840
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A14840 mov eax, dword ptr fs:[00000030h]	2_2_02A14840
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A14840 mov eax, dword ptr fs:[00000030h]	2_2_02A14840
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A14840 mov eax, dword ptr fs:[00000030h]	2_2_02A14840
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A14840 mov eax, dword ptr fs:[00000030h]	2_2_02A14840
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A14840 mov eax, dword ptr fs:[00000030h]	2_2_02A14840
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A14840 mov eax, dword ptr fs:[00000030h]	2_2_02A14840
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A14840 mov eax, dword ptr fs:[00000030h]	2_2_02A14840
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A14840 mov eax, dword ptr fs:[00000030h]	2_2_02A14840
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A14840 mov eax, dword ptr fs:[00000030h]	2_2_02A14840
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A14840 mov eax, dword ptr fs:[00000030h]	2_2_02A14840
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A14840 mov eax, dword ptr fs:[00000030h]	2_2_02A14840
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A1C000 mov eax, dword ptr fs:[00000030h]	2_2_02A1C000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A14D29 mov eax, dword ptr fs:[00000030h]	2_2_02A14D29
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A153F8 mov eax, dword ptr fs:[00000030h]	2_2_02A153F8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A1C000 mov eax, dword ptr fs:[00000030h]	2_2_02A1C000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A63058 mov eax, dword ptr fs:[00000030h]	2_2_02A63058
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A15718 mov eax, dword ptr fs:[00000030h]	2_2_02A15718
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A1C000 mov eax, dword ptr fs:[00000030h]	2_2_02A1C000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A638E8 mov eax, dword ptr fs:[00000030h]	2_2_02A638E8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A15970 mov ecx, dword ptr fs:[00000030h]	2_2_02A15970
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02A1FF70 mov eax, dword ptr fs:[00000030h]	2_2_02A1FF70

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_02A089A0 GetModuleHandleA,GetProcAddress,GetProcessHeap,HeapAlloc,HeapFree,HeapAlloc,HeapFree,

2_2_02A089A0

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02ADE6E4 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_02ADE6E4
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02ADEA8D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_02ADEA8D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_02AE2FC4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_02AE2FC4
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0508D469 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_0508D469
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_050964F5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_050964F5
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0508D756 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_0508D756

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\MXpl6HFisn.exe	Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2A00000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe	Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 26B0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe	Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2EA0000 protect: page execute and read and write	Jump to behavior

Contains functionality to inject threads in other processes

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_02A19EB0 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,

2_2_02A19EB0

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\MXpl6HFisn.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2A00000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 26B0000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2EA0000 value starts with: 4D5A	Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\MXpl6HFisn.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2A00000	Jump to behavior
Source: C:\Users\user\Desktop\MXpl6HFisn.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 29BD008	Jump to behavior
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 26B0000	Jump to behavior
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 29DA008	Jump to behavior
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2EA0000	Jump to behavior
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2C4C008	Jump to behavior

Source: C:\Users\user\Desktop\MXpl6HFisn.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Jump to behavior
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Jump to behavior
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_02ADE2E6 cpuid

2_2_02ADE2E6

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,	2_2_02A0C390
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: GetLocaleInfoEx,FormatMessageA,	2_2_02ADC1B6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	2_2_02AFE6DB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	2_2_02AFEAF8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: EnumSystemLocalesW,	2_2_02AFEA6D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: GetLocaleInfoW,	2_2_02AFE8E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: EnumSystemLocalesW,	2_2_02AFE987
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: EnumSystemLocalesW,	2_2_02AFE9D2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	2_2_02AFEE74
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: GetLocaleInfoW,	2_2_02AFEF7A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: GetLocaleInfoW,	2_2_02AFED4B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	2_2_02AFF050
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: EnumSystemLocalesW,	2_2_02AF596A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: GetLocaleInfoW,	2_2_02AF5EED
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	2_2_050A841C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: GetLocaleInfoW,	2_2_050A8117
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: GetLocaleInfoW,	2_2_050A8346
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	2_2_050A8240
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: EnumSystemLocalesW,	2_2_050A7D53
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: EnumSystemLocalesW,	2_2_050A7D51
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: EnumSystemLocalesW,	2_2_050A7D9E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: GetLocaleInfoW,	2_2_0509BD97
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: GetLocaleInfoEx,FormatMessageA,	2_2_05089F98
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: EnumSystemLocalesW,	2_2_050A7E39
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	2_2_050A7EC4
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: EnumSystemLocalesW,	2_2_0509B82B

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\Desktop\MXpl6HFisn.exe	Queries volume information: C:\Users\user\Desktop\MXpl6HFisn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MXpl6HFisn.exe	Queries volume information: C:\Users\user\Desktop\MXpl6HFisn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MXpl6HFisn.exe	Queries volume information: C:\Windows VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MXpl6HFisn.exe	Queries volume information: C:\Windows\AppReadiness VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MXpl6HFisn.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MXpl6HFisn.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MXpl6HFisn.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe	Queries volume information: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe	Queries volume information: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe	Queries volume information: C:\Windows VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe	Queries volume information: C:\Windows\AppReadiness VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe	Queries volume information: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe	Queries volume information: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe	Queries volume information: C:\Windows VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe	Queries volume information: C:\Windows\AppReadiness VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

2_2_02A0C390

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

2_2_02A0C390

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

2_2_02A0C390

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_02A92B40 GetVersionExA,CreateFileW,CreateFileA,GetDiskFreeSpaceW,GetDiskFreeSpaceA,

2_2_02A92B40

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected RisePro Stealer

Source: Yara match	File source: 00000002.00000003.1836476956.0000000005203000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4068353569.0000000004F00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\gC7STejDE3WmjzylxWa3QT6.zip, type: DROPPED

Found many strings related to Crypto-Wallets (likely being stolen)

Source: BitLockerToGo.exe, 00000002.00000003.1831664218.0000000004F60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: BitLockerToGo.exe, 00000002.00000003.1831664218.0000000004F60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\ElectronCash\wallets
Source: MXpl6HFisn.exe	String found in binary or memory: xLto3LGtv5CKXSSE5+nVIVaYPjAXXGgqV6cjexCM4VtMBfGvXcNh7/76oyR9jWbgZkloaUNL4OwebNCXz0RIHaVzY6vRG03qCgbw7IYhmoT4V5OP/xcFjPgrZNZB8YMIQdGec81HD/fLYV4cOYssg9TbUjN7/mEKRq1lKBntR05T5l4BXNuC3o/CAO6dFIgqDSiSrME85itPr1HsR8pMwsntWSCnOw9awPz9NljR+I3n3EcUKlAAB16Ge1MzHCgJVktU
Source: BitLockerToGo.exe, 00000002.00000003.1834309967.0000000004F6C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: BitLockerToGo.exe, 00000002.00000003.1834309967.0000000004F6C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: BitLockerToGo.exe, 00000002.00000002.4068353569.0000000004F00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Ledger Live

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\places.sqlite	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\signons.sqlite	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\formhistory.sqlite	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\signons.sqlite	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\logins.json	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Remote Access Functionality

Yara detected RisePro Stealer

Source: Yara match	File source: 00000002.00000003.1836476956.0000000005203000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4068353569.0000000004F00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\gC7STejDE3WmjzylxWa3QT6.zip, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	11 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	1 OS Credential Dumping	12 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 Create Account	1 Valid Accounts	2 Obfuscated Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Valid Accounts	1 Access Token Manipulation	1 DLL Side-Loading	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Screen Capture	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	11 Registry Run Keys / Startup Folder	411 Process Injection	1 Masquerading	NTDS	57 System Information Discovery	Distributed Component Object Model	1 Email Collection	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	11 Registry Run Keys / Startup Folder	1 Valid Accounts	LSA Secrets	241 Security Software Discovery	SSH	Keylogging	13 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Access Token Manipulation	Cached Domain Credentials	111 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	111 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	411 Process Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
MXpl6HFisn.exe	36%	Virustotal		Browse
MXpl6HFisn.exe	42%	ReversingLabs	Win64.Trojan.Generic

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe	42%	ReversingLabs	Win64.Trojan.Generic
C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe	47%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://t.p	0%	Avira URL Cloud	safe
https://t.V	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ipinfo.io	34.117.186.192	true	false		high
db-ip.com	104.26.5.15	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://db-ip.com/demo/home.php?s=102.165.48.43	false		high
https://ipinfo.io/widget/demo/102.165.48.43	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	BitLockerToGo.exe, 00000002.00000003.1825988400.0000000004F67000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1827211496.0000000004F86000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1828884319.0000000004F8D000.00000004.00000020.00020000.00000000.sdmp, jKXEuRSxIEMXWeb Data.2.dr	false		high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF	BitLockerToGo.exe, 00000002.00000003.1828806562.0000000004F4E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ipinfo.io:443/widget/demo/102.165.48.43:	BitLockerToGo.exe, 00000008.00000002.1999895233.0000000003216000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000003.1999122763.0000000003217000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	BitLockerToGo.exe, 00000002.00000003.1825988400.0000000004F67000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1827211496.0000000004F86000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1828884319.0000000004F8D000.00000004.00000020.00020000.00000000.sdmp, jKXEuRSxIEMXWeb Data.2.dr	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	BitLockerToGo.exe, 00000002.00000003.1825988400.0000000004F67000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1827211496.0000000004F86000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1828884319.0000000004F8D000.00000004.00000020.00020000.00000000.sdmp, jKXEuRSxIEMXWeb Data.2.dr	false		high
https://ipinfo.io/O	BitLockerToGo.exe, 00000002.00000002.4067895125.0000000002B90000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t.me/risepro_botrisep	BitLockerToGo.exe, 00000002.00000002.4068012610.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.3882223341.0000000002C31000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ipinfo.io/R	BitLockerToGo.exe, 00000008.00000002.1999851047.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://db-ip.com/	BitLockerToGo.exe, 00000002.00000003.1803412679.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000002.1999895233.000000000326C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000003.1999122763.000000000326C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ipinfo.io/widget/demo/102.165.48.43o	BitLockerToGo.exe, 00000002.00000002.4068012610.0000000002C14000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.3882223341.0000000002C14000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t.p	BitLockerToGo.exe, 00000005.00000002.1920564820.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1919146241.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll	MXpl6HFisn.exe, 00000000.00000002.1767327389.000000C001E3E000.00000004.00001000.00020000.00000000.sdmp, MXpl6HFisn.exe, 00000000.00000003.1763770095.0000023CE7C70000.00000004.00001000.00020000.00000000.sdmp, MXpl6HFisn.exe, 00000000.00000003.1701201194.0000023CE7B30000.00000004.00001000.00020000.00000000.sdmp, MXpl6HFisn.exe, 00000000.00000002.1769068121.000000C00296C000.00000004.00001000.00020000.00000000.sdmp, MXpl6HFisn.exe, 00000000.00000002.1769068121.000000C002400000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000002.1871116463.000000C002814000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000003.1865976558.000001E67DDB0000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000002.1869403565.000000C001CE6000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000003.1807163070.000001E67DC70000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000002.1960476547.000000C001CF8000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000003.1881301271.0000027776EB0000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000002.1962242072.000000C002826000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000002.1920173465.00000000026B0000.00000040.00000400.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000002.1999600227.0000000002EA0000.00000040.00000400.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	BitLockerToGo.exe, 00000002.00000003.1825988400.0000000004F67000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1827211496.0000000004F86000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1828884319.0000000004F8D000.00000004.00000020.00020000.00000000.sdmp, jKXEuRSxIEMXWeb Data.2.dr	false		high
https://golang.org/doc/faq#nil_errortls:	MXpl6HFisn.exe, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe.0.dr	false		high
https://ipinfo.io:443/widget/demo/102.165.48.43P$	BitLockerToGo.exe, 00000002.00000002.4067895125.0000000002BF6000.00000004.00000020.00020000.00000000.sdmp	false		high
https://db-ip.com/s	BitLockerToGo.exe, 00000002.00000003.1803412679.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.4068012610.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.3882223341.0000000002C31000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t.me/RiseProSUPPORT	BitLockerToGo.exe, 00000002.00000002.4067895125.0000000002B90000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.4068353569.0000000004F00000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000002.1920528481.0000000002B48000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000002.1999851047.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	BitLockerToGo.exe, 00000002.00000003.1825988400.0000000004F67000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1827211496.0000000004F86000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1828884319.0000000004F8D000.00000004.00000020.00020000.00000000.sdmp, jKXEuRSxIEMXWeb Data.2.dr	false		high
https://db-ip.com/-	BitLockerToGo.exe, 00000005.00000002.1920564820.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1919146241.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	BitLockerToGo.exe, 00000002.00000003.1826342628.0000000004F64000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1828530915.0000000004F7C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	BitLockerToGo.exe, 00000002.00000003.1826342628.0000000004F64000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1828530915.0000000004F7C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://db-ip.com:443/demo/home.php?s=102.165.48.43	BitLockerToGo.exe, 00000002.00000002.4067895125.0000000002BF6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1919146241.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000002.1920564820.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000002.1999895233.0000000003216000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000003.1999122763.0000000003217000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	BitLockerToGo.exe, 00000002.00000003.1825988400.0000000004F67000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1827211496.0000000004F86000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1828884319.0000000004F8D000.00000004.00000020.00020000.00000000.sdmp, jKXEuRSxIEMXWeb Data.2.dr	false		high
https://ipinfo.io/Mozilla/5.0	BitLockerToGo.exe, 00000002.00000002.4068012610.0000000002C14000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.3882223341.0000000002C14000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1919146241.0000000002BC3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000002.1920564820.0000000002BC3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000003.1999122763.0000000003235000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000002.1999895233.0000000003235000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	BitLockerToGo.exe, 00000002.00000003.1828806562.0000000004F4E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	BitLockerToGo.exe, 00000002.00000003.1825988400.0000000004F67000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1827211496.0000000004F86000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1828884319.0000000004F8D000.00000004.00000020.00020000.00000000.sdmp, jKXEuRSxIEMXWeb Data.2.dr	false		high
https://t.me/risepro_bot	BitLockerToGo.exe, 00000008.00000003.1999122763.000000000326C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000002.1999895233.000000000329B000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.2.dr	false		high
https://t.V	BitLockerToGo.exe, 00000002.00000002.4068012610.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.3882223341.0000000002C31000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ipinfo.io/	BitLockerToGo.exe, 00000005.00000002.1920528481.0000000002B48000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000002.1920564820.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1919146241.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000002.1999851047.00000000031B7000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000002.1999895233.000000000326C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000003.1999122763.000000000326C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000003.1999122763.0000000003235000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000002.1999895233.0000000003235000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t.me/RiseProSUPPORTR	BitLockerToGo.exe, 00000008.00000002.1999851047.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t.me/risepro_botbackup	BitLockerToGo.exe, 00000002.00000002.4068012610.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.3882223341.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000002.1920564820.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1919146241.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.maxmind.com/en/locate-my-ip-address	BitLockerToGo.exe	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	BitLockerToGo.exe, 00000002.00000003.1825988400.0000000004F67000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1827211496.0000000004F86000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1828884319.0000000004F8D000.00000004.00000020.00020000.00000000.sdmp, jKXEuRSxIEMXWeb Data.2.dr	false		high
https://ipinfo.io/s	BitLockerToGo.exe, 00000005.00000002.1920528481.0000000002B48000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ipinfo.io/t	BitLockerToGo.exe, 00000008.00000002.1999851047.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.winimage.com/zLibDll	MXpl6HFisn.exe, 00000000.00000002.1767327389.000000C001E3E000.00000004.00001000.00020000.00000000.sdmp, MXpl6HFisn.exe, 00000000.00000003.1763770095.0000023CE7C70000.00000004.00001000.00020000.00000000.sdmp, MXpl6HFisn.exe, 00000000.00000003.1701201194.0000023CE7B30000.00000004.00001000.00020000.00000000.sdmp, MXpl6HFisn.exe, 00000000.00000002.1769068121.000000C00296C000.00000004.00001000.00020000.00000000.sdmp, MXpl6HFisn.exe, 00000000.00000002.1769068121.000000C002400000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000002.1871116463.000000C002814000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000003.1865976558.000001E67DDB0000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000002.1869403565.000000C001CE6000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000003.1807163070.000001E67DC70000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, BitLockerToGo.exe, 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000002.1960476547.000000C001CF8000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000003.1881301271.0000027776EB0000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000002.1962242072.000000C002826000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000002.1920173465.00000000026B0000.00000040.00000400.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000002.1999600227.0000000002EA0000.00000040.00000400.00020000.00000000.sdmp	false		high
https://ipinfo.io:443/widget/demo/102.165.48.43	BitLockerToGo.exe, 00000005.00000003.1919146241.0000000002BC3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000002.1920564820.0000000002BC3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	BitLockerToGo.exe, 00000002.00000003.1825988400.0000000004F67000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1827211496.0000000004F86000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1828884319.0000000004F8D000.00000004.00000020.00020000.00000000.sdmp, jKXEuRSxIEMXWeb Data.2.dr	false		high
https://t.me/risepro_bott	BitLockerToGo.exe, 00000005.00000002.1920564820.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1919146241.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t.me/risepro_botisepro_botc	BitLockerToGo.exe, 00000005.00000003.1919146241.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000003.1999122763.000000000326C000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.117.186.192	ipinfo.io	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
95.216.41.236	unknown	Germany	24940	HETZNER-ASDE	true
104.26.5.15	db-ip.com	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1417443
Start date and time:	2024-03-29 09:51:12 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	MXpl6HFisn.exe renamed because original name is a hash value
Original Sample Name:	0aadbca2d0a26b8f90fd4f31cb7f2ffc.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@9/24@2/3
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 69% Number of executed functions: 74 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, PID 2032 because there are no executed function
Execution Graph export aborted for target MXpl6HFisn.exe, PID 6880 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:51:57	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe
08:52:05	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe
09:52:18	API Interceptor	7436556x Sleep call for process: BitLockerToGo.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
34.117.186.192	SecuriteInfo.com.Win32.Evo-gen.24318.16217.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	SecuriteInfo.com.Win32.Evo-gen.28489.31883.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	Raptor.HardwareService.Setup 1.msi	Get hash	malicious	Unknown	Browse	ipinfo.io/ip
	Conferma_Pdf_Editor.exe	Get hash	malicious	Planet Stealer	Browse	ipinfo.io/
	Conferma_Pdf_Editor.exe	Get hash	malicious	Planet Stealer	Browse	ipinfo.io/
	w.sh	Get hash	malicious	Xmrig	Browse	/ip
	Raptor.HardwareService.Setup_2.3.6.0.msi	Get hash	malicious	Unknown	Browse	ipinfo.io/ip
	Raptor.HardwareService.Setup_2.3.6.0.msi	Get hash	malicious	Unknown	Browse	ipinfo.io/ip
	uUsgzQ3DoW.exe	Get hash	malicious	RedLine	Browse	ipinfo.io/ip
	8BZBgbeCcz.exe	Get hash	malicious	RedLine	Browse	ipinfo.io/ip
104.26.5.15	SecuriteInfo.com.Win64.Evo-gen.17494.7440.exe	Get hash	malicious	Unknown	Browse	api.db-ip.com/v2/free/127.0.0.1
	Nemty.exe	Get hash	malicious	Nemty	Browse	api.db-ip.com/v2/free/84.17.52.2/countryName
	227.exe	Get hash	malicious	Nemty	Browse	api.db-ip.com/v2/free/102.129.143.40/countryName

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ipinfo.io	XqC4Zcp8qg.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	3MdZ1WiAYP.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	7GofFHQDvk.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	88Oj06xDol.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	uQeIMs91Vh.exe	Get hash	malicious	Amadey, PureLog Stealer, RedLine, RisePro Stealer, zgRAT	Browse	34.117.186.192
	jUlAlD6KHz.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	Iv88OQbqpE.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	file.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	https://cloudflare-ipfs.com/ipfs/QmWogjL6GutGKbdVU2x417hXn56fpyEV8KCHFJUBJrcBaA/#hello@domain.com	Get hash	malicious	HTMLPhisher	Browse	34.117.186.192
	i1crvbOZAP.exe	Get hash	malicious	Amadey, Glupteba, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader	Browse	34.117.186.192
db-ip.com	XqC4Zcp8qg.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.5.15
	3MdZ1WiAYP.exe	Get hash	malicious	RisePro Stealer	Browse	172.67.75.166
	7GofFHQDvk.exe	Get hash	malicious	RisePro Stealer	Browse	172.67.75.166
	88Oj06xDol.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.5.15
	uQeIMs91Vh.exe	Get hash	malicious	Amadey, PureLog Stealer, RedLine, RisePro Stealer, zgRAT	Browse	104.26.5.15
	jUlAlD6KHz.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.5.15
	Iv88OQbqpE.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.5.15
	file.exe	Get hash	malicious	RisePro Stealer	Browse	172.67.75.166
	i1crvbOZAP.exe	Get hash	malicious	Amadey, Glupteba, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader	Browse	104.26.4.15
	file.exe	Get hash	malicious	LummaC, PureLog Stealer, RisePro Stealer	Browse	172.67.75.166

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	l2ZKczbGRq.exe	Get hash	malicious	Amadey, PureLog Stealer, RedLine, RisePro Stealer, zgRAT	Browse	34.117.186.192
	XqC4Zcp8qg.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	3MdZ1WiAYP.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	7GofFHQDvk.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	88Oj06xDol.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	https://attwebupdate.w3spaces.com/	Get hash	malicious	Unknown	Browse	34.117.239.71
	uQeIMs91Vh.exe	Get hash	malicious	Amadey, PureLog Stealer, RedLine, RisePro Stealer, zgRAT	Browse	34.117.186.192
	jUlAlD6KHz.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	Iv88OQbqpE.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	file.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
HETZNER-ASDE	Mcb5K3TOWT.exe	Get hash	malicious	Unknown	Browse	144.76.170.20
	getscreen-728974364.exe	Get hash	malicious	Unknown	Browse	5.75.168.191
	getscreen-728974364.exe	Get hash	malicious	Unknown	Browse	5.75.168.191
	file.exe	Get hash	malicious	Vidar	Browse	78.46.229.36
	BuThoFHNNK.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, Glupteba, LummaC Stealer, SmokeLoader	Browse	78.46.229.36
	6uVlPQSJ4e.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, Glupteba, LummaC Stealer, SmokeLoader	Browse	78.46.229.36
	file.exe	Get hash	malicious	Vidar	Browse	78.46.229.36
	JAJL2EYBPH.exe	Get hash	malicious	DCRat	Browse	138.201.79.103
	https://mnrdtfqrcyfqiou.s3.amazonaws.com/mnrdtfqrcyfqiou.html#4HHHnO7279bGJq492fumheqtoju1686NCUIKVMPNMDQVMT689230/736882Y21#qgow23ahs76jjbq8j26ouc8n3ucpjfst25g85oeaei03mafty5n389r	Get hash	malicious	HTMLPhisher	Browse	49.12.134.254
	cvdLNZXNPZ.elf	Get hash	malicious	Mirai	Browse	188.42.90.189
CLOUDFLARENETUS	https://airdrop-online-altlayer-anniversary.s3.us-east-2.amazonaws.com/posten.html?cid=freetomfr@hotmail.com	Get hash	malicious	Phisher	Browse	172.64.150.248
	7ITPeT3VWW.exe	Get hash	malicious	LummaC	Browse	104.21.38.98
	l2ZKczbGRq.exe	Get hash	malicious	Amadey, PureLog Stealer, RedLine, RisePro Stealer, zgRAT	Browse	104.26.4.15
	XqC4Zcp8qg.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.5.15
	3MdZ1WiAYP.exe	Get hash	malicious	RisePro Stealer	Browse	172.67.75.166
	7GofFHQDvk.exe	Get hash	malicious	RisePro Stealer	Browse	172.67.75.166
	TBC#01 Rev.A3 - lnexa.xls.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	DHL_LHER000678175.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	inpau292101.js	Get hash	malicious	FormBook	Browse	172.67.215.45
	https://brilink.me/xD6ksa	Get hash	malicious	Unknown	Browse	104.21.37.172

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	7ITPeT3VWW.exe	Get hash	malicious	LummaC	Browse	104.26.5.15 34.117.186.192
	XqC4Zcp8qg.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.5.15 34.117.186.192
	3MdZ1WiAYP.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.5.15 34.117.186.192
	7GofFHQDvk.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.5.15 34.117.186.192
	20qMFnd9tO.exe	Get hash	malicious	LummaC	Browse	104.26.5.15 34.117.186.192
	88Oj06xDol.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.5.15 34.117.186.192
	uQeIMs91Vh.exe	Get hash	malicious	Amadey, PureLog Stealer, RedLine, RisePro Stealer, zgRAT	Browse	104.26.5.15 34.117.186.192
	Zam#U00f3wienie_27900045542300.CMD.cmd	Get hash	malicious	DBatLoader, Remcos	Browse	104.26.5.15 34.117.186.192
	jUlAlD6KHz.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.5.15 34.117.186.192
	Document 20240327_1188908_1188909.bat	Get hash	malicious	Remcos, DBatLoader	Browse	104.26.5.15 34.117.186.192

Dropped Files

⊘No context

Created / dropped Files

C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe

Download File

Process:	C:\Users\user\Desktop\MXpl6HFisn.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	21056512
Entropy (8bit):	5.476356034801967
Encrypted:	false
SSDEEP:	98304:rFrNAOGfsjEhnR91LLdASLKR7jjYLgIXW86sfr9rmp4QJEf3v5EzlNTDLjDvIy0:3G0jEhnlLLdAdjjY84NAEf3vaBNHjc
MD5:	0AADBCA2D0A26B8F90FD4F31CB7F2FFC
SHA1:	57246459C3890DFCD49FB792CC55A45E3BD6C48E
SHA-256:	4BEE7D558A5346BFFA5CC2393B579BD8ABBDD6BEEF0EDE8E71AEAE10DD5FF207
SHA-512:	62D64664DC307C423BCE2EF3BE545026DFDC120598E42B22AB51A2F1C139BE7D2C083E68D03605F8E85CEB764DC8E9B51F6D51F12EA4D67C33123CDF47D99CE3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 42% Antivirus: Virustotal, Detection: 47%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................$..l..HA................@..............................J......TA...`... .......................................G.N.....G.X....PG......`;.(i............H.8?...........................K;.(.....................G.X............................text.....l.......l.................`.``.data.........l.......l.............@.`..rdata..0.....s.......s.............@.`@.pdata..(i...`;..j...H;.............@.0@.xdata..P.....=.......=.............@.0@.bss.... .....=.......................`..edata..N.....G.......=.............@.0@.idata..X.....G.......=.............@.0..CRT....p....0G.......=.............@.@..tls.........@G.......=.............@.@..rsrc........PG..0....=.............@.0..reloc..8?....H..@....?.............@.0B................................................................................................................................

C:\Users\user\AppData\Local\Temp\adobe3S903DOZntEK\Cookies\Chrome_Default.txt

Download File

Process:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
File Type:	ASCII text, with very long lines (769), with CRLF line terminators
Category:	dropped
Size (bytes):	6085
Entropy (8bit):	6.038274200863744
Encrypted:	false
SSDEEP:	96:gxsumX/xKO2KbcRfbZJ5Jxjxcx1xcbza5BC126oxgxA26Fxr/CxbTxqCGYURxOeb:gWFXZQHRFJ5Pts7c3avC126Ygb6Lr/WY
MD5:	ACB5AD34236C58F9F7D219FB628E3B58
SHA1:	02E39404CA22F1368C46A7B8398F5F6001DB8F5C
SHA-256:	05E5013B848C2E619226F9E7A084DC7DCD1B3D68EE45108F552DB113D21B49D1
SHA-512:	5895F39765BA3CEDFD47D57203FD7E716347CD79277EDDCDC83A729A86E2E59F03F0E7B6B0D0E7C7A383755001EDACC82171052BE801E015E6BF7E6B9595767F
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.google.com.TRUE./.TRUE.1712145003.NID.ENC893_djEw3+k+F2A/rK1XOX2BXUq6pY2LBCOzoXODiJnrrvDbDsPWiYwKZowg9PxHqkTm37HpwC52rXpnuUFrQMpV3iKtdSHegOm+XguZZ6tGaCY2hGVyR8JgIqQma1WLXyhCiWqjou7/c3qSeaKyNoUKHa4TULX4ZnNNtXFoCuZcBAAy4tYcz+0BF4j/0Pg+MgV+s7367kYcjO4q3zwc+XorjSs7PlgWlYrcc55rCJplhJ+H13M00HIdLm+1t9PACck2xxSWX2DsA61sEDJCHEc=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=..support.microsoft.com.FALSE./.TRUE.1696413835..AspNetCore.AuthProvider.ENC893_djEwVWJCCNyFkY3ZM/58ZZ/F/bz9H1yPvi6FOaroXC+KU8E=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=..support.microsoft.com.TRUE./signin-oidc.TRUE.1696414135..AspNetCore.Correlation.mdRqPJxLbpyv7vX0eK9YkTR-xwcrW3VBLE4Y3HEvxuU.ENC893_djEwBAKLrkJs5PZ6BD7Beoa9N/bOSh5JtRch10gZT+E=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=..support.microsoft.com.TRUE./signin-oidc.TRUE.1696414135..AspNetCore.OpenIdConnect.Nonce.CfDJ8Kiuy_B5JgFMo7PeP95NLhqwcJ8koDy5pXkfoWsb5SbbU2hVCbsH2qt9GF_OVCqFkLEwhvzeADNQOF5RSmkDfh5RqfqlOkx5QWo4Lltvwb0CvwBFD8ujlm3BAglOeGca3ZatkLMUkH

C:\Users\user\AppData\Local\Temp\adobe3S903DOZntEK\History\Firefox_fqs92o4p.default-release.txt

Download File

Process:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	112
Entropy (8bit):	4.911305722693245
Encrypted:	false
SSDEEP:	3:N8DSLvIJiMgTE2WdkQUl7R8DSLvIJiMhKVX3L2WdkQUlv:2OLciodq7R8OLciA8dqv
MD5:	978B9515D3688A43726604AC169DF379
SHA1:	D61293AB99332FC45CAE37D78AB17A5DA5BCD189
SHA-256:	CDEF3FB1CE312E4B67DC5F1B1F9FB551241C08564FDB26AFA4CBF448BB02EA65
SHA-512:	86146AA576129B73743B1EBC0BC60880FDA58A11498048B3C68284C4520F1ADC324D016696B0E995A51AC56966E0F38B0AF12458A986868701C6AAAA89C829CB
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	https://www.mozilla.org/privacy/firefox/.1696333827..https://www.mozilla.org/en-US/privacy/firefox/.1696333827..

C:\Users\user\AppData\Local\Temp\adobe3S903DOZntEK\information.txt

Download File

Process:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
File Type:	ASCII text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	5346
Entropy (8bit):	5.320945751433256
Encrypted:	false
SSDEEP:	96:xzZPBuRUoQcT4Aisph+9hcmz+GftHToANUbg3x:xyGoQvAtphWhcmz+GHB
MD5:	1223F1E6639681C771D2ACC0A1E3855C
SHA1:	BE2B113015854F03D5CFAE4504EED8BA53C83316
SHA-256:	08861592823B784CF1097B4C30AD16C3C9C006F5740820A91FD856277A9E0333
SHA-512:	CC75082B7D0F62D1CA07D9828975C449E4281AF6233572BCD607D79F811A55DCD054BBF66E651A29F4C79738B7B59EE215594A6D88AF80D35533BA51F3778BB0
Malicious:	false
Reputation:	low
Preview:	Build: default..Version: 1.7....Date: Fri Mar 29 09:52:18 2024.MachineID: 9e146be9-c76a-4720-bcdb-53011b87bd06..GUID: {a33c7340-61ca-11ee-8c18-806e6f6e6963}..HWID: c7fc9cec10a0ccc99d2aed642316ca86....Path: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe..Work Dir: C:\Users\user\AppData\Local\Temp\adobe3S903DOZntEK....IP: 102.165.48.43..Location: US, Washington..ZIP (Autofills): -..Windows: Windows 10 Pro [x64]..Computer Name: 506407 [WORKGROUP]..User Name: user..Display Resolution: 1280x1024..Display Language: en-CH..Keyboard Languages: English (United Kingdom) / English (United Kingdom)..Local Time: 29/3/2024 9:52:18..TimeZone: UTC1....[Hardware]..Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..CPU Count: 4..RAM: 8191 MB..VideoCard #0: Microsoft Basic Display Adapter....[Processes]..System [4]..Registry [92]..smss.exe [324]..csrss.exe [408]..wininit.exe [484]..csrss.exe [492]..winlogon.exe [552]..services.exe [620]..lsass.exe [628]..svchost.exe [752]..fontdrvhost.ex

C:\Users\user\AppData\Local\Temp\adobe3S903DOZntEK\passwords.txt

Download File

Process:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
File Type:	Unicode text, UTF-8 text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	4897
Entropy (8bit):	2.518316437186352
Encrypted:	false
SSDEEP:	48:4MMMMMMMMMMdMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMMMMdMMMMMMMM3:q
MD5:	B3E9D0E1B8207AA74CB8812BAAF52EAE
SHA1:	A2DCE0FB6B0BBC955A1E72EF3D87CADCC6E3CC6B
SHA-256:	4993311FC913771ACB526BB5EF73682EDA69CD31AC14D25502E7BDA578FFA37C
SHA-512:	B17ADF4AA80CADC581A09C72800DA22F62E5FB32953123F2C513D2E88753C430CC996E82AAE7190C8CB3340FCF2D9E0D759D99D909D2461369275FBE5C68C27A
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\adobe3S903DOZntEK\screenshot.png

Download File

Process:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
File Type:	PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	711390
Entropy (8bit):	7.926039821425995
Encrypted:	false
SSDEEP:	12288:Yr0TCybz8atmfvuws3ej+LjJP0EMr2NZ61X49kbf+Lef9NvLJ1Dvi:Yr0TCybzZmHuyiPJcEtZ619bBf9Nv3Da
MD5:	FC095005D226AFC7C9834E94BDF42A21
SHA1:	16CC433E86E00617D5B17593FC0C8DB0D89F3A2A
SHA-256:	BAE5B778D819BE2AF729DBF18483AC6F8F9ED9E85D0A0E01972C232D26BA6F08
SHA-512:	964280173F5085E841270A3F7A80447206D09D3949FE0C135A7E6492A7ECAC843CD06B6F1A62CC8043FC82CF72624FB28A8C7F92649B471066476B3398AF1699
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....]..s.U.zt......W.Ww.]U..._......69HBd.......1..0Y........&.@..9. .....0...........<..s..e..Xk.5.....l..s.].].F.-k....qnvlE......-..F.......6..:.vn.s.s^oD..H_F=.W/..=-}g.R?ku...A_.^.}..~......;.....S_]..f..S...O......S?qE[.N(......X....JG..p..]V.7B..<".~......{J.{/tE_F.....w.V.....w..!..\K...q}........\|.....t..O...aKJ.......hI.F.W./.J\..w..r..../=^.....\|).Wl...XK.?....G...-...#.....c.<Gc..1..}..k,...........<4.;o..\| ..^..}.00..!...@..SK....>....q1O0f..A...'#....s...q..........q..{.0.<...7.q...U...\|0.?0.q......}1>...w.)6..{..c.~1......(..X..{/....>....{.1......./L.9.b;.X..O^....'.1......Z....!..{-......0..3..1/Q...6q...}.osi.........P........g...}......`.....mm.;S...%.........?......~wj5Vl`....q.].J0....5.w...........8&'.....&.<b}..;..O.3.M.#.....7B.>..j...q.........5;.iq}l5....v.=.O..}b.....&........k....;..j..b.....s......bB..

C:\Users\user\AppData\Local\Temp\gC7STejDE3WmjzylxWa3QT6.zip

Download File

Process:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	699426
Entropy (8bit):	7.997663873659064
Encrypted:	true
SSDEEP:	12288:tyew37DsWKZ2pMzTYoO2kQJHM+RDZoBlWc9jFtL53UJjgfBG5FkT4:tyewrKLYoO2kYDZMlZX95AsZ+Fk8
MD5:	D43F959A9FB0C3623E71D9436F1DBEBD
SHA1:	296E7B8B86AB54598185C99656D15B2C9DCEC0CF
SHA-256:	8CBDA65FA1D7ECF05A2B0171DDC94D7E94FCDC0472607181A0210A6680E78753
SHA-512:	4590F8EA39A0E826BA5730C74958751E6C9253113F9DF3EEE62270517B92F319CB3D35A898CB9929BBC995ADA5291A5EFE75635463FA9973B5189675A0EDE5AA
Malicious:	true
Yara Hits:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: C:\Users\user\AppData\Local\Temp\gC7STejDE3WmjzylxWa3QT6.zip, Author: Joe Security
Preview:	PK.........N}X................Cookies\..PK.........N}XQn.+............Cookies\Chrome_Default.txt.G..r...U.#.5C.....s$..-.D...7.\..$.G.)o....:....Z.C.f_..pm............"..t..t....}.k.@...a.2+P`.0.x.>....s..k%.._..b..P..((......B.....`.7..-m..JY..F....E..l.....I..&.....<J..M.......,V...)b.....Q..k......M?.5L....h}......X..'.0..tB.G...\;.a....4.......B4.......J.4.6.y:....4.-.UfE...3Ap.U5UX....Z.g:e.j.C..Bw..........e..a^.vU:....$..U......B..`._.e.....+...9.{u...7.e...H.]02...%yR".0...x...P<..N....R.}....{.G...;..c..x...kw.'S>.d\|.....B..k.9.t.!>.rh...~n.[....s#/....`.!..Kb8%&.vZB`....O\|.....>K......L...d0..03..t...T&.......`N.xp.."..J.......Q.....c..5...).Z.91.6.j..G.....Wr...a.52!..(^.U.....6....dB.D.^...7..0H.\J9.H.$^`e"..d...\....B.8Z=.qeP.3Y.>..'W.X..T..>z...,..K......g....%B.w4#...;.[]u\|....v...3.;L..U?..b.....u....... .......F...P.a...\|R3.=......r.:.64...#D..^..>.A..ZT.]E........t...f...1..3.....`...X.....C.]%...p.p.ym

C:\Users\user\AppData\Local\Temp\heidi3S903DOZntEK\02zdBXl47cvzcookies.sqlite

Download File

Process:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\heidi3S903DOZntEK\3b6N2Xdh3CYwplaces.sqlite

Download File

Process:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.037963276276857943
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:	C0FDF21AE11A6D1FA1201D502614B622
SHA1:	11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:	FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:	A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\heidi3S903DOZntEK\5tU4KAXUt9OSHistory

Download File

Process:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	0.47147045728725767
Encrypted:	false
SSDEEP:	96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5:	A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:	BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:	B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512:	C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\heidi3S903DOZntEK\6wUviFtkLbmKHistory

Download File

Process:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	0.47147045728725767
Encrypted:	false
SSDEEP:	96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5:	A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:	BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:	B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512:	C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\heidi3S903DOZntEK\D87fZN3R3jFeplaces.sqlite

Download File

Process:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.037963276276857943
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:	C0FDF21AE11A6D1FA1201D502614B622
SHA1:	11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:	FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:	A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\heidi3S903DOZntEK\E7Z56Nq_1sMBWeb Data

Download File

Process:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\heidi3S903DOZntEK\K_00k_T5Oq4gLogin Data For Account

Download File

Process:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\heidi3S903DOZntEK\PJtnoOjdEp4lWeb Data

Download File

Process:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\heidi3S903DOZntEK\QJXLTeG3O9FPCookies

Download File

Process:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\heidi3S903DOZntEK\TEtREnT7JaI7Login Data

Download File

Process:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\heidi3S903DOZntEK\_yZ506nUxjW4Web Data

Download File

Process:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\heidi3S903DOZntEK\dQLVfhd8fARCWeb Data

Download File

Process:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\heidi3S903DOZntEK\hnCoccud199lHistory

Download File

Process:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.7873599747470391
Encrypted:	false
SSDEEP:	96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:	6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:	4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:	0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:	BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\heidi3S903DOZntEK\iESNtbPBNR52Login Data

Download File

Process:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\heidi3S903DOZntEK\jAjfxjmkXEluHistory

Download File

Process:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.7873599747470391
Encrypted:	false
SSDEEP:	96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:	6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:	4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:	0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:	BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\heidi3S903DOZntEK\jKXEuRSxIEMXWeb Data

Download File

Process:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\heidi3S903DOZntEK\jMRljO8o4ModWeb Data

Download File

Process:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	5.476356034801967
TrID:	Win64 Executable (generic) (12005/4) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	MXpl6HFisn.exe
File size:	21'056'512 bytes
MD5:	0aadbca2d0a26b8f90fd4f31cb7f2ffc
SHA1:	57246459c3890dfcd49fb792cc55a45e3bd6c48e
SHA256:	4bee7d558a5346bffa5cc2393b579bd8abbdd6beef0ede8e71aeae10dd5ff207
SHA512:	62d64664dc307c423bce2ef3be545026dfdc120598e42b22ab51a2f1c139be7d2c083e68d03605f8e85ceb764dc8e9b51f6d51f12ea4d67c33123cdf47d99ce3
SSDEEP:	98304:rFrNAOGfsjEhnR91LLdASLKR7jjYLgIXW86sfr9rmp4QJEf3v5EzlNTDLjDvIy0:3G0jEhnlLLdAdjjY84NAEf3vaBNHjc
TLSH:	9E274943E96544E8C0ADD534C5668262BB71BC488B3137D72BA0FB782F76BD0AE79710
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................$..l..HA................@..............................J......TA...`... ............................

File Icon


Icon Hash:	13459ab2b25a6517

Static PE Info

General

Entrypoint:	0x1400014c0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:	0x406c1520, 0x1, 0x406c14f0, 0x1, 0x406c4f90, 0x1
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	c595f1660e1a3c84f4d9b0761d23cd7a

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [013B3CD5h]
mov dword ptr [eax], 00000001h
call 00007F9E14FC56CFh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [013B3CB5h]
mov dword ptr [eax], 00000000h
call 00007F9E14FC56AFh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
dec eax
sub esp, 28h
call 00007F9E1569080Ch
dec eax
test eax, eax
sete al
movzx eax, al
neg eax
dec eax
add esp, 28h
ret
nop
nop
nop
nop
nop
nop
nop
dec eax
lea ecx, dword ptr [00000009h]
jmp 00007F9E14FC59E9h
nop dword ptr [eax+00h]
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
jmp dword ptr [eax]
inc edi
outsd
and byte ptr [edx+75h], ah
imul ebp, dword ptr [esp+20h], 203A4449h
and dh, byte ptr [esi]
xor byte ptr [eax+35h], cl
outsb
bound esi, dword ptr [edi]
outsb
arpl word ptr [esi], si
pop edi
pop ecx
push ecx
imul esi, dword ptr [esi], 49597369h
push 0000002Fh
dec eax
xor eax, 4E587041h
xor byte ptr [esi+51h], cl
insd
inc ebp
xor byte ptr [36723131h], dh
inc edi
dec ebx
das
jne 00007F9E14FC5A64h
dec edi
cmp byte ptr [ecx+76h], dl
cmp dword ptr [esi+35h], esi
pop ecx
xor eax, 00007237h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x1470000	0x4e	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1471000	0x1458	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1475000	0x12e98	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x13b6000	0x26928	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1488000	0x23f38	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x13b4b00	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1471494	0x458	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6cbac0	0x6cbc00	3a3601525da8761b1eb0a340212cf518	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x6cd000	0x6cdb0	0x6ce00	eb594568ff57faa673dd863ef95ee5e6	False	0.31138328788748565	dBase III DBT, version number 0, next free block index 10, 1st item "nkalti/backoff/v3\011v3.0.0\011h1:ske+9nBpD9qZsTBoF41nW5L+AIuFBKMeze18XQ3eG1c="	4.748732255503778	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x73a000	0xc7b930	0xc7ba00	f5aface59debe050022ea8cae52ab5c3	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.pdata	0x13b6000	0x26928	0x26a00	fe29e22ae8b4694fbb9f22ea59540cf7	False	0.40243856189320387	data	5.940748306238338	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.xdata	0x13dd000	0xc50	0xe00	c9bbd713e749d858e5a7e9e0e5621a62	False	0.25864955357142855	data	3.9997040298344486	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss	0x13de000	0x91520	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x1470000	0x4e	0x200	29b57eede7f054d66fa260227508fb6d	False	0.08984375	data	0.6553641017611729	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.idata	0x1471000	0x1458	0x1600	d956be78470099513c0824179955dfe7	False	0.29847301136363635	data	4.593096815007166	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x1473000	0x70	0x200	9e58f747daf2242773bf8094b32b8893	False	0.083984375	data	0.47677526113352753	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x1474000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x1475000	0x12e98	0x13000	6b00c9a39872e28f476499762ac7b572	False	0.4592542146381579	data	5.849528840289981	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x1488000	0x23f38	0x24000	186f17491d63553ae419bec122302f45	False	0.20198567708333334	data	5.452114043355917	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x1475370	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640			0.42338709677419356
RT_ICON	0x1475658	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192			0.5101351351351351
RT_ICON	0x1475780	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2688			0.40298507462686567
RT_ICON	0x1476628	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152			0.5464801444043321
RT_ICON	0x1476ed0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320			0.6047687861271677
RT_ICON	0x1477438	0x5c48	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced			0.9979258381307146
RT_ICON	0x147d080	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896			0.10640056683986773
RT_ICON	0x14812a8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600			0.20715767634854773
RT_ICON	0x1483850	0x1a68	Device independent bitmap graphic, 40 x 80 x 32, image size 6720			0.2334319526627219
RT_ICON	0x14852b8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224			0.19090056285178236
RT_ICON	0x1486360	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400			0.35327868852459016
RT_ICON	0x1486ce8	0x6b8	Device independent bitmap graphic, 20 x 40 x 32, image size 1680			0.39127906976744187
RT_ICON	0x14873a0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088			0.3342198581560284
RT_GROUP_ICON	0x1487808	0xbc	data			0.6702127659574468
RT_VERSION	0x14878c4	0x2a8	data	English	United States	0.47058823529411764
RT_MANIFEST	0x1487b6c	0x32c	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.4642857142857143

Imports

DLL

Import

KERNEL32.dll

AddAtomA, AddVectoredContinueHandler, AddVectoredExceptionHandler, CloseHandle, CreateEventA, CreateFileA, CreateIoCompletionPort, CreateMutexA, CreateSemaphoreA, CreateThread, CreateWaitableTimerExW, DeleteAtom, DeleteCriticalSection, DuplicateHandle, EnterCriticalSection, ExitProcess, FindAtomA, FormatMessageA, FreeEnvironmentStringsW, GetAtomNameA, GetConsoleMode, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetEnvironmentStringsW, GetErrorMode, GetHandleInformation, GetLastError, GetProcAddress, GetProcessAffinityMask, GetQueuedCompletionStatusEx, GetStartupInfoA, GetStdHandle, GetSystemDirectoryA, GetSystemInfo, GetSystemTimeAsFileTime, GetThreadContext, GetThreadPriority, GetTickCount, InitializeCriticalSection, IsDBCSLeadByteEx, IsDebuggerPresent, LeaveCriticalSection, LoadLibraryExW, LoadLibraryW, LocalFree, MultiByteToWideChar, OpenProcess, OutputDebugStringA, PostQueuedCompletionStatus, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseException, RaiseFailFastException, ReleaseMutex, ReleaseSemaphore, RemoveVectoredExceptionHandler, ResetEvent, ResumeThread, RtlLookupFunctionEntry, RtlVirtualUnwind, SetConsoleCtrlHandler, SetErrorMode, SetEvent, SetLastError, SetProcessAffinityMask, SetProcessPriorityBoost, SetThreadContext, SetThreadPriority, SetUnhandledExceptionFilter, SetWaitableTimer, Sleep, SuspendThread, SwitchToThread, TlsAlloc, TlsGetValue, TlsSetValue, TryEnterCriticalSection, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WerGetFlags, WerSetFlags, WideCharToMultiByte, WriteConsoleW, WriteFile, __C_specific_handler

msvcrt.dll

___lc_codepage_func, ___mb_cur_max_func, __getmainargs, __initenv, __iob_func, __lconv_init, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _beginthread, _beginthreadex, _cexit, _commode, _endthreadex, _errno, _fmode, _initterm, _lock, _memccpy, _onexit, _setjmp, _strdup, _ultoa, _unlock, abort, calloc, exit, fprintf, fputc, free, fwrite, localeconv, longjmp, malloc, memcpy, memmove, memset, printf, realloc, signal, strerror, strlen, strncmp, vfprintf, wcslen

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
03/29/24-09:52:15.811203	TCP	2046266	ET TROJAN [ANY.RUN] RisePro TCP (Token)	50500	49730	95.216.41.236	192.168.2.4
03/29/24-09:52:21.606984	TCP	2046269	ET TROJAN [ANY.RUN] RisePro TCP (Activity)	49730	50500	192.168.2.4	95.216.41.236
03/29/24-09:52:16.065250	TCP	2046267	ET TROJAN [ANY.RUN] RisePro TCP (External IP)	50500	49730	95.216.41.236	192.168.2.4
03/29/24-09:52:25.278346	TCP	2046266	ET TROJAN [ANY.RUN] RisePro TCP (Token)	50500	49739	95.216.41.236	192.168.2.4
03/29/24-09:52:33.605110	TCP	2046266	ET TROJAN [ANY.RUN] RisePro TCP (Token)	50500	49743	95.216.41.236	192.168.2.4
03/29/24-09:52:25.741725	TCP	2046266	ET TROJAN [ANY.RUN] RisePro TCP (Token)	50500	49740	95.216.41.236	192.168.2.4
03/29/24-09:52:15.776952	TCP	2049060	ET TROJAN RisePro TCP Heartbeat Packet	49730	50500	192.168.2.4	95.216.41.236
03/29/24-09:52:23.971378	TCP	2049660	ET TROJAN RisePro CnC Activity (Outbound)	50500	49730	95.216.41.236	192.168.2.4

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 29, 2024 09:52:15.403074026 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:15.607089043 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:15.607203960 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:15.776952028 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:15.811203003 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:15.861314058 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:15.980807066 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:15.980928898 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:16.065249920 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:16.110129118 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:16.225837946 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:16.240926027 CET	49732	443	192.168.2.4	34.117.186.192
Mar 29, 2024 09:52:16.240947962 CET	443	49732	34.117.186.192	192.168.2.4
Mar 29, 2024 09:52:16.241018057 CET	49732	443	192.168.2.4	34.117.186.192
Mar 29, 2024 09:52:16.243802071 CET	49732	443	192.168.2.4	34.117.186.192
Mar 29, 2024 09:52:16.243819952 CET	443	49732	34.117.186.192	192.168.2.4
Mar 29, 2024 09:52:16.514143944 CET	443	49732	34.117.186.192	192.168.2.4
Mar 29, 2024 09:52:16.514226913 CET	49732	443	192.168.2.4	34.117.186.192
Mar 29, 2024 09:52:16.516618967 CET	49732	443	192.168.2.4	34.117.186.192
Mar 29, 2024 09:52:16.516630888 CET	443	49732	34.117.186.192	192.168.2.4
Mar 29, 2024 09:52:16.516859055 CET	443	49732	34.117.186.192	192.168.2.4
Mar 29, 2024 09:52:16.559035063 CET	49732	443	192.168.2.4	34.117.186.192
Mar 29, 2024 09:52:16.559660912 CET	49732	443	192.168.2.4	34.117.186.192
Mar 29, 2024 09:52:16.604228020 CET	443	49732	34.117.186.192	192.168.2.4
Mar 29, 2024 09:52:16.793872118 CET	443	49732	34.117.186.192	192.168.2.4
Mar 29, 2024 09:52:16.793982029 CET	443	49732	34.117.186.192	192.168.2.4
Mar 29, 2024 09:52:16.794071913 CET	49732	443	192.168.2.4	34.117.186.192
Mar 29, 2024 09:52:16.801991940 CET	49732	443	192.168.2.4	34.117.186.192
Mar 29, 2024 09:52:16.802006960 CET	443	49732	34.117.186.192	192.168.2.4
Mar 29, 2024 09:52:16.802042961 CET	49732	443	192.168.2.4	34.117.186.192
Mar 29, 2024 09:52:16.802047968 CET	443	49732	34.117.186.192	192.168.2.4
Mar 29, 2024 09:52:16.907232046 CET	49734	443	192.168.2.4	104.26.5.15
Mar 29, 2024 09:52:16.907263994 CET	443	49734	104.26.5.15	192.168.2.4
Mar 29, 2024 09:52:16.907330990 CET	49734	443	192.168.2.4	104.26.5.15
Mar 29, 2024 09:52:16.907660007 CET	49734	443	192.168.2.4	104.26.5.15
Mar 29, 2024 09:52:16.907670021 CET	443	49734	104.26.5.15	192.168.2.4
Mar 29, 2024 09:52:17.110066891 CET	443	49734	104.26.5.15	192.168.2.4
Mar 29, 2024 09:52:17.110129118 CET	49734	443	192.168.2.4	104.26.5.15
Mar 29, 2024 09:52:17.111785889 CET	49734	443	192.168.2.4	104.26.5.15
Mar 29, 2024 09:52:17.111793995 CET	443	49734	104.26.5.15	192.168.2.4
Mar 29, 2024 09:52:17.112020016 CET	443	49734	104.26.5.15	192.168.2.4
Mar 29, 2024 09:52:17.113066912 CET	49734	443	192.168.2.4	104.26.5.15
Mar 29, 2024 09:52:17.156244993 CET	443	49734	104.26.5.15	192.168.2.4
Mar 29, 2024 09:52:17.381699085 CET	443	49734	104.26.5.15	192.168.2.4
Mar 29, 2024 09:52:17.381774902 CET	443	49734	104.26.5.15	192.168.2.4
Mar 29, 2024 09:52:17.381850004 CET	49734	443	192.168.2.4	104.26.5.15
Mar 29, 2024 09:52:17.381994963 CET	49734	443	192.168.2.4	104.26.5.15
Mar 29, 2024 09:52:17.382005930 CET	443	49734	104.26.5.15	192.168.2.4
Mar 29, 2024 09:52:17.382029057 CET	49734	443	192.168.2.4	104.26.5.15
Mar 29, 2024 09:52:17.382035017 CET	443	49734	104.26.5.15	192.168.2.4
Mar 29, 2024 09:52:17.382339954 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:17.590552092 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:17.595273972 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:17.804805994 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:17.811084032 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:18.023627043 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:18.044038057 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:18.252588987 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:18.267838955 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:18.476484060 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:18.517755985 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:19.900731087 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:19.906291962 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.110332966 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.110402107 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.110438108 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.110450983 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.110502005 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.110516071 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.110539913 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.110563993 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.110603094 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.150521994 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.150619984 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.314565897 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.314578056 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.314631939 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.314913988 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.314954996 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.315009117 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.315057039 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.315095901 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.315140009 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.315164089 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.315221071 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.315279007 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.315331936 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.315388918 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.315432072 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.315563917 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.315608025 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.354368925 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.354419947 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.518640041 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.518657923 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.518671036 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.518681049 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.518723011 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.518740892 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.518786907 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.518862009 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.519020081 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.519105911 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.519303083 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.519360065 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.519386053 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.519429922 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.519464016 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.519521952 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.519568920 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.519658089 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.519706011 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.519799948 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.519825935 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.519850969 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.519876957 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.558377981 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.558576107 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.723084927 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.723104954 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.723169088 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.723201036 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.723241091 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.723278046 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.723325014 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.723328114 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.723449945 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.723500013 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.723709106 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.723763943 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.723764896 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.723892927 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.723953962 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.723998070 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.724083900 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.724128962 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.724255085 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.724306107 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.724505901 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.724534035 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.724551916 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.724577904 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.724664927 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.724775076 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.724889994 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.724939108 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.724968910 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.725012064 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.725054026 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.725117922 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.725159883 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.725203991 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.725235939 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.725307941 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.725434065 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.725476980 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.725548029 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.725564003 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.725610971 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.725687981 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.725733995 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.725923061 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.725985050 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.726003885 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.726073027 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.726083040 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.726121902 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.726351976 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.726392984 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.726418018 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.726449966 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.726480961 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.726496935 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.726614952 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.726672888 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.726763964 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.726809978 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.726860046 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.726949930 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.727037907 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.727088928 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.727358103 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.727399111 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.727411032 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.727437973 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.762423038 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.762475014 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.762481928 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.762525082 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.762654066 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.762722015 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.762782097 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.762991905 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.927229881 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.927247047 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.927265882 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.927284002 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.927300930 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.927320957 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.927366018 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.927385092 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.927421093 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.927483082 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.927500010 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.927546978 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.927759886 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.927802086 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.927825928 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.927892923 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.928040028 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.928098917 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.928121090 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.928209066 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.928232908 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.928250074 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.928343058 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.928378105 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.928389072 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.928412914 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.928438902 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.928462982 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.928538084 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.928601980 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.928625107 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.928659916 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.928682089 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.928735971 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.928806067 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.928827047 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.928874016 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.928930044 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.928965092 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.929019928 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.929039955 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.929054976 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.929162025 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.929189920 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.929208040 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.929233074 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.929286003 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.929347038 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.929374933 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.929450989 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.929462910 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.929511070 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.929569006 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.929640055 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.929698944 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.929708958 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.929764032 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.929832935 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.929850101 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.929883957 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.929902077 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.929922104 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.929991961 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.930012941 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.930085897 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.930134058 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.930167913 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.930179119 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.930227995 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.930275917 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.930330038 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.930383921 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.930447102 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.930454969 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.930509090 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.930557966 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:20.930597067 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.930682898 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.930841923 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.931168079 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.931253910 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.931269884 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.931339025 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.931410074 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.931484938 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.931579113 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.966511011 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.966597080 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.966707945 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.966933966 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.966985941 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.967363119 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.967411041 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:20.967458010 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.131603956 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.131622076 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.131639004 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.131697893 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.131776094 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.131921053 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.131979942 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.131994009 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.132188082 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.132323980 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.132427931 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.132529974 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.132582903 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.132664919 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.132742882 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.132817030 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.132880926 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.132972956 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.133024931 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.133137941 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.133235931 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.133306026 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.133430004 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.133512974 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.133554935 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.133650064 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.133758068 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.133816004 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.133856058 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.134016037 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.134032965 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.134103060 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.134186983 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.134306908 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.134385109 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.134483099 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.134582996 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.134697914 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.134746075 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.134768963 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.134902000 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.134952068 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.135020018 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.135245085 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.135327101 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.135390997 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.135441065 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.135550022 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.135643005 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.135776043 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.135853052 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.135931015 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.136034012 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.136096954 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.136195898 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.136250973 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.136382103 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.136588097 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.136640072 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.136907101 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.137068033 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.137181044 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.137193918 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.137345076 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.137568951 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.137600899 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.137689114 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.137856960 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.137934923 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.138005018 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.138092041 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.138175964 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.138254881 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.138329983 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.138421059 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.138477087 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.138580084 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.138670921 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.138870001 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.138881922 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.138906956 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.139034033 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.139081001 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.139112949 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:21.139195919 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.139213085 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.343008041 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.343024015 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:21.606983900 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:21.851656914 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:23.959110975 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:23.971378088 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:23.971400023 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:23.971426010 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:23.971467018 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:23.971518040 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:23.971555948 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:23.971563101 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:23.971630096 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:23.971666098 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:23.971674919 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:23.971712112 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:23.971750021 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:23.971762896 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:23.971798897 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:23.971801043 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:23.971827984 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:23.971919060 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.176160097 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.176183939 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.176235914 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.176256895 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.176326036 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.176368952 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.176383972 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.176434040 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.176476955 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.176517010 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.176598072 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.176652908 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.176656008 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.176676989 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.176718950 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.176981926 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.177026033 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.177062988 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.177071095 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.177151918 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.177174091 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.177191973 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.177249908 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.177289963 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.177303076 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.177437067 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.177481890 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.177511930 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.177545071 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.177584887 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.177648067 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.177696943 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.177737951 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.380006075 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.380022049 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.380033016 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.380043983 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.380058050 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.380086899 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.380095959 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.380110025 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.380145073 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.380157948 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.380158901 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.380192041 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.380192995 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.380501032 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.380513906 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.380527020 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.380553961 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.380562067 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.380564928 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.380573988 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.380605936 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.380610943 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.380636930 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.380650043 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.380676031 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.380706072 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.380711079 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.380733967 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.380748034 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.380779982 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.380806923 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.380827904 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.380867958 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.380877018 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.380888939 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.380925894 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.380939007 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.380944967 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.380953074 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.380973101 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.381016970 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.381072044 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.381079912 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.381118059 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.381130934 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.381165028 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.381165028 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.381174088 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.381186008 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.381197929 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.381211042 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.381222010 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.381238937 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.381309986 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.381347895 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.381362915 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.381398916 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.381510019 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.381705999 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.381747961 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.381817102 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.381865978 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.381879091 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.381911993 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.381911993 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.583936930 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.584372044 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.584412098 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.584427118 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.584431887 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.584438086 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.584461927 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.584491968 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.584503889 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.584513903 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.584525108 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.584533930 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.584574938 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.584583998 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.584585905 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.584610939 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.584634066 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.584692955 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.584741116 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.584769964 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.584800959 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.584822893 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.584846020 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.584857941 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.584886074 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.584938049 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.585001945 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.585014105 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.585043907 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.585088015 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.585088968 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.585156918 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.585213900 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.585258007 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.585273981 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.585305929 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.585342884 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.585376978 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.585413933 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.585417986 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.585472107 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.585514069 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.585561037 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.585562944 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.585621119 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.585668087 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.585669994 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.585712910 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.585721970 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.585763931 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.585803986 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.585834026 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.585877895 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.585925102 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.585928917 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.585985899 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.586029053 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.586076975 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.586077929 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.586142063 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.586189032 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.586189985 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.586237907 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.586250067 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.586287975 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.586338997 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.586342096 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.586410046 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.586431980 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.586474895 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.586488008 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.586498976 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.586509943 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.586541891 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.586541891 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.586555004 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.586566925 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.586602926 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.586647987 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.586658001 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.586668015 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.586679935 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.586707115 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.586734056 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.586743116 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.586755037 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.586764097 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.586795092 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.586846113 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.586858988 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.586869001 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.586879969 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.586889982 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.586890936 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.586900949 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.586920977 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.586930990 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.586930990 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.586937904 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.586962938 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.586966991 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.586990118 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.587001085 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.587033033 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.587050915 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.587050915 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.587055922 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.587084055 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.587097883 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.587110043 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.587142944 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.587142944 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.587156057 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.587198973 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.587204933 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.587218046 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.587239027 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.587249994 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.587260008 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.587260008 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.587297916 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.587304115 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.587344885 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.587348938 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.587389946 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.587400913 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.587429047 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.587447882 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.587486982 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.587495089 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.587502956 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.587657928 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.788114071 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.788131952 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.788144112 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.788198948 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.788212061 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.788228989 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.788240910 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.788244009 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.788253069 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.788280010 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.788280964 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.788301945 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.788309097 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.788413048 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.788425922 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.788436890 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.788450956 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.788460970 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.788472891 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.788475990 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.788475990 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.788491011 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.788512945 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.788532972 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.788544893 CET	50500	49730	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:24.788558006 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.788598061 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:24.870301962 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:25.074090958 CET	50500	49739	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:25.074197054 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:25.278346062 CET	50500	49739	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:25.279201984 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:25.324819088 CET	49740	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:25.483218908 CET	50500	49739	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:25.483356953 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:25.533127069 CET	50500	49740	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:25.533267021 CET	49740	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:25.555130959 CET	49740	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:25.727751017 CET	50500	49739	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:25.741724968 CET	50500	49740	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:25.763021946 CET	50500	49740	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:25.763155937 CET	49740	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:25.861428022 CET	49740	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:25.971051931 CET	50500	49740	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:26.017575026 CET	49740	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:26.110364914 CET	50500	49740	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:26.230674982 CET	49741	443	192.168.2.4	34.117.186.192
Mar 29, 2024 09:52:26.230705023 CET	443	49741	34.117.186.192	192.168.2.4
Mar 29, 2024 09:52:26.230884075 CET	49741	443	192.168.2.4	34.117.186.192
Mar 29, 2024 09:52:26.231795073 CET	49741	443	192.168.2.4	34.117.186.192
Mar 29, 2024 09:52:26.231806040 CET	443	49741	34.117.186.192	192.168.2.4
Mar 29, 2024 09:52:26.499058008 CET	443	49741	34.117.186.192	192.168.2.4
Mar 29, 2024 09:52:26.499154091 CET	49741	443	192.168.2.4	34.117.186.192
Mar 29, 2024 09:52:26.524405956 CET	49741	443	192.168.2.4	34.117.186.192
Mar 29, 2024 09:52:26.524420023 CET	443	49741	34.117.186.192	192.168.2.4
Mar 29, 2024 09:52:26.524610043 CET	443	49741	34.117.186.192	192.168.2.4
Mar 29, 2024 09:52:26.575359106 CET	49741	443	192.168.2.4	34.117.186.192
Mar 29, 2024 09:52:26.620240927 CET	443	49741	34.117.186.192	192.168.2.4
Mar 29, 2024 09:52:26.783081055 CET	443	49741	34.117.186.192	192.168.2.4
Mar 29, 2024 09:52:26.783188105 CET	443	49741	34.117.186.192	192.168.2.4
Mar 29, 2024 09:52:26.783312082 CET	49741	443	192.168.2.4	34.117.186.192
Mar 29, 2024 09:52:26.783554077 CET	49741	443	192.168.2.4	34.117.186.192
Mar 29, 2024 09:52:26.783567905 CET	443	49741	34.117.186.192	192.168.2.4
Mar 29, 2024 09:52:26.783585072 CET	49741	443	192.168.2.4	34.117.186.192
Mar 29, 2024 09:52:26.783590078 CET	443	49741	34.117.186.192	192.168.2.4
Mar 29, 2024 09:52:26.784960985 CET	49742	443	192.168.2.4	104.26.5.15
Mar 29, 2024 09:52:26.784992933 CET	443	49742	104.26.5.15	192.168.2.4
Mar 29, 2024 09:52:26.785063982 CET	49742	443	192.168.2.4	104.26.5.15
Mar 29, 2024 09:52:26.785335064 CET	49742	443	192.168.2.4	104.26.5.15
Mar 29, 2024 09:52:26.785346031 CET	443	49742	104.26.5.15	192.168.2.4
Mar 29, 2024 09:52:26.983164072 CET	443	49742	104.26.5.15	192.168.2.4
Mar 29, 2024 09:52:26.983270884 CET	49742	443	192.168.2.4	104.26.5.15
Mar 29, 2024 09:52:26.984348059 CET	49742	443	192.168.2.4	104.26.5.15
Mar 29, 2024 09:52:26.984354019 CET	443	49742	104.26.5.15	192.168.2.4
Mar 29, 2024 09:52:26.984560013 CET	443	49742	104.26.5.15	192.168.2.4
Mar 29, 2024 09:52:26.985836029 CET	49742	443	192.168.2.4	104.26.5.15
Mar 29, 2024 09:52:27.028234959 CET	443	49742	104.26.5.15	192.168.2.4
Mar 29, 2024 09:52:27.259219885 CET	443	49742	104.26.5.15	192.168.2.4
Mar 29, 2024 09:52:27.259305954 CET	443	49742	104.26.5.15	192.168.2.4
Mar 29, 2024 09:52:27.259404898 CET	49742	443	192.168.2.4	104.26.5.15
Mar 29, 2024 09:52:27.259758949 CET	49742	443	192.168.2.4	104.26.5.15
Mar 29, 2024 09:52:27.259773970 CET	443	49742	104.26.5.15	192.168.2.4
Mar 29, 2024 09:52:27.259790897 CET	49742	443	192.168.2.4	104.26.5.15
Mar 29, 2024 09:52:27.259794950 CET	443	49742	104.26.5.15	192.168.2.4
Mar 29, 2024 09:52:27.260297060 CET	49740	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:27.474915028 CET	50500	49740	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:27.486480951 CET	49740	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:27.699157000 CET	50500	49740	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:27.705178976 CET	49740	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:27.861443043 CET	49730	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:27.918617010 CET	50500	49740	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:27.924113989 CET	49740	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:28.137654066 CET	50500	49740	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:28.142750025 CET	49740	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:28.356585026 CET	50500	49740	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:28.408198118 CET	49740	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:28.533381939 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:28.579868078 CET	49740	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:28.744523048 CET	50500	49739	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:28.798820972 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:33.185117006 CET	49743	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:33.395116091 CET	50500	49743	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:33.395231009 CET	49743	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:33.414874077 CET	49743	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:33.605109930 CET	50500	49743	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:33.624623060 CET	50500	49743	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:33.624780893 CET	49743	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:33.721302986 CET	49743	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:33.834753990 CET	50500	49743	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:33.877491951 CET	49743	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:33.972068071 CET	50500	49743	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:34.089683056 CET	49744	443	192.168.2.4	34.117.186.192
Mar 29, 2024 09:52:34.089714050 CET	443	49744	34.117.186.192	192.168.2.4
Mar 29, 2024 09:52:34.089843988 CET	49744	443	192.168.2.4	34.117.186.192
Mar 29, 2024 09:52:34.090833902 CET	49744	443	192.168.2.4	34.117.186.192
Mar 29, 2024 09:52:34.090850115 CET	443	49744	34.117.186.192	192.168.2.4
Mar 29, 2024 09:52:34.357686996 CET	443	49744	34.117.186.192	192.168.2.4
Mar 29, 2024 09:52:34.357769966 CET	49744	443	192.168.2.4	34.117.186.192
Mar 29, 2024 09:52:34.358900070 CET	49744	443	192.168.2.4	34.117.186.192
Mar 29, 2024 09:52:34.358911037 CET	443	49744	34.117.186.192	192.168.2.4
Mar 29, 2024 09:52:34.359144926 CET	443	49744	34.117.186.192	192.168.2.4
Mar 29, 2024 09:52:34.400988102 CET	49744	443	192.168.2.4	34.117.186.192
Mar 29, 2024 09:52:34.448236942 CET	443	49744	34.117.186.192	192.168.2.4
Mar 29, 2024 09:52:34.691363096 CET	443	49744	34.117.186.192	192.168.2.4
Mar 29, 2024 09:52:34.691472054 CET	443	49744	34.117.186.192	192.168.2.4
Mar 29, 2024 09:52:34.691523075 CET	49744	443	192.168.2.4	34.117.186.192
Mar 29, 2024 09:52:34.691951990 CET	49744	443	192.168.2.4	34.117.186.192
Mar 29, 2024 09:52:34.691967010 CET	443	49744	34.117.186.192	192.168.2.4
Mar 29, 2024 09:52:34.691977978 CET	49744	443	192.168.2.4	34.117.186.192
Mar 29, 2024 09:52:34.691986084 CET	443	49744	34.117.186.192	192.168.2.4
Mar 29, 2024 09:52:34.693756104 CET	49745	443	192.168.2.4	104.26.5.15
Mar 29, 2024 09:52:34.693784952 CET	443	49745	104.26.5.15	192.168.2.4
Mar 29, 2024 09:52:34.693844080 CET	49745	443	192.168.2.4	104.26.5.15
Mar 29, 2024 09:52:34.694108009 CET	49745	443	192.168.2.4	104.26.5.15
Mar 29, 2024 09:52:34.694125891 CET	443	49745	104.26.5.15	192.168.2.4
Mar 29, 2024 09:52:34.891283035 CET	443	49745	104.26.5.15	192.168.2.4
Mar 29, 2024 09:52:34.891382933 CET	49745	443	192.168.2.4	104.26.5.15
Mar 29, 2024 09:52:34.892350912 CET	49745	443	192.168.2.4	104.26.5.15
Mar 29, 2024 09:52:34.892358065 CET	443	49745	104.26.5.15	192.168.2.4
Mar 29, 2024 09:52:34.892577887 CET	443	49745	104.26.5.15	192.168.2.4
Mar 29, 2024 09:52:34.893893957 CET	49745	443	192.168.2.4	104.26.5.15
Mar 29, 2024 09:52:34.940238953 CET	443	49745	104.26.5.15	192.168.2.4
Mar 29, 2024 09:52:35.155411959 CET	443	49745	104.26.5.15	192.168.2.4
Mar 29, 2024 09:52:35.155486107 CET	443	49745	104.26.5.15	192.168.2.4
Mar 29, 2024 09:52:35.155531883 CET	49745	443	192.168.2.4	104.26.5.15
Mar 29, 2024 09:52:35.155734062 CET	49745	443	192.168.2.4	104.26.5.15
Mar 29, 2024 09:52:35.155741930 CET	443	49745	104.26.5.15	192.168.2.4
Mar 29, 2024 09:52:35.155775070 CET	49745	443	192.168.2.4	104.26.5.15
Mar 29, 2024 09:52:35.155780077 CET	443	49745	104.26.5.15	192.168.2.4
Mar 29, 2024 09:52:35.156440020 CET	49743	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:35.371289968 CET	50500	49743	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:35.377690077 CET	49743	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:35.592302084 CET	50500	49743	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:35.596426010 CET	49743	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:35.811886072 CET	50500	49743	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:35.815062046 CET	49743	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:36.029678106 CET	50500	49743	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:36.040684938 CET	49743	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:36.256264925 CET	50500	49743	95.216.41.236	192.168.2.4
Mar 29, 2024 09:52:36.299329996 CET	49743	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:36.497826099 CET	49743	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:59.785238981 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:52:59.996463060 CET	50500	49739	95.216.41.236	192.168.2.4
Mar 29, 2024 09:53:00.049362898 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:53:15.252811909 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:53:15.462970972 CET	50500	49739	95.216.41.236	192.168.2.4
Mar 29, 2024 09:53:15.518178940 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:53:21.549491882 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:53:21.761274099 CET	50500	49739	95.216.41.236	192.168.2.4
Mar 29, 2024 09:53:21.814986944 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:53:25.025491953 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:53:25.238485098 CET	50500	49739	95.216.41.236	192.168.2.4
Mar 29, 2024 09:53:25.283745050 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:53:28.283864975 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:53:28.495157957 CET	50500	49739	95.216.41.236	192.168.2.4
Mar 29, 2024 09:53:28.549364090 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:53:31.549534082 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:53:31.761509895 CET	50500	49739	95.216.41.236	192.168.2.4
Mar 29, 2024 09:53:31.814963102 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:53:34.815105915 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:53:35.026787043 CET	50500	49739	95.216.41.236	192.168.2.4
Mar 29, 2024 09:53:35.080615997 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:53:38.080696106 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:53:38.292431116 CET	50500	49739	95.216.41.236	192.168.2.4
Mar 29, 2024 09:53:38.346312046 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:53:41.346355915 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:53:41.560314894 CET	50500	49739	95.216.41.236	192.168.2.4
Mar 29, 2024 09:53:41.658716917 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:53:44.830986977 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:53:45.043648958 CET	50500	49739	95.216.41.236	192.168.2.4
Mar 29, 2024 09:53:45.143245935 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:53:48.080950022 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:53:48.291970015 CET	50500	49739	95.216.41.236	192.168.2.4
Mar 29, 2024 09:53:48.455594063 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:53:51.330846071 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:53:51.541327000 CET	50500	49739	95.216.41.236	192.168.2.4
Mar 29, 2024 09:53:51.658720970 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:53:54.580775976 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:53:54.792592049 CET	50500	49739	95.216.41.236	192.168.2.4
Mar 29, 2024 09:53:54.846220970 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:53:55.280529022 CET	50500	49739	95.216.41.236	192.168.2.4
Mar 29, 2024 09:53:55.280685902 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:53:55.525907993 CET	50500	49739	95.216.41.236	192.168.2.4
Mar 29, 2024 09:53:58.315921068 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:53:58.527532101 CET	50500	49739	95.216.41.236	192.168.2.4
Mar 29, 2024 09:53:58.658725023 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:54:01.580230951 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:54:01.792102098 CET	50500	49739	95.216.41.236	192.168.2.4
Mar 29, 2024 09:54:01.961574078 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:54:04.910082102 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:54:05.121825933 CET	50500	49739	95.216.41.236	192.168.2.4
Mar 29, 2024 09:54:05.349014044 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:54:08.174408913 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:54:08.385802984 CET	50500	49739	95.216.41.236	192.168.2.4
Mar 29, 2024 09:54:08.455595970 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:54:11.424418926 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:54:11.635817051 CET	50500	49739	95.216.41.236	192.168.2.4
Mar 29, 2024 09:54:11.846220016 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:54:14.676002979 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:54:14.886895895 CET	50500	49739	95.216.41.236	192.168.2.4
Mar 29, 2024 09:54:14.955600023 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:54:17.928812027 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:54:18.140894890 CET	50500	49739	95.216.41.236	192.168.2.4
Mar 29, 2024 09:54:18.252485991 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:54:22.127553940 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:54:22.339287996 CET	50500	49739	95.216.41.236	192.168.2.4
Mar 29, 2024 09:54:22.455715895 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:54:25.393405914 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:54:25.604224920 CET	50500	49739	95.216.41.236	192.168.2.4
Mar 29, 2024 09:54:25.752573013 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:54:28.645076990 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:54:28.856411934 CET	50500	49739	95.216.41.236	192.168.2.4
Mar 29, 2024 09:54:28.955595970 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:54:31.895070076 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:54:32.106734991 CET	50500	49739	95.216.41.236	192.168.2.4
Mar 29, 2024 09:54:32.252492905 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:54:35.164869070 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:54:35.376229048 CET	50500	49739	95.216.41.236	192.168.2.4
Mar 29, 2024 09:54:35.455610991 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:54:38.652957916 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:54:38.863168955 CET	50500	49739	95.216.41.236	192.168.2.4
Mar 29, 2024 09:54:38.955614090 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:54:42.143204927 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:54:42.354347944 CET	50500	49739	95.216.41.236	192.168.2.4
Mar 29, 2024 09:54:42.455598116 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:54:45.393176079 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:54:45.604057074 CET	50500	49739	95.216.41.236	192.168.2.4
Mar 29, 2024 09:54:45.661122084 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:54:48.644686937 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:54:48.855670929 CET	50500	49739	95.216.41.236	192.168.2.4
Mar 29, 2024 09:54:49.050008059 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:54:51.893184900 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:54:52.105062962 CET	50500	49739	95.216.41.236	192.168.2.4
Mar 29, 2024 09:54:52.158720016 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:54:55.143279076 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:54:55.354548931 CET	50500	49739	95.216.41.236	192.168.2.4
Mar 29, 2024 09:54:55.455647945 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:54:58.409810066 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:54:58.619815111 CET	50500	49739	95.216.41.236	192.168.2.4
Mar 29, 2024 09:54:58.846257925 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:55:01.662570953 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:55:01.872827053 CET	50500	49739	95.216.41.236	192.168.2.4
Mar 29, 2024 09:55:01.955588102 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:55:04.908973932 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:55:05.119431019 CET	50500	49739	95.216.41.236	192.168.2.4
Mar 29, 2024 09:55:05.346225023 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:55:08.177366972 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:55:08.388556004 CET	50500	49739	95.216.41.236	192.168.2.4
Mar 29, 2024 09:55:08.456573963 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:55:11.440179110 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:55:11.650518894 CET	50500	49739	95.216.41.236	192.168.2.4
Mar 29, 2024 09:55:11.752479076 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:55:14.707612038 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:55:14.919862986 CET	50500	49739	95.216.41.236	192.168.2.4
Mar 29, 2024 09:55:15.174442053 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:55:18.587019920 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:55:18.797868013 CET	50500	49739	95.216.41.236	192.168.2.4
Mar 29, 2024 09:55:18.861855030 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:55:21.846363068 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:55:22.057012081 CET	50500	49739	95.216.41.236	192.168.2.4
Mar 29, 2024 09:55:22.158718109 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:55:25.117132902 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:55:25.281995058 CET	50500	49739	95.216.41.236	192.168.2.4
Mar 29, 2024 09:55:25.346282005 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:55:25.363209963 CET	50500	49739	95.216.41.236	192.168.2.4
Mar 29, 2024 09:55:25.363449097 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:55:25.551270008 CET	50500	49739	95.216.41.236	192.168.2.4
Mar 29, 2024 09:55:25.607762098 CET	50500	49739	95.216.41.236	192.168.2.4
Mar 29, 2024 09:55:25.658729076 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:55:28.580676079 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:55:28.792134047 CET	50500	49739	95.216.41.236	192.168.2.4
Mar 29, 2024 09:55:28.846230984 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:55:31.849064112 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:55:32.060343981 CET	50500	49739	95.216.41.236	192.168.2.4
Mar 29, 2024 09:55:32.158736944 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:55:35.137706995 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:55:35.347902060 CET	50500	49739	95.216.41.236	192.168.2.4
Mar 29, 2024 09:55:35.455600977 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:55:38.471355915 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:55:38.682786942 CET	50500	49739	95.216.41.236	192.168.2.4
Mar 29, 2024 09:55:38.846239090 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:55:41.721306086 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:55:41.932992935 CET	50500	49739	95.216.41.236	192.168.2.4
Mar 29, 2024 09:55:42.158726931 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:55:44.987236023 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:55:45.198513031 CET	50500	49739	95.216.41.236	192.168.2.4
Mar 29, 2024 09:55:45.346230030 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:55:48.236948967 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:55:48.448401928 CET	50500	49739	95.216.41.236	192.168.2.4
Mar 29, 2024 09:55:48.658751011 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:55:51.490940094 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:55:51.701431990 CET	50500	49739	95.216.41.236	192.168.2.4
Mar 29, 2024 09:55:51.861891031 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:55:54.783850908 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:55:54.995332956 CET	50500	49739	95.216.41.236	192.168.2.4
Mar 29, 2024 09:55:55.151170969 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:55:58.050062895 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:55:58.262820959 CET	50500	49739	95.216.41.236	192.168.2.4
Mar 29, 2024 09:55:58.455607891 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:56:01.301414967 CET	49739	50500	192.168.2.4	95.216.41.236
Mar 29, 2024 09:56:01.513436079 CET	50500	49739	95.216.41.236	192.168.2.4
Mar 29, 2024 09:56:01.643199921 CET	49739	50500	192.168.2.4	95.216.41.236

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 29, 2024 09:52:16.139003992 CET	51947	53	192.168.2.4	1.1.1.1
Mar 29, 2024 09:52:16.234750986 CET	53	51947	1.1.1.1	192.168.2.4
Mar 29, 2024 09:52:16.809196949 CET	64801	53	192.168.2.4	1.1.1.1
Mar 29, 2024 09:52:16.906254053 CET	53	64801	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 29, 2024 09:52:16.139003992 CET	192.168.2.4	1.1.1.1	0xb79a	Standard query (0)	ipinfo.io	A (IP address)	IN (0x0001)	false
Mar 29, 2024 09:52:16.809196949 CET	192.168.2.4	1.1.1.1	0x498b	Standard query (0)	db-ip.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Mar 29, 2024 09:52:16.234750986 CET	1.1.1.1	192.168.2.4	0xb79a	No error (0)	ipinfo.io	34.117.186.192	A (IP address)	IN (0x0001)	false
Mar 29, 2024 09:52:16.906254053 CET	1.1.1.1	192.168.2.4	0x498b	No error (0)	db-ip.com	104.26.5.15	A (IP address)	IN (0x0001)	false
Mar 29, 2024 09:52:16.906254053 CET	1.1.1.1	192.168.2.4	0x498b	No error (0)	db-ip.com	172.67.75.166	A (IP address)	IN (0x0001)	false
Mar 29, 2024 09:52:16.906254053 CET	1.1.1.1	192.168.2.4	0x498b	No error (0)	db-ip.com	104.26.4.15	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

https:

ipinfo.io

db-ip.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49732	34.117.186.192	443	2004	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-03-29 08:52:16 UTC	238	OUT	GET /widget/demo/102.165.48.43 HTTP/1.1 Connection: Keep-Alive Referer: https://ipinfo.io/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: ipinfo.io
2024-03-29 08:52:16 UTC	514	IN	HTTP/1.1 200 OK server: nginx/1.24.0 date: Fri, 29 Mar 2024 08:52:16 GMT content-type: application/json; charset=utf-8 Content-Length: 1021 access-control-allow-origin: * x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff referrer-policy: strict-origin-when-cross-origin x-envoy-upstream-service-time: 2 via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-03-29 08:52:16 UTC	738	IN	Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 31 30 32 2e 31 36 35 2e 34 38 2e 34 33 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 31 30 32 2e 31 36 35 2e 34 38 2e 34 33 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 57 61 73 68 69 6e 67 74 6f 6e 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 57 61 73 68 69 6e 67 74 6f 6e 2c 20 44 2e 43 2e 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 33 38 2e 38 39 35 31 2c 2d 37 37 2e 30 33 36 34 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 31 37 34 20 43 6f 67 65 6e 74 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 22 2c 0a 20 20 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 32 30 30 30 34 22 2c 0a 20 20 20 20 22 74 69 6d 65 Data Ascii: { "input": "102.165.48.43", "data": { "ip": "102.165.48.43", "city": "Washington", "region": "Washington, D.C.", "country": "US", "loc": "38.8951,-77.0364", "org": "AS174 Cogent Communications", "postal": "20004", "time
2024-03-29 08:52:16 UTC	283	IN	Data Raw: 22 3a 20 7b 0a 20 20 20 20 20 20 22 61 64 64 72 65 73 73 22 3a 20 22 47 72 6f 75 6e 64 20 46 6c 6f 6f 72 2c 20 34 20 56 69 63 74 6f 72 69 61 20 53 71 75 61 72 65 2c 20 53 74 20 41 6c 62 61 6e 73 2c 20 48 65 72 74 66 6f 72 64 73 68 69 72 65 2c 20 4c 6f 6e 64 6f 6e 2c 20 55 6e 69 74 65 64 20 4b 69 6e 67 64 6f 6d 22 2c 0a 20 20 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 47 42 22 2c 0a 20 20 20 20 20 20 22 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 69 70 78 6f 2e 63 6f 6d 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 45 64 76 69 6e 61 73 20 52 61 63 6b 61 75 73 6b 61 73 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 31 30 32 2e 31 36 35 2e 30 2e 30 2f 31 38 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 74 65 6c 3a 2b Data Ascii: ": { "address": "Ground Floor, 4 Victoria Square, St Albans, Hertfordshire, London, United Kingdom", "country": "GB", "email": "abuse@ipxo.com", "name": "Edvinas Rackauskas", "network": "102.165.0.0/18", "phone": "tel:+

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49734	104.26.5.15	443	2004	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-03-29 08:52:17 UTC	262	OUT	GET /demo/home.php?s=102.165.48.43 HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: db-ip.com
2024-03-29 08:52:17 UTC	650	IN	HTTP/1.1 200 OK Date: Fri, 29 Mar 2024 08:52:17 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close x-iplb-request-id: AC462770:7E7A_93878F2E:0050_66068141_5D18FA2:4F34 x-iplb-instance: 59215 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OuWNM3tE9REjuZiYqAR6K89tQaI4w0RPwI7rgPElehYjnPz35vmhAwTzieGN%2Bc3AJ7FS2F9yuJBpWQVm0bDENcKVI8CaoVD8s22m1LBSZBzvQA5gcqaRxEyHOw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 86be9f780ddf07f5-IAD alt-svc: h3=":443"; ma=86400
2024-03-29 08:52:17 UTC	85	IN	Data Raw: 34 66 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 65 72 72 6f 72 22 3a 22 6f 76 65 72 20 71 75 65 72 79 20 6c 69 6d 69 74 2c 20 70 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 22 7d 7d 0d 0a Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
2024-03-29 08:52:17 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49741	34.117.186.192	443	6884	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-03-29 08:52:26 UTC	238	OUT	GET /widget/demo/102.165.48.43 HTTP/1.1 Connection: Keep-Alive Referer: https://ipinfo.io/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: ipinfo.io
2024-03-29 08:52:26 UTC	514	IN	HTTP/1.1 200 OK server: nginx/1.24.0 date: Fri, 29 Mar 2024 08:52:26 GMT content-type: application/json; charset=utf-8 Content-Length: 1021 access-control-allow-origin: * x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff referrer-policy: strict-origin-when-cross-origin x-envoy-upstream-service-time: 2 via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-03-29 08:52:26 UTC	738	IN	Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 31 30 32 2e 31 36 35 2e 34 38 2e 34 33 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 31 30 32 2e 31 36 35 2e 34 38 2e 34 33 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 57 61 73 68 69 6e 67 74 6f 6e 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 57 61 73 68 69 6e 67 74 6f 6e 2c 20 44 2e 43 2e 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 33 38 2e 38 39 35 31 2c 2d 37 37 2e 30 33 36 34 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 31 37 34 20 43 6f 67 65 6e 74 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 22 2c 0a 20 20 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 32 30 30 30 34 22 2c 0a 20 20 20 20 22 74 69 6d 65 Data Ascii: { "input": "102.165.48.43", "data": { "ip": "102.165.48.43", "city": "Washington", "region": "Washington, D.C.", "country": "US", "loc": "38.8951,-77.0364", "org": "AS174 Cogent Communications", "postal": "20004", "time
2024-03-29 08:52:26 UTC	283	IN	Data Raw: 22 3a 20 7b 0a 20 20 20 20 20 20 22 61 64 64 72 65 73 73 22 3a 20 22 47 72 6f 75 6e 64 20 46 6c 6f 6f 72 2c 20 34 20 56 69 63 74 6f 72 69 61 20 53 71 75 61 72 65 2c 20 53 74 20 41 6c 62 61 6e 73 2c 20 48 65 72 74 66 6f 72 64 73 68 69 72 65 2c 20 4c 6f 6e 64 6f 6e 2c 20 55 6e 69 74 65 64 20 4b 69 6e 67 64 6f 6d 22 2c 0a 20 20 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 47 42 22 2c 0a 20 20 20 20 20 20 22 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 69 70 78 6f 2e 63 6f 6d 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 45 64 76 69 6e 61 73 20 52 61 63 6b 61 75 73 6b 61 73 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 31 30 32 2e 31 36 35 2e 30 2e 30 2f 31 38 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 74 65 6c 3a 2b Data Ascii: ": { "address": "Ground Floor, 4 Victoria Square, St Albans, Hertfordshire, London, United Kingdom", "country": "GB", "email": "abuse@ipxo.com", "name": "Edvinas Rackauskas", "network": "102.165.0.0/18", "phone": "tel:+

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49742	104.26.5.15	443	6884	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-03-29 08:52:26 UTC	262	OUT	GET /demo/home.php?s=102.165.48.43 HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: db-ip.com
2024-03-29 08:52:27 UTC	652	IN	HTTP/1.1 200 OK Date: Fri, 29 Mar 2024 08:52:27 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close x-iplb-request-id: AC46862F:F06E_93878F2E:0050_6606814B_5D259EA:7B63 x-iplb-instance: 59128 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bPMnrHLN5plVswiQrku4sGUHHAPbBTrirr2JWxLjZYoQSi7gcKE2SqyjpcrWVUNoERmeqFrwj3f7Dnro2nxds62sBfNhrHQ1UrD%2FGJIXI%2FGwsz50eFt8JJSRLw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 86be9fb5cb659c72-IAD alt-svc: h3=":443"; ma=86400
2024-03-29 08:52:27 UTC	85	IN	Data Raw: 34 66 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 65 72 72 6f 72 22 3a 22 6f 76 65 72 20 71 75 65 72 79 20 6c 69 6d 69 74 2c 20 70 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 22 7d 7d 0d 0a Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
2024-03-29 08:52:27 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49744	34.117.186.192	443	5500	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-03-29 08:52:34 UTC	238	OUT	GET /widget/demo/102.165.48.43 HTTP/1.1 Connection: Keep-Alive Referer: https://ipinfo.io/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: ipinfo.io
2024-03-29 08:52:34 UTC	515	IN	HTTP/1.1 200 OK server: nginx/1.24.0 date: Fri, 29 Mar 2024 08:52:34 GMT content-type: application/json; charset=utf-8 Content-Length: 1021 access-control-allow-origin: * x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff referrer-policy: strict-origin-when-cross-origin x-envoy-upstream-service-time: 52 via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-03-29 08:52:34 UTC	737	IN	Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 31 30 32 2e 31 36 35 2e 34 38 2e 34 33 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 31 30 32 2e 31 36 35 2e 34 38 2e 34 33 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 57 61 73 68 69 6e 67 74 6f 6e 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 57 61 73 68 69 6e 67 74 6f 6e 2c 20 44 2e 43 2e 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 33 38 2e 38 39 35 31 2c 2d 37 37 2e 30 33 36 34 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 31 37 34 20 43 6f 67 65 6e 74 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 22 2c 0a 20 20 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 32 30 30 30 34 22 2c 0a 20 20 20 20 22 74 69 6d 65 Data Ascii: { "input": "102.165.48.43", "data": { "ip": "102.165.48.43", "city": "Washington", "region": "Washington, D.C.", "country": "US", "loc": "38.8951,-77.0364", "org": "AS174 Cogent Communications", "postal": "20004", "time
2024-03-29 08:52:34 UTC	284	IN	Data Raw: 65 22 3a 20 7b 0a 20 20 20 20 20 20 22 61 64 64 72 65 73 73 22 3a 20 22 47 72 6f 75 6e 64 20 46 6c 6f 6f 72 2c 20 34 20 56 69 63 74 6f 72 69 61 20 53 71 75 61 72 65 2c 20 53 74 20 41 6c 62 61 6e 73 2c 20 48 65 72 74 66 6f 72 64 73 68 69 72 65 2c 20 4c 6f 6e 64 6f 6e 2c 20 55 6e 69 74 65 64 20 4b 69 6e 67 64 6f 6d 22 2c 0a 20 20 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 47 42 22 2c 0a 20 20 20 20 20 20 22 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 69 70 78 6f 2e 63 6f 6d 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 45 64 76 69 6e 61 73 20 52 61 63 6b 61 75 73 6b 61 73 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 31 30 32 2e 31 36 35 2e 30 2e 30 2f 31 38 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 74 65 6c 3a Data Ascii: e": { "address": "Ground Floor, 4 Victoria Square, St Albans, Hertfordshire, London, United Kingdom", "country": "GB", "email": "abuse@ipxo.com", "name": "Edvinas Rackauskas", "network": "102.165.0.0/18", "phone": "tel:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49745	104.26.5.15	443	5500	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-03-29 08:52:34 UTC	262	OUT	GET /demo/home.php?s=102.165.48.43 HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: db-ip.com
2024-03-29 08:52:35 UTC	656	IN	HTTP/1.1 200 OK Date: Fri, 29 Mar 2024 08:52:35 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close x-iplb-request-id: AC4626BA:A362_93878F2E:0050_66068153_5D19211:4F34 x-iplb-instance: 59215 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=f0FKDPeeOaUnBCZFQpkMpZMMYBCycn3kmu0dGghx%2BuPryEXGEFwr6m7%2BewDigl%2BLHUQfaJi4%2FYgxqeUVnTRwriLdhHuaUQtQoWAcJaS6mo6Lj8zyyRE3ckg2NA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 86be9fe7383a394f-IAD alt-svc: h3=":443"; ma=86400
2024-03-29 08:52:35 UTC	85	IN	Data Raw: 34 66 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 65 72 72 6f 72 22 3a 22 6f 76 65 72 20 71 75 65 72 79 20 6c 69 6d 69 74 2c 20 70 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 22 7d 7d 0d 0a Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
2024-03-29 08:52:35 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	09:51:55
Start date:	29/03/2024
Path:	C:\Users\user\Desktop\MXpl6HFisn.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\MXpl6HFisn.exe"
Imagebase:	0x7ff6a5780000
File size:	21'056'512 bytes
MD5 hash:	0AADBCA2D0A26B8F90FD4F31CB7F2FFC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Go lang
Yara matches:	Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000002.1769068121.000000C0026F0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	09:52:06
Start date:	29/03/2024
Path:	C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe"
Imagebase:	0x7ff7b7920000
File size:	21'056'512 bytes
MD5 hash:	0AADBCA2D0A26B8F90FD4F31CB7F2FFC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Go lang
Yara matches:	Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000001.00000002.1871116463.000000C002598000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000001.00000002.1871116463.000000C002814000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
Antivirus matches:	Detection: 42%, ReversingLabs Detection: 47%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:52:11
Start date:	29/03/2024
Path:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Imagebase:	0x670000
File size:	231'736 bytes
MD5 hash:	A64BEAB5D4516BECA4C40B25DC0C1CD8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000002.00000003.1836476956.0000000005203000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000002.00000002.4068353569.0000000004F00000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	09:52:14
Start date:	29/03/2024
Path:	C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe"
Imagebase:	0x7ff7b7920000
File size:	21'056'512 bytes
MD5 hash:	0AADBCA2D0A26B8F90FD4F31CB7F2FFC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Go lang
Yara matches:	Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000004.00000002.1962242072.000000C0025AA000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000004.00000002.1959576006.000000C0006B2000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000004.00000002.1962242072.000000C002826000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:52:21
Start date:	29/03/2024
Path:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Imagebase:	0x670000
File size:	231'736 bytes
MD5 hash:	A64BEAB5D4516BECA4C40B25DC0C1CD8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	09:52:28
Start date:	29/03/2024
Path:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Imagebase:	0x670000
File size:	231'736 bytes
MD5 hash:	A64BEAB5D4516BECA4C40B25DC0C1CD8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.4%
Dynamic/Decrypted Code Coverage:	4.9%
Signature Coverage:	14.5%
Total number of Nodes:	2000
Total number of Limit Nodes:	170

Executed Functions

Function 02A0C390 Relevance: 95.9, APIs: 43, Strings: 11, Instructions: 1449
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE(80000002,B6A7AF8C,00000000,00020019,00000000), ref: 02A0C63D
RegQueryValueExA.KERNELBASE(00000000,8A828192,00000000,00020019,?,00000400), ref: 02A0C6B3
RegCloseKey.ADVAPI32(00000000), ref: 02A0C6E8
GetCurrentHwProfileA.ADVAPI32(?), ref: 02A0C78F

Strings

t{fx, xrefs: 02A0D5AA
qwli, xrefs: 02A0DB1B
@, xrefs: 02A0D733
default, xrefs: 02A0C487, 02A0C48E, 02A0C4C4
n|}, xrefs: 02A0DB39
1.7, xrefs: 02A0C4D5, 02A0C4E3, 02A0C51D
iT\d, xrefs: 02A0DB25
W<, xrefs: 02A0D5B4
qkfc, xrefs: 02A0D5A0
bb~z, xrefs: 02A0DB2F
?, xrefs: 02A0DC19

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: CloseCurrentOpenProfileQueryValue
String ID: 1.7$?$@$W<$bb~z$default$iT\d$n|}$qkfc$qwli$t{fx
API String ID: 1240309278-3835243323
Opcode ID: b4714488c6441582af84570f93b940c8a2156c14fcb865fd150062367bc2f414
Instruction ID: 493583ebac19ca0e260bf1746ecd3cdb537b11a0ab5c552804345e512e65bd0f
Opcode Fuzzy Hash: b4714488c6441582af84570f93b940c8a2156c14fcb865fd150062367bc2f414
Instruction Fuzzy Hash: 39E227B1C402289EDB21DF90DD88BEEBBB9EF14304F4444D9D509A7281EB745B89CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02A43090 Relevance: 93.6, APIs: 40, Strings: 12, Instructions: 2579fileCOMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNELBASE(00000000,00000000,00000000), ref: 02A43120
CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 02A4317C
CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 02A43A39
CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 02A43BC1
SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 02A431AD

Part of subcall function 02A0A5F0: GetFileAttributesA.KERNELBASE ref: 02A0A61E
Part of subcall function 02A0A5F0: GetLastError.KERNEL32 ref: 02A0A629
Part of subcall function 02A0A5F0: __Mtx_unlock.LIBCPMT ref: 02A0A64E

CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 02A432E8
SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 02A43317
CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 02A43416
CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 02A434ED
CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 02A4354B
CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 02A43686
CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 02A43714
CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 02A4388B

Strings

-flh, xrefs: 02A4390A
p*q~, xrefs: 02A440E8
1, xrefs: 02A44B0B
meak, xrefs: 02A43CE9
s, xrefs: 02A440F2
Xx{e, xrefs: 02A43CDF
wkwg, xrefs: 02A44CD3
|z, xrefs: 02A43CFD
`l`t, xrefs: 02A43CD5
|>{a, xrefs: 02A43CF3
`m, xrefs: 02A44CDD
l, xrefs: 02A4602C

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: CreateDirectoryFile$Copy$FolderPath$AttributesErrorLastMtx_unlock
String ID: -flh$1$Xx{e$`l`t$`m$l$meak$p*q~$s$wkwg$|>{a$|z
API String ID: 3083152970-1050508948
Opcode ID: 2e197690c0c2cc039398f62be8d137837ee3349a14440e165fee2f0aa49b2aef
Instruction ID: 387e4c7fc433f2538e039292883f1a79691018ee929a8f16ffecb3e15f6bdb38
Opcode Fuzzy Hash: 2e197690c0c2cc039398f62be8d137837ee3349a14440e165fee2f0aa49b2aef
Instruction Fuzzy Hash: C44381B0C442589ADF25EB64DE98BDEBB76AF25304F0440D9C84967281EF745B8CCF92

Uniqueness

Uniqueness Score: -1.00%

Function 02A0E0B0 Relevance: 91.0, APIs: 48, Strings: 3, Instructions: 1776fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(?,74DF3100,00000000,C8CFCA83,02A46009,00000000,C8CFCA83,C8CFCA84,74DF3100,?,00000000), ref: 02A0E1FB

Strings

y, xrefs: 02A132DB
., xrefs: 02A0E220
\, xrefs: 02A0FE76

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: FileFindFirst
String ID: .$\$y
API String ID: 1974802433-705995259
Opcode ID: 748cc823b659c78458c5be25257c283dd24f7a41ab80e3d7c7e51d18d88ed392
Instruction ID: 33150300379af39e6ede4e0f1b75d296ccac4c58fa6aae48a3f52a9947b5b9e8
Opcode Fuzzy Hash: 748cc823b659c78458c5be25257c283dd24f7a41ab80e3d7c7e51d18d88ed392
Instruction Fuzzy Hash: 3CD20171D002089FDF18DFA8EAC4BADBB76AF09304F144A59E416A76C1DF31AA45CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02A60400 Relevance: 82.7, APIs: 42, Strings: 4, Instructions: 2192COMMON

Download Yara Rule

APIs

Part of subcall function 02A43090: CreateDirectoryA.KERNELBASE(00000000,00000000,00000000), ref: 02A43120
Part of subcall function 02A43090: CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 02A4317C
Part of subcall function 02A43090: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 02A431AD

CreateDirectoryA.KERNELBASE(?,00000000,?,978DB083,02B32D14,00000033,978DB083,978DB084), ref: 02A604E5
GetFileAttributesA.KERNEL32(00000000,?,-00000034,0000004C,?,0000004C), ref: 02A606DF
GetLastError.KERNEL32(?,-00000034,0000004C,?,0000004C), ref: 02A606EA
__Mtx_unlock.LIBCPMT ref: 02A60709
__Mtx_unlock.LIBCPMT ref: 02A60718
CreateDirectoryA.KERNEL32(?,00000000,?,0000004C), ref: 02A6072F
GetFileAttributesA.KERNEL32(00000000,?,?,?,-00000034,0000004C,?,0000004C), ref: 02A60910
GetLastError.KERNEL32(?,?,-00000034,0000004C,?,0000004C), ref: 02A6091B
__Mtx_unlock.LIBCPMT ref: 02A6093A
__Mtx_unlock.LIBCPMT ref: 02A6094F
CreateDirectoryA.KERNEL32(00000000,00000000,?,?,?,?,-00000034,0000004C,?,0000004C), ref: 02A6096C
GetFileAttributesA.KERNEL32(?,?,?,?,?,?,-00000034,0000004C,?,0000004C), ref: 02A60B4C
GetLastError.KERNEL32(?,?,?,?,-00000034,0000004C,?,0000004C), ref: 02A60B57
__Mtx_unlock.LIBCPMT ref: 02A60B76
__Mtx_unlock.LIBCPMT ref: 02A60B85
CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,-00000034,0000004C,?,0000004C), ref: 02A60BA2
GetFileAttributesA.KERNEL32(00000000,83828F94,?,?,?,?,-00000034,0000004C,?,0000004C), ref: 02A60E5C
GetLastError.KERNEL32(?,?,?,?,-00000034,0000004C,?,0000004C), ref: 02A60E67
__Mtx_unlock.LIBCPMT ref: 02A60E86
__Mtx_unlock.LIBCPMT ref: 02A60E95
CreateDirectoryA.KERNEL32(00000000,00000000,?,83828F94,?,?,?,?,-00000034,0000004C,?,0000004C), ref: 02A60EAC

Strings

\, xrefs: 02A61612
\, xrefs: 02A61963
\, xrefs: 02A61212
\, xrefs: 02A613CD

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: Mtx_unlock$CreateDirectory$AttributesErrorFileLast$FolderPath
String ID: \$\$\$\
API String ID: 2196497886-3238275731
Opcode ID: 2d44e2d7b885e57f20b955ee3639ef403e736d6196ce94a178c9793c531639cf
Instruction ID: 58459115171681664478fef97da830cb79ebb99ddd809404e0ab416ccd322773
Opcode Fuzzy Hash: 2d44e2d7b885e57f20b955ee3639ef403e736d6196ce94a178c9793c531639cf
Instruction Fuzzy Hash: 1903D371D002588FEF18CB68CD88BFDBBB6AF09308F548599D40AA7791DB319A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02A5B160 Relevance: 81.6, APIs: 40, Strings: 5, Instructions: 2868COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(?), ref: 02A5B28F
GetLastError.KERNEL32 ref: 02A5B29A
__Mtx_unlock.LIBCPMT ref: 02A5B2B9
__Mtx_unlock.LIBCPMT ref: 02A5B2C8
CreateDirectoryA.KERNELBASE(?,00000000), ref: 02A5B2FC
__Mtx_unlock.LIBCPMT ref: 02A5B309

Strings

\, xrefs: 02A5C9EC
\, xrefs: 02A5C754
\, xrefs: 02A5C5B0
_, xrefs: 02A5C93F
\, xrefs: 02A5D71F

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: Mtx_unlock$AttributesCreateDirectoryErrorFileLast
String ID: \$\$\$\$_
API String ID: 2839272865-3392302647
Opcode ID: 26e5845d09027ef3ce89a667e0608f67a0653276a96a98ce2004fbaca75f7d31
Instruction ID: d18f59e7c8a7e37ebda1caf137fb348d8eaa1feab3082926f15855b268233fa7
Opcode Fuzzy Hash: 26e5845d09027ef3ce89a667e0608f67a0653276a96a98ce2004fbaca75f7d31
Instruction Fuzzy Hash: BA430570D002688FDB29CF68C988BEEBBB6EF05318F1445D9D84AA7255DF309A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02A5D4C0 Relevance: 72.8, APIs: 25, Strings: 15, Instructions: 2783COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(?), ref: 02A5E4AD
GetLastError.KERNEL32 ref: 02A5E4B8
__Mtx_unlock.LIBCPMT ref: 02A5E4D7

Strings

-, xrefs: 02A5F6C7
k*17, xrefs: 02A5FAFD
_, xrefs: 02A5DA6E
ho'>, xrefs: 02A5FB1B
, xrefs: 02A5FB72
\, xrefs: 02A5D71F
-, xrefs: 02A5F9CE
\, xrefs: 02A5E78F
few<, xrefs: 02A5FADF
\, xrefs: 02A5DAFB
\, xrefs: 02A5E952
:S,(, xrefs: 02A5FB25
.., xrefs: 02A5FB2F
\, xrefs: 02A5EC17
_, xrefs: 02A5EB6B

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: AttributesErrorFileLastMtx_unlock
String ID: $-$-$..$:S,($\$\$\$\$\$_$_$few<$ho'>$k*17
API String ID: 441747541-4163213437
Opcode ID: 4b009007d9f3a4e52b28ff4e5fa79d6c8ca02b94c015515b53155c987276cea6
Instruction ID: ffeb2f8675fd3ad3f94aef06134878b07c411636c7a0a05cc253250834139729
Opcode Fuzzy Hash: 4b009007d9f3a4e52b28ff4e5fa79d6c8ca02b94c015515b53155c987276cea6
Instruction Fuzzy Hash: 9C43C0709002688FDB29CF28CD887EEBBB5AF05304F1441DDD84AA7692DB759B89CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02A49480 Relevance: 54.6, APIs: 14, Strings: 14, Instructions: 5600COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(?,?,02A49A2E,00000000), ref: 02A4953D
GetLastError.KERNEL32(?,02A49A2E,00000000), ref: 02A49548
__Mtx_unlock.LIBCPMT ref: 02A49571
CreateDirectoryA.KERNELBASE(?,00000000), ref: 02A496B0
CreateDirectoryA.KERNELBASE(?,00000000,?,?,0000005C,?,?,0000005C,?), ref: 02A497C0

Strings

*, xrefs: 02A4BDE2
we, xrefs: 02A4CDAC
, xrefs: 02A4A6B7
pXFn, xrefs: 02A4E13F
{t`t, xrefs: 02A4D3FD
z, xrefs: 02A4F13D
ugdc, xrefs: 02A4E149
n, xrefs: 02A4D411
nmgi, xrefs: 02A4D407
\, xrefs: 02A496C9
jgt`, xrefs: 02A4E15D
:, xrefs: 02A4AB9E
~a[g, xrefs: 02A4E153
\, xrefs: 02A49A44

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLastMtx_unlock
String ID: $*$:$\$\$jgt`$n$nmgi$pXFn$ugdc$we$z${t`t$~a[g
API String ID: 611283054-3053135953
Opcode ID: 26cb5db44c4dbd0a751f77ce265fee895f758c87c8bb38fb45d900c4ba25d9bf
Instruction ID: f9f2d9967217884c5f29d52f808d581ffa498ab4d175e92e3301a77e9fa3353f
Opcode Fuzzy Hash: 26cb5db44c4dbd0a751f77ce265fee895f758c87c8bb38fb45d900c4ba25d9bf
Instruction Fuzzy Hash: B8B3CCB1D002189EDF24DF68C9987EEBBB6AF45304F1482C9C45967281DF719B89CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02A3E200 Relevance: 52.5, APIs: 22, Strings: 7, Instructions: 1770COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,00000033,00A2A384,00000033), ref: 02A3E257
GetFileAttributesA.KERNELBASE(?,?,?,8E84B483,8E84B484), ref: 02A3E379
GetLastError.KERNEL32(?,?,8E84B483,8E84B484), ref: 02A3E386
__Mtx_unlock.LIBCPMT ref: 02A3E3A5
GetFileAttributesA.KERNEL32(?,83859484,?,?,?,8E84B483,8E84B484), ref: 02A3E470
GetLastError.KERNEL32(?,?,?,8E84B483,8E84B484), ref: 02A3E477
__Mtx_unlock.LIBCPMT ref: 02A3E496

Strings

\, xrefs: 02A3F367
., xrefs: 02A3E681
\, xrefs: 02A3EDDA
s, xrefs: 02A3F35A
\, xrefs: 02A3F069
\, xrefs: 02A3F5C8
s, xrefs: 02A3F5BB

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: AttributesErrorFileLastMtx_unlock$FolderPath
String ID: .$\$\$\$\$s$s
API String ID: 3673586248-1144724142
Opcode ID: b62174e4c52a65b61504693b30cc42d2faced2b0a081a12828d8c9eff2f62b7e
Instruction ID: 5570648254980d966aaedd3a2347049f4be98786f4f6bb2a28bbbb855c4dab1b
Opcode Fuzzy Hash: b62174e4c52a65b61504693b30cc42d2faced2b0a081a12828d8c9eff2f62b7e
Instruction Fuzzy Hash: 65F2AF70D102598FEB29CF68CD84BEDBBB6AF09304F1482D9E449E7691DB709A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02A44387 Relevance: 43.6, APIs: 20, Strings: 4, Instructions: 1609fileCOMMON

Download Yara Rule

APIs

CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 02A444AD
CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 02A4458A
CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 02A447E7
CreateDirectoryA.KERNEL32(00000000,00000000,?,?,00000000), ref: 02A448F7

Strings

1, xrefs: 02A44B0B
wkwg, xrefs: 02A44CD3
`m, xrefs: 02A44CDD
l, xrefs: 02A4602C

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: CopyCreateDirectoryFile
String ID: 1$`m$l$wkwg
API String ID: 3761107634-2719960592
Opcode ID: 657febb4ae42ef01369b52088c69bf29760d039c3d31526ecd38353fc04e820e
Instruction ID: 4858e114d1d8626cace67b8597123ca05a52d0700cec47ca2f497f371796477a
Opcode Fuzzy Hash: 657febb4ae42ef01369b52088c69bf29760d039c3d31526ecd38353fc04e820e
Instruction Fuzzy Hash: 06F29270C442589ADF25EB60DE98BEEB776AF25304F4440D9C84967281EF745B8CCFA2

Uniqueness

Uniqueness Score: -1.00%

Function 02A3B3B0 Relevance: 39.8, APIs: 5, Strings: 17, Instructions: 1314COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,?,?,?,?,?,02A55F3B), ref: 02A3B4C6
GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 02A3B5E5
GetPrivateProfileStringA.KERNEL32(?,8A95818F,00000000,?,00000104,?), ref: 02A3B69A

Strings

FGQ&, xrefs: 02A3BC30
?fsm, xrefs: 02A3BC76
\, xrefs: 02A3B974
/, xrefs: 02A3B867
), xrefs: 02A3BF08
7<tz, xrefs: 02A3BC6C
`}aI, xrefs: 02A3BC58
]wAC, xrefs: 02A3BC8A
gd%;, xrefs: 02A3BFB6
', xrefs: 02A3BFC0
\, xrefs: 02A3B6A3
VFXA, xrefs: 02A3BC9E
wdhi, xrefs: 02A3BC3A
#0g{, xrefs: 02A3BC4E
XXB\, xrefs: 02A3BC94
nSdj, xrefs: 02A3BC44
z`a{, xrefs: 02A3BCEE

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: PrivateProfile$FolderNamesPathSectionString
String ID: #0g{$'$)$/$7<tz$?fsm$FGQ&$VFXA$XXB\$\$\$]wAC$`}aI$gd%;$nSdj$wdhi$z`a{
API String ID: 1539182551-2698631267
Opcode ID: 70999859abfcb53500e897f8e6632255523a40d544996ae336105a65c09d6fb2
Instruction ID: e4448d65851d18b0499734211189efade0683692351fe8762a91fdf54ccaf2df
Opcode Fuzzy Hash: 70999859abfcb53500e897f8e6632255523a40d544996ae336105a65c09d6fb2
Instruction Fuzzy Hash: C9C2C170900258DFDB29CF68CC94BEEBBB6BF05308F1445D9E449AB281DB759A84CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02A287E0 Relevance: 37.5, APIs: 2, Strings: 18, Instructions: 2469COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?,00000000), ref: 02A288B1

Strings

u}p{, xrefs: 02A297C9
vgJc, xrefs: 02A297B5
JTnD, xrefs: 02A297FB
1, xrefs: 02A29DE1
OQ@, xrefs: 02A297DD
cannot use operator[] with a string argument with , xrefs: 02A2AC2D, 02A2AC65, 02A2ACFD
P, xrefs: 02A2AD14
P+(', xrefs: 02A29823
c{5:, xrefs: 02A297BF
YU]Z, xrefs: 02A297F1
bk|x, xrefs: 02A29797
RX@S, xrefs: 02A29805
0, xrefs: 02A2982D
jwZu, xrefs: 02A2978D
w`x`, xrefs: 02A297AB
n -k, xrefs: 02A297A1
1, xrefs: 02A29A01
3, xrefs: 02A297D3

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: FolderPath
String ID: 0$1$1$3$JTnD$OQ@$P$P+('$RX@S$YU]Z$bk|x$cannot use operator[] with a string argument with $c{5:$jwZu$n -k$u}p{$vgJc$w`x`
API String ID: 1514166925-2794068133
Opcode ID: 2e3202cdafb962e6c52ae374a417305f60bfd76aac547e64c5dff19b389b7c1c
Instruction ID: 55b34e2a4ef3fe55eb5c1ae01a39a5a47f353a891d27b28aab5a5efdcde7d2f0
Opcode Fuzzy Hash: 2e3202cdafb962e6c52ae374a417305f60bfd76aac547e64c5dff19b389b7c1c
Instruction Fuzzy Hash: 5C339D70D00269CFDB25DF68C998BEEBBB5AF14304F1441D9D849A7281EF749A88CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02A3B5F9 Relevance: 36.1, APIs: 3, Strings: 17, Instructions: 1086COMMON

Download Yara Rule

APIs

GetPrivateProfileStringA.KERNEL32(?,8A95818F,00000000,?,00000104,?), ref: 02A3B69A

Strings

FGQ&, xrefs: 02A3BC30
?fsm, xrefs: 02A3BC76
\, xrefs: 02A3B974
/, xrefs: 02A3B867
), xrefs: 02A3BF08
7<tz, xrefs: 02A3BC6C
`}aI, xrefs: 02A3BC58
]wAC, xrefs: 02A3BC8A
gd%;, xrefs: 02A3BFB6
', xrefs: 02A3BFC0
\, xrefs: 02A3B6A3
VFXA, xrefs: 02A3BC9E
wdhi, xrefs: 02A3BC3A
#0g{, xrefs: 02A3BC4E
XXB\, xrefs: 02A3BC94
nSdj, xrefs: 02A3BC44
z`a{, xrefs: 02A3BCEE

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: PrivateProfileString
String ID: #0g{$'$)$/$7<tz$?fsm$FGQ&$VFXA$XXB\$\$\$]wAC$`}aI$gd%;$nSdj$wdhi$z`a{
API String ID: 1096422788-2698631267
Opcode ID: bf6ae0ee46b1d27296fa89889e75e627263f8f73a9e1af07f146a4776552b224
Instruction ID: a1cef66ecef832565c6cee5b3512b94819e3333f3635fbfaff506dc194abb828
Opcode Fuzzy Hash: bf6ae0ee46b1d27296fa89889e75e627263f8f73a9e1af07f146a4776552b224
Instruction Fuzzy Hash: 95A2B070904258DFDB29CF28CD94BEEBBB6BF05308F1445D9E449AB281DB719A84CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02A28069 Relevance: 34.5, Strings: 26, Instructions: 1993COMMON

Download Yara Rule

Strings

+(ek, xrefs: 02A27D31
O, xrefs: 02A26C77
^X]O, xrefs: 02A26C6D
jxda, xrefs: 02A26C27
xxRh, xrefs: 02A27D3B
Drhs, xrefs: 02A26C4F
"/& , xrefs: 02A26CC7
WG, xrefs: 02A27D9F
3, xrefs: 02A28611
zadt, xrefs: 02A27D27
BWNC, xrefs: 02A27D77
.=4r, xrefs: 02A26CD1
rf96, xrefs: 02A26C3B
pSP@, xrefs: 02A27D95
~<[L, xrefs: 02A27D63
aOhw, xrefs: 02A26C31
3z|u, xrefs: 02A27D4F
NHDZ, xrefs: 02A27D8B
k(%c, xrefs: 02A26C13
`ec>, xrefs: 02A27D45
FJFT, xrefs: 02A26C63
]YV[, xrefs: 02A26C81
tyk~, xrefs: 02A26C45
|vxw, xrefs: 02A27D59
CwJX, xrefs: 02A27D81
}ES}, xrefs: 02A26C59

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: "/& $+(ek$.=4r$3$3z|u$BWNC$CwJX$Drhs$FJFT$NHDZ$O$WG$]YV[$^X]O$`ec>$aOhw$jxda$k(%c$pSP@$rf96$tyk~$xxRh$zadt$|vxw$}ES}$~<[L
API String ID: 0-424170321
Opcode ID: 9b3a21257c8aa2f6c1e8859dd5c22ed511b6de96f22639c78a327f772490cb22
Instruction ID: 64d60c7bc56255b419521e6eb794aaa34b9191f0e6b07260f367c3587b924c9b
Opcode Fuzzy Hash: 9b3a21257c8aa2f6c1e8859dd5c22ed511b6de96f22639c78a327f772490cb22
Instruction Fuzzy Hash: 2B13AA70D05268CFDB25DF68C9987EEBBB5AF14304F1441E9C849A7281EB749B88CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02A2B029 Relevance: 30.9, APIs: 1, Strings: 16, Instructions: 1107COMMON

Download Yara Rule

Strings

o95r, xrefs: 02A2BB03
yhh|, xrefs: 02A2BAA9
\, xrefs: 02A2B783
%, xrefs: 02A2C09C
\, xrefs: 02A2B6E3
+`l}, xrefs: 02A2BA59
{Og{, xrefs: 02A2BA63
?fsm, xrefs: 02A2BA8B
K[e, xrefs: 02A2BA9F
7<tz, xrefs: 02A2BA81
rze&, xrefs: 02A2BA4F
`}aI, xrefs: 02A2BA6D
wupw, xrefs: 02A2BAD1
k`sw, xrefs: 02A2BADB
FGQ&, xrefs: 02A2BA45
stlf, xrefs: 02A2BAE5

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: %$+`l}$7<tz$?fsm$FGQ&$K[e$\$\$`}aI$k`sw$o95r$rze&$stlf$wupw$yhh|${Og{
API String ID: 0-291594044
Opcode ID: d0fb74eecde67f29226b15cf3293a43c7d94bb11ce35c32aa292ad6470403b32
Instruction ID: 5125a0631e1a5d4535a72567ba82641b8a7a43365608e988a3ab86376d72c0bc
Opcode Fuzzy Hash: d0fb74eecde67f29226b15cf3293a43c7d94bb11ce35c32aa292ad6470403b32
Instruction Fuzzy Hash: 86A2A571D002688FDB29CF68CD947EDFBB2AF45308F148599D449AB381DB349A89CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02A357D0 Relevance: 29.9, APIs: 6, Strings: 10, Instructions: 1946stringCOMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 02A3588D
GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,00000000), ref: 02A3592E
GetPrivateProfileStringA.KERNEL32(?,8A95818F,00000000,?,00000104,?), ref: 02A359DC
lstrlenA.KERNEL32(?), ref: 02A374FA

Strings

hzm&, xrefs: 02A35CE5
ET9\, xrefs: 02A35D0D
OKBO, xrefs: 02A35D2B
+jb|, xrefs: 02A35CEF
bCdp, xrefs: 02A35CF9
ISP>, xrefs: 02A35D17
bwvq, xrefs: 02A35CDB
~}aC, xrefs: 02A35D03
cannot use operator[] with a string argument with , xrefs: 02A3768D
rO[}, xrefs: 02A35D21

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: PrivateProfile$FolderNamesPathSectionStringlstrlen
String ID: +jb|$ET9\$ISP>$OKBO$bCdp$bwvq$cannot use operator[] with a string argument with $hzm&$rO[}$~}aC
API String ID: 1311570089-3620833884
Opcode ID: 39476980edfe64503d0deb5012a7c0fa631adfb7c7863db0b5f12016115dd3fc
Instruction ID: a1545dc9e2d9eb6154cfe7c3e855268bc552c3e685812a8e5e869c27bb01f4ab
Opcode Fuzzy Hash: 39476980edfe64503d0deb5012a7c0fa631adfb7c7863db0b5f12016115dd3fc
Instruction Fuzzy Hash: 2F03CEB0D402588BDB2ADF64CD98BEEBBB6AF15304F0441D9D409A7281EF745B88CF95

Uniqueness

Uniqueness Score: -1.00%

Function 02A2C3B0 Relevance: 27.1, APIs: 1, Strings: 13, Instructions: 2614COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?,00000000), ref: 02A2C48A

Strings

\, xrefs: 02A2D3B8
n~{g, xrefs: 02A2DFDB
\, xrefs: 02A2CFD0
\, xrefs: 02A2D03B
\, xrefs: 02A2DC59
cannot use operator[] with a string argument with , xrefs: 02A2E94F
bfVy, xrefs: 02A2DFD1
\, xrefs: 02A2D663
#pjm, xrefs: 02A2DFC7
A, xrefs: 02A2E96C
\, xrefs: 02A2DBF2
lu, xrefs: 02A2DFE5
\, xrefs: 02A2D5E5

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: FolderPath
String ID: #pjm$A$\$\$\$\$\$\$\$bfVy$cannot use operator[] with a string argument with $lu$n~{g
API String ID: 1514166925-2210393922
Opcode ID: e88960063eeee01204425a03d1d9f40e3bce6c1a8d1740d399023488ff1a696d
Instruction ID: beef63fcbdfd7005eddef9d5c8fd459cedb5c3143c392ca05a6422d07df1327d
Opcode Fuzzy Hash: e88960063eeee01204425a03d1d9f40e3bce6c1a8d1740d399023488ff1a696d
Instruction Fuzzy Hash: 0A338F71D002688FDB28DF68C9847EEBBB6EF05304F1481DDD449A7291DB74AA89CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02A41150 Relevance: 25.5, APIs: 13, Strings: 1, Instructions: 963
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?,02B35420,00000000), ref: 02A4123F
RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 02A4127A
RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 02A412A5
RegQueryValueExA.ADVAPI32(?,8B808D9A,00000000,00000001,?,00000104), ref: 02A413A5
RegQueryValueExA.ADVAPI32(?,B2A0AD96,00000000,00000001,?,00000104,?,?,?,?,0000002D,?), ref: 02A414EF
RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000001,?,00000104,?,?,?,?,0000002D,?), ref: 02A41540
RegQueryValueExA.ADVAPI32(?,B2A0AD96,00000000,00000003,?,00000200,?,?,?,?,0000002D,?), ref: 02A415EC
RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000003,?,00000200,?,?,?,?,0000002D,?), ref: 02A41647
RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000003,?,00000200,?,?,?,?,0000002D,?), ref: 02A416A2
RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000003,?,00000200,?,?,?,?,0000002D,?), ref: 02A416F9
RegCloseKey.ADVAPI32(?), ref: 02A41F7D
RegEnumKeyA.ADVAPI32(?,00000001,?,00000104), ref: 02A41FAC
RegCloseKey.ADVAPI32(?), ref: 02A41FC0

Strings

cannot use operator[] with a string argument with , xrefs: 02A4201B

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: QueryValue$CloseEnumOpen
String ID: cannot use operator[] with a string argument with
API String ID: 2041898428-2766135566
Opcode ID: 9010a1a79b65d2d7e5d89a985878e2ff99a7425f5bc18e80a32690ee890c3d5f
Instruction ID: d0668a0fb1a6516c89caf18b7b80f02d2c76b34c1266209343da7ac7d2b4075a
Opcode Fuzzy Hash: 9010a1a79b65d2d7e5d89a985878e2ff99a7425f5bc18e80a32690ee890c3d5f
Instruction Fuzzy Hash: 409288B0800258DEDB25DF64CD94BEEBBB9AF19304F1041DAD449A7281EF755B88CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02A0A6B0 Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 264
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\*.*, xrefs: 02A0A747

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: \*.*
API String ID: 0-1173974218
Opcode ID: 3fc21191a5858b859e94a2baecfabb1c0019c00fed862f5ddd2ff70d78c34ca6
Instruction ID: 750f5eeb6380906ffadf0f8331284eaef2e827d6d0448674128434e4005da636
Opcode Fuzzy Hash: 3fc21191a5858b859e94a2baecfabb1c0019c00fed862f5ddd2ff70d78c34ca6
Instruction Fuzzy Hash: 8DA18D70E002099FDB28DFA8D9D4BAEBBB6FF08314F144519E116E72C2DB709985CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02A37710 Relevance: 20.5, APIs: 4, Strings: 7, Instructions: 1285COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,?,?,?,?,?,02A55CA7), ref: 02A37826
GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 02A37963
GetPrivateProfileStringA.KERNEL32(?,8A95818F,00000000,?,00000104,?), ref: 02A37A1A

Strings

\, xrefs: 02A37CDA
\, xrefs: 02A37A23
nllu, xrefs: 02A38002
sg{s0, xrefs: 02A384DB, 02A38505
/, xrefs: 02A37BCD
, xrefs: 02A382C4
cannot use operator[] with a string argument with , xrefs: 02A3888A, 02A388E2

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: PrivateProfile$FolderNamesPathSectionString
String ID: $/$\$\$cannot use operator[] with a string argument with $nllu$sg{s0
API String ID: 1539182551-113793748
Opcode ID: 8e5c8bfd1128964cdfda16278cf881c9d909726baa36cfed7256a2e674c22b36
Instruction ID: 6c25356893c3b2604aeeebc1e11eedc43aa2b6bff10af38e49df6fb2d92a4f95
Opcode Fuzzy Hash: 8e5c8bfd1128964cdfda16278cf881c9d909726baa36cfed7256a2e674c22b36
Instruction Fuzzy Hash: D9C2A170900258DFDB29CF64CD84BEDBBB5AF05304F1441EDE449AB281EB759A88CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02A41208 Relevance: 20.3, APIs: 13, Instructions: 808
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?,02B35420,00000000), ref: 02A4123F
RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 02A4127A
RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 02A412A5
RegQueryValueExA.ADVAPI32(?,8B808D9A,00000000,00000001,?,00000104), ref: 02A413A5
RegQueryValueExA.ADVAPI32(?,B2A0AD96,00000000,00000001,?,00000104,?,?,?,?,0000002D,?), ref: 02A414EF
RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000001,?,00000104,?,?,?,?,0000002D,?), ref: 02A41540
RegQueryValueExA.ADVAPI32(?,B2A0AD96,00000000,00000003,?,00000200,?,?,?,?,0000002D,?), ref: 02A415EC
RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000003,?,00000200,?,?,?,?,0000002D,?), ref: 02A41647
RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000003,?,00000200,?,?,?,?,0000002D,?), ref: 02A416A2
RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000003,?,00000200,?,?,?,?,0000002D,?), ref: 02A416F9
RegEnumKeyA.ADVAPI32(?,00000001,?,00000104), ref: 02A41FAC
RegCloseKey.ADVAPI32(?), ref: 02A41FC0

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: QueryValue$EnumOpen$Close
String ID:
API String ID: 2931576859-0
Opcode ID: aa072dc2ce34a842a3c977ea8b5ae53960a6ddff3dd403fed37af6d2b6e335d4
Instruction ID: fac4c7b9eec51d6d56b31306873e2352546ba8abc57ab62b7055663b545b5a17
Opcode Fuzzy Hash: aa072dc2ce34a842a3c977ea8b5ae53960a6ddff3dd403fed37af6d2b6e335d4
Instruction Fuzzy Hash: 898269B0C002589EDB25CF64CD94BEEBBB9AF19304F1041DAD54DA7281EB755B88CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02A3C720 Relevance: 13.7, APIs: 9, Instructions: 170libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(8E9481A9,?), ref: 02A3C766
GetProcAddress.KERNEL32(00000000,8E948189), ref: 02A3C7C1
GetProcAddress.KERNEL32(8E948189), ref: 02A3C80E
GetProcAddress.KERNEL32(8E948189), ref: 02A3C84B
GetProcAddress.KERNEL32(8E948189), ref: 02A3C88B
GetProcAddress.KERNEL32(8E948189), ref: 02A3C8CF
GetProcAddress.KERNEL32(8E948189), ref: 02A3C90E
GetProcAddress.KERNEL32(8E948189), ref: 02A3C94D
FreeLibrary.KERNEL32 ref: 02A3C9A2

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: AddressProc$Library$FreeLoad
String ID:
API String ID: 2449869053-0
Opcode ID: 50109a3da9ab346bfead3beeddec2b8f8b8749861ec17641a88e0d7ffb721524
Instruction ID: d89aa8d2e2b719eeee7f4e7d4f45c101c3ff2a4e70c97a8d608e4a0b78c93ba4
Opcode Fuzzy Hash: 50109a3da9ab346bfead3beeddec2b8f8b8749861ec17641a88e0d7ffb721524
Instruction Fuzzy Hash: 3B71DE70C54288EADB16CFA4E844BDDBFF5EF09348F50849FE401AB241E7B64259CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 02A5D628 Relevance: 12.7, APIs: 6, Strings: 1, Instructions: 451COMMON

Download Yara Rule

Strings

\, xrefs: 02A5D71F

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: \
API String ID: 0-2967466578
Opcode ID: bcddcd7dae99f47fc6576ace8473ef40d1892b831e1115b3e85459d7a7dbc102
Instruction ID: 6341fd3cbd46bacdbdfe5e4801f3da081ce239cc841bcd2f46f457fa50c07521
Opcode Fuzzy Hash: bcddcd7dae99f47fc6576ace8473ef40d1892b831e1115b3e85459d7a7dbc102
Instruction Fuzzy Hash: A40201708042688FDB29CF68C9987EEBBB5AF15308F1441E9D80AA7241DF759B89CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02A2E048 Relevance: 12.7, Strings: 9, Instructions: 1446COMMON

Download Yara Rule

Strings

\, xrefs: 02A2D3B8
n~{g, xrefs: 02A2DFDB
%, xrefs: 02A2E6DD
#pjm, xrefs: 02A2DFC7
\, xrefs: 02A2D03B
\, xrefs: 02A2DC59
lu, xrefs: 02A2DFE5
\, xrefs: 02A2D663
bfVy, xrefs: 02A2DFD1

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: #pjm$%$\$\$\$\$bfVy$lu$n~{g
API String ID: 0-3135257148
Opcode ID: 02993383a8e9881e477d7add9e469eaeba8a8107ce174b21e4c7999ce28cb53b
Instruction ID: c91507f5adde21016c7908c72d98c331dbf611ad3a9eb33a444a70ba3790345d
Opcode Fuzzy Hash: 02993383a8e9881e477d7add9e469eaeba8a8107ce174b21e4c7999ce28cb53b
Instruction Fuzzy Hash: EBD29070D002688FDB29CF68CD987EEBBB5AF05304F1482DDD449A7292DB746A89CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02A2E169 Relevance: 12.7, Strings: 9, Instructions: 1445COMMON

Download Yara Rule

Strings

\, xrefs: 02A2D3B8
n~{g, xrefs: 02A2DFDB
%, xrefs: 02A2E6DD
#pjm, xrefs: 02A2DFC7
\, xrefs: 02A2D03B
\, xrefs: 02A2DC59
lu, xrefs: 02A2DFE5
\, xrefs: 02A2D663
bfVy, xrefs: 02A2DFD1

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: #pjm$%$\$\$\$\$bfVy$lu$n~{g
API String ID: 0-3135257148
Opcode ID: 948e2dfce3397d9400b4ad342740490daf883c8277feac38f2129c51f23756ae
Instruction ID: f1a8ebdbaf9225d7d090a307362070a72252d0a5ca4b64fbf178ca16c47cd9ca
Opcode Fuzzy Hash: 948e2dfce3397d9400b4ad342740490daf883c8277feac38f2129c51f23756ae
Instruction Fuzzy Hash: 3DD29070D002688FDB29CF68CD987EEBBB5AF05304F1482DDD449A7292DB746A89CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02A24A10 Relevance: 11.9, APIs: 1, Strings: 5, Instructions: 1442COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?,8C968FBB), ref: 02A24B5C

Strings

\, xrefs: 02A253B9
, xrefs: 02A25A96
mhjg, xrefs: 02A256D5
c{, xrefs: 02A256DF
\, xrefs: 02A25441

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: FolderPath
String ID: $\$\$c{$mhjg
API String ID: 1514166925-1455636313
Opcode ID: c86b812e61bf10497ea6dc32952577677e84cd85217b14ba1f450e7ba4e8e32f
Instruction ID: 9ef82f033b1adb7423d7ee79b6953e7578577e98959c3217be3ab4523cb773b3
Opcode Fuzzy Hash: c86b812e61bf10497ea6dc32952577677e84cd85217b14ba1f450e7ba4e8e32f
Instruction Fuzzy Hash: D7D2C171D002688FDB28CF68C9947EDBBB2BF45304F54819DD459AB781DB709A89CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02A561A0 Relevance: 11.5, Strings: 8, Instructions: 1548COMMON

Download Yara Rule

Strings

pg{n, xrefs: 02A56F5F
1,(}, xrefs: 02A57886
Pjm, xrefs: 02A57AC2
Sevu, xrefs: 02A56F55
1,(}, xrefs: 02A56F69
Sevu, xrefs: 02A57878
/, xrefs: 02A57B1D
bf3*, xrefs: 02A57AC9

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: Pjm$/$1,(}$1,(}$Sevu$Sevu$bf3*$pg{n
API String ID: 0-776177215
Opcode ID: 1ec11515b9378ac5a25b2f3fecb5207fc4e0a3c024a3310c85ab0712a1cc7beb
Instruction ID: a4b7b5a75b891d50ee763bf3f40587bb8d8772476bcdf7622ec480ace08b2784
Opcode Fuzzy Hash: 1ec11515b9378ac5a25b2f3fecb5207fc4e0a3c024a3310c85ab0712a1cc7beb
Instruction Fuzzy Hash: 09E25F70D402689ADF25EBA0DD98BEDBB7AAF14304F4040D9D84A77281EF745B89CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02A641C3 Relevance: 11.0, APIs: 5, Strings: 1, Instructions: 470threadsynchronizationCOMMON

Download Yara Rule

APIs

OutputDebugStringA.KERNEL32(45 hgfch rtdyt gfch,?,?,?), ref: 02A6478F
CreateThread.KERNELBASE(00000000,00000000,Function_000509A0,00000000,00000000,00000000), ref: 02A647BA
CreateThread.KERNELBASE(00000000,00000000,Function_00055B20,00000000,00000000,00000000), ref: 02A647D0

Part of subcall function 02A3C720: LoadLibraryA.KERNELBASE(8E9481A9,?), ref: 02A3C766
Part of subcall function 02A3C720: GetProcAddress.KERNEL32(00000000,8E948189), ref: 02A3C7C1
Part of subcall function 02A3C720: GetProcAddress.KERNEL32(8E948189), ref: 02A3C80E
Part of subcall function 02A3C720: GetProcAddress.KERNEL32(8E948189), ref: 02A3C84B
Part of subcall function 02A3C720: GetProcAddress.KERNEL32(8E948189), ref: 02A3C88B

FreeLibrary.KERNELBASE(6CFB0000,?,?,?,?,?,?), ref: 02A6488D
WaitForSingleObject.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?), ref: 02A6494C

Strings

45 hgfch rtdyt gfch, xrefs: 02A6478A

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: AddressProc$CreateLibraryThread$DebugFreeLoadObjectOutputSingleStringWait
String ID: 45 hgfch rtdyt gfch
API String ID: 2649782214-2270278793
Opcode ID: 385d1ea5193128cc873e52f42b23f80570f0bb6c1cc619d0ef44056741adac2d
Instruction ID: 7b1f45e46cdb3e4d411f53253f0b232b34a1b3fe2bb45ead76cdf2a7871f9bae
Opcode Fuzzy Hash: 385d1ea5193128cc873e52f42b23f80570f0bb6c1cc619d0ef44056741adac2d
Instruction Fuzzy Hash: E1225A759402288BDF25EF60DD98BEDB77AAF58304F0001D9D44A67290EF306B89CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02A64405 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 346threadsynchronizationCOMMON

Download Yara Rule

APIs

OutputDebugStringA.KERNEL32(45 hgfch rtdyt gfch,?,?,?), ref: 02A6478F
CreateThread.KERNELBASE(00000000,00000000,Function_000509A0,00000000,00000000,00000000), ref: 02A647BA
CreateThread.KERNELBASE(00000000,00000000,Function_00055B20,00000000,00000000,00000000), ref: 02A647D0
FreeLibrary.KERNELBASE(6CFB0000,?,?,?,?,?,?), ref: 02A6488D
WaitForSingleObject.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?), ref: 02A6494C

Strings

45 hgfch rtdyt gfch, xrefs: 02A6478A

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: CreateThread$DebugFreeLibraryObjectOutputSingleStringWait
String ID: 45 hgfch rtdyt gfch
API String ID: 3253439392-2270278793
Opcode ID: 817d6128416651461b3970ec06840ef483eb2f9e200521d7d753672b88534311
Instruction ID: c0699745a5e5fbf3f9e1455999a88f0ab040acd66bab43cdf49eb12faa78a63e
Opcode Fuzzy Hash: 817d6128416651461b3970ec06840ef483eb2f9e200521d7d753672b88534311
Instruction Fuzzy Hash: 11E16A719802288BDF25EF60DD98BEDB77AAF54344F0041D9D44A67290EF306B89CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02A23270 Relevance: 10.5, APIs: 1, Strings: 4, Instructions: 1726COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?,8D9595BE), ref: 02A23393

Strings

\, xrefs: 02A23D2D
&, xrefs: 02A24958
\, xrefs: 02A23CA5
cannot use operator[] with a string argument with , xrefs: 02A2493B, 02A24993

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: FolderPath
String ID: &$\$\$cannot use operator[] with a string argument with
API String ID: 1514166925-52429261
Opcode ID: 50b02ac0c55b192c67da80718f023bc2d22f646d1d7dbb58c662722a936fbcee
Instruction ID: 2d7322b4033c181f0c1efecbb72367464b8e01634838c04fe2a66b15c48dd482
Opcode Fuzzy Hash: 50b02ac0c55b192c67da80718f023bc2d22f646d1d7dbb58c662722a936fbcee
Instruction Fuzzy Hash: 62E29071D002688FDF29CF68C9947EDBBB6AF09304F1481D9D449AB281DB749A89CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02A1C000 Relevance: 8.8, Strings: 6, Instructions: 1274COMMON

Download Yara Rule

Strings

102.165.48.43, xrefs: 02A1C8FB
https://www.maxmind.com/en/locate-my-ip-address, xrefs: 02A1D1EA
102.165.48.43, xrefs: 02A1DDC3, 02A1DE11
https://ipinfo.io/, xrefs: 02A1CA1C
C, xrefs: 02A1DEC4
Content-Type: application/x-www-form-urlencoded, xrefs: 02A1C111, 02A1C39F, 02A1CD02

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: AddressConcurrency::cancel_current_taskHandleModuleProc
String ID: 102.165.48.43$102.165.48.43$C$Content-Type: application/x-www-form-urlencoded$https://ipinfo.io/$https://www.maxmind.com/en/locate-my-ip-address
API String ID: 2385143733-1064276941
Opcode ID: 0f6a5654815b3b8955b39fdb634eba82f8ba8b92441d97a85a54f93c1d6b5817
Instruction ID: 59a957c1b0c758e016e56c97099a594336304b8b9f3a950cc6208809843ed190
Opcode Fuzzy Hash: 0f6a5654815b3b8955b39fdb634eba82f8ba8b92441d97a85a54f93c1d6b5817
Instruction Fuzzy Hash: BCC27E70944268DADF25EB64CD98BEDBBBAAF14304F0400D9D54977280EF741B89CFA6

Uniqueness

Uniqueness Score: -1.00%

Function 02A62460 Relevance: 7.7, APIs: 5, Instructions: 156sleepCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 02A62473
GetCursorPos.USER32(?), ref: 02A62479
Sleep.KERNELBASE(000003E9,?,00000001,00000000,?,?,?,?,?,?,?,?,02A627D6), ref: 02A62528
GetCursorPos.USER32(?), ref: 02A6252E
Sleep.KERNELBASE(00000001,?,00000001,00000000,?,?,?,?,?,?,?,?,02A627D6), ref: 02A625DA

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: Cursor$Sleep
String ID:
API String ID: 1847515627-0
Opcode ID: 42681c3bc99496ca9676d9c9de64f952ee6e99d999f8a8b8b6ab83713f5aba98
Instruction ID: cc1e986057f01bab9ecf93c88d5e7966fd4c4490e061d626ba7f25007c1aec39
Opcode Fuzzy Hash: 42681c3bc99496ca9676d9c9de64f952ee6e99d999f8a8b8b6ab83713f5aba98
Instruction Fuzzy Hash: C451CC35A402158FCB24CF58C8E8FB9B3B1FF88708B198099D945AB351DB35E905CB80

Uniqueness

Uniqueness Score: -1.00%

Function 02ACC4A0 Relevance: 7.0, Strings: 4, Instructions: 2001COMMON

Download Yara Rule

Strings

too many terms in compound SELECT, xrefs: 02ACC73F
max, xrefs: 02ACDE1E
only a single result allowed for a SELECT that is part of an expression, xrefs: 02ACC785
min, xrefs: 02ACDDAD

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: max$min$only a single result allowed for a SELECT that is part of an expression$too many terms in compound SELECT
API String ID: 0-2877691265
Opcode ID: 46fec27825c19a7bd3f68a17f3686951004cbb12658a3c6ec6929c16df787bfd
Instruction ID: 46d09a12eac6af4d89712ac04a49f7c3f0573c0b4bc6202236154cb7e68aa92b
Opcode Fuzzy Hash: 46fec27825c19a7bd3f68a17f3686951004cbb12658a3c6ec6929c16df787bfd
Instruction Fuzzy Hash: 552326706047418FC724DF28C190B2ABBE2FF89314F15896DE99A8B352DB75E945CF82

Uniqueness

Uniqueness Score: -1.00%

Function 02A23A68 Relevance: 4.7, Strings: 3, Instructions: 922COMMON

Download Yara Rule

Strings

\, xrefs: 02A23D2D
\, xrefs: 02A23CA5
!, xrefs: 02A246D6

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: !$\$\
API String ID: 0-3812680301
Opcode ID: f28d8819bf140d7093bba4b27c0b2d6994521b1c60a26ff9ea6082a0663ba887
Instruction ID: 502e4d3ea9ebc6a6b8ea4784e54342da7e7bfa13f7a842f92788f72982868643
Opcode Fuzzy Hash: f28d8819bf140d7093bba4b27c0b2d6994521b1c60a26ff9ea6082a0663ba887
Instruction Fuzzy Hash: 4B828E70900268CFEF29CF68C9947EDBBB1AF19304F1481DDD449AB281DB759A89CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02ADC3BA Relevance: 4.5, APIs: 3, Instructions: 35COMMON

Download Yara Rule

APIs

FindClose.KERNEL32(000000FF,?,02A760C8,?,00000000), ref: 02ADC3C6
FindFirstFileExW.KERNELBASE(000000FF,00000001,?,00000000,00000000,00000000,?,?,?,02A760C8,?,00000000), ref: 02ADC3F5
GetLastError.KERNEL32(?,02A760C8,?,00000000), ref: 02ADC407

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: Find$CloseErrorFileFirstLast
String ID:
API String ID: 4020440971-0
Opcode ID: f95964b93d9b899159b6b4b47387ea4dbedc9101222a674fb0764c1d69dacd44
Instruction ID: e61baa9fda4b9afad77a524d4febe8bb36b43110a88dca3ec42dc0d3d7953c88
Opcode Fuzzy Hash: f95964b93d9b899159b6b4b47387ea4dbedc9101222a674fb0764c1d69dacd44
Instruction Fuzzy Hash: CBF0B471080109BFDB111FA4EC4897A7B5FEB143B0B504922FD1A814A0DB31D862DA64

Uniqueness

Uniqueness Score: -1.00%

Function 02A31110 Relevance: 4.5, APIs: 1, Strings: 1, Instructions: 982COMMON

Download Yara Rule

APIs

Part of subcall function 02A829B0: GetModuleHandleA.KERNEL32(AAAFA988,Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36,0000006F,00000000,00000000,?,?,?,?,?,?,?,?,00000000,02B0BA0C,000000FF), ref: 02A82AB5
Part of subcall function 02A829B0: GetProcAddress.KERNEL32(00000000,AA8F8988), ref: 02A82AFC

std::locale::_Init.LIBCPMT ref: 02A317AB

Strings

authorization: , xrefs: 02A31204

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: AddressHandleInitModuleProcstd::locale::_
String ID: authorization:
API String ID: 2315660321-4237435816
Opcode ID: d0606e9f4e61091f90d95e5e3d924c07c371c34f1131786d740daa00c7b4ff92
Instruction ID: bd8390a3b7e7a6905a573c79f2b39d28b7b38a363161c8b205cbea719f2688c2
Opcode Fuzzy Hash: d0606e9f4e61091f90d95e5e3d924c07c371c34f1131786d740daa00c7b4ff92
Instruction Fuzzy Hash: 5B82B171D002488FDB19DFA8C9887EEBBB6BF09304F14419DE44AAB781DB749A45CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02A20380 Relevance: 3.1, APIs: 2, Instructions: 123encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,02A4183B), ref: 02A20495
LocalFree.KERNEL32(?,00000000), ref: 02A204C4

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: CryptDataFreeLocalUnprotect
String ID:
API String ID: 1561624719-0
Opcode ID: 5c94ef291ac1f4b38a392bf09ed8001babd1944572f95a737335d29222535cc9
Instruction ID: fd2872ec9b51947048e4c6448c8c48129bce2f1eb3312175b9d93fdb28ad8e9f
Opcode Fuzzy Hash: 5c94ef291ac1f4b38a392bf09ed8001babd1944572f95a737335d29222535cc9
Instruction Fuzzy Hash: 8E3168329006204FE73C8B6CDD8876FB7A6EF11314F048A6DE48697E81DB34A9894BD1

Uniqueness

Uniqueness Score: -1.00%

Function 02A596F9 Relevance: 1.7, Strings: 1, Instructions: 433COMMON

Download Yara Rule

Strings

", xrefs: 02A59CE5

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: af0572300db005428b0cb64674ad6b8752fbbc53c224f1d0d8a294e4da192d5f
Instruction ID: c2e76ec687563e9145644161519b6ce2da3759499ab586f37753b5f17d34361a
Opcode Fuzzy Hash: af0572300db005428b0cb64674ad6b8752fbbc53c224f1d0d8a294e4da192d5f
Instruction Fuzzy Hash: 6C127DB0904268CEDB69CB28CC987DEBBB5AF55304F1441EDC54EA7242DB341AC5CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 02A1F5F0 Relevance: 1.6, APIs: 1, Instructions: 137COMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 02A1F6E1

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: Mtx_unlock
String ID:
API String ID: 1418687624-0
Opcode ID: 4160dec7efadafc20987e4564db61d771c60f4deda4845375c29347c012cfaeb
Instruction ID: ab1c37549ef37c671a33326d3bc7be5f3375cf75551d692fa2c9eb613a083b3d
Opcode Fuzzy Hash: 4160dec7efadafc20987e4564db61d771c60f4deda4845375c29347c012cfaeb
Instruction Fuzzy Hash: 3E416A719001889FDF08DF68CD84BFE7B6AEF05320F10825CE816E7A90DF3096498BA1

Uniqueness

Uniqueness Score: -1.00%

Function 02AEA58E Relevance: 1.6, Strings: 1, Instructions: 318COMMON

Download Yara Rule

Strings

0, xrefs: 02AEA712

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 7283ae75dac4470c97ea88c9d7027bf6a9a6095baf6011560a1c04ac0acd6412
Instruction ID: 61e500b307a028179dec44f61c1c2d863c3337d1cee8dd2e7f5a434803c32c36
Opcode Fuzzy Hash: 7283ae75dac4470c97ea88c9d7027bf6a9a6095baf6011560a1c04ac0acd6412
Instruction Fuzzy Hash: 9EB1C3B59006068BCF24CF68C5E56BEBBB6AF05308F144619D463D7792DF309A43CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02A331C6 Relevance: .9, Instructions: 937COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c228caf2b453b4befd0a688ad199cc352f6de812f939187fe4a6cb46fd7d8ca
Instruction ID: f7bdf5168de824bad693a78df91ed5a6e04594dd10ebe594f8b49e83d7672cca
Opcode Fuzzy Hash: 6c228caf2b453b4befd0a688ad199cc352f6de812f939187fe4a6cb46fd7d8ca
Instruction Fuzzy Hash: 4C82AC71D042588FDF1ACF68CD987EDBBB2AF45304F1482D9E449AB292DB705A85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02A8D5A0 Relevance: .6, Instructions: 648COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54930d3bcabcc7dbf0ed4e08a0d8295aef3d58c2e4fcaaf39135af7e966691e9
Instruction ID: 8aa7d6fb354bbf3655d4dafb090826c99fdbee6645a9cd5c3d63007fae89673d
Opcode Fuzzy Hash: 54930d3bcabcc7dbf0ed4e08a0d8295aef3d58c2e4fcaaf39135af7e966691e9
Instruction Fuzzy Hash: 0F42BE71A10B498ADB24EF79C8807ADFBB1EF41210F1486ACD4A5D77C1DB74E54ACBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02A8E240 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94c72a6b2b269a250812854598287c22e396fe59c4b44ff40d7d00dd49f0ad9a
Instruction ID: 449624a7cb10593e36a421c5e1fc8a4ff3d7b52d7c5495809574b94ea6c41ba3
Opcode Fuzzy Hash: 94c72a6b2b269a250812854598287c22e396fe59c4b44ff40d7d00dd49f0ad9a
Instruction Fuzzy Hash: 4CB1B271604701DFD720EF64C980A5BB7E5EF88314F044E2DF9AA83650EB74E949CB52

Uniqueness

Uniqueness Score: -1.00%

Function 02A8D340 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 854d7f0168f0dc93b040c5b83782ce3004fb363419dbd7899f20dfa3d1eb45b6
Instruction ID: 2e6cf08e0ce5b734dc7e986f85c85bce631385a787c75a55414695087787785f
Opcode Fuzzy Hash: 854d7f0168f0dc93b040c5b83782ce3004fb363419dbd7899f20dfa3d1eb45b6
Instruction Fuzzy Hash: 81316F71600B058FC365CFB9C8817A3B7E5FB49214F150A6ED6EAC7280C7B4B985CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02A2B528 Relevance: 30.6, APIs: 1, Strings: 16, Instructions: 848COMMON

Download Yara Rule

Strings

o95r, xrefs: 02A2BB03
yhh|, xrefs: 02A2BAA9
\, xrefs: 02A2B783
%, xrefs: 02A2C09C
\, xrefs: 02A2B6E3
+`l}, xrefs: 02A2BA59
{Og{, xrefs: 02A2BA63
?fsm, xrefs: 02A2BA8B
K[e, xrefs: 02A2BA9F
7<tz, xrefs: 02A2BA81
rze&, xrefs: 02A2BA4F
`}aI, xrefs: 02A2BA6D
wupw, xrefs: 02A2BAD1
k`sw, xrefs: 02A2BADB
FGQ&, xrefs: 02A2BA45
stlf, xrefs: 02A2BAE5

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: %$+`l}$7<tz$?fsm$FGQ&$K[e$\$\$`}aI$k`sw$o95r$rze&$stlf$wupw$yhh|${Og{
API String ID: 0-291594044
Opcode ID: 0835f4373b4307aeb3a1bb3be607099e224e7bcbb06201a58e589604340ae1d2
Instruction ID: 75b6e6712efbb2fc615110b8dc63c621fa8db5d3d798ed844a23d768729a97b1
Opcode Fuzzy Hash: 0835f4373b4307aeb3a1bb3be607099e224e7bcbb06201a58e589604340ae1d2
Instruction Fuzzy Hash: 7F82A170D00268CFDB29CF68CD947EDBBB2AF45308F1445D9D449AB281DB749A89CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02A77A9B Relevance: 28.7, APIs: 10, Strings: 6, Instructions: 697
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 02A78183
___std_exception_destroy.LIBVCRUNTIME ref: 02A7819C
___std_exception_destroy.LIBVCRUNTIME ref: 02A78DA4
___std_exception_destroy.LIBVCRUNTIME ref: 02A78DBD

Strings

object key, xrefs: 02A78A17
object separator, xrefs: 02A7826A
array, xrefs: 02A780B1
value, xrefs: 02A78CD1
object, xrefs: 02A788C4
$, xrefs: 02A78A8F

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: $$array$object$object key$object separator$value
API String ID: 4194217158-1912492727
Opcode ID: 5b9ca06b5726e97ef985bfe410df878b225cb979fc3247734d4c4432f8410e5a
Instruction ID: 1321df96d4a56c9d4647b288f2c4767279c11c0cd5563cc07e18c2e4e9014330
Opcode Fuzzy Hash: 5b9ca06b5726e97ef985bfe410df878b225cb979fc3247734d4c4432f8410e5a
Instruction Fuzzy Hash: C252E671D00248CFDB18DFA4CD887EEBBB6AF09304F144599D44AAB781DB789A84CF55

Uniqueness

Uniqueness Score: -1.00%

Function 02A0C0F0 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 176
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegGetValueA.KERNELBASE(80000002,9692998C,838C8F9B,0001FFFF,00000001,?,00000104), ref: 02A0C212
GetComputerNameExA.KERNELBASE(00000002,?,00000104), ref: 02A0C27C
LsaOpenPolicy.ADVAPI32(00000000,02B336CC,00000001,00000000), ref: 02A0C2D5

Strings

}c, xrefs: 02A0C1D8
%wZ, xrefs: 02A0C305
Wi{k, xrefs: 02A0C1CA
smuZ, xrefs: 02A0C1C3
fiyk, xrefs: 02A0C1D1

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: ComputerNameOpenPolicyValue
String ID: %wZ$Wi{k$fiyk$smuZ$}c
API String ID: 642710655-776724527
Opcode ID: 4b3e42d62add1c169b43e61f87aae2867c07ee7186546d11b25f3da125299ef4
Instruction ID: 67de5d2f74e96466ac364a3b6f323ffd9b04c3aec0c48b1e41395fd15c1737d6
Opcode Fuzzy Hash: 4b3e42d62add1c169b43e61f87aae2867c07ee7186546d11b25f3da125299ef4
Instruction Fuzzy Hash: 1371C2B09403089FDB15CFA4D888BEEBBB9EF08704F04465EE54AA7180EB755649CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02AED234 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 273
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02AECEED: CreateFileW.KERNELBASE(?,?,?,?,?,?,00000000), ref: 02AECF0A

GetLastError.KERNEL32 ref: 02AED348
__dosmaperr.LIBCMT ref: 02AED34F
GetFileType.KERNELBASE(00000000), ref: 02AED35B
GetLastError.KERNEL32 ref: 02AED365
__dosmaperr.LIBCMT ref: 02AED36E
CloseHandle.KERNEL32(00000000), ref: 02AED38E
CloseHandle.KERNEL32(?), ref: 02AED4DB
GetLastError.KERNEL32 ref: 02AED50D
__dosmaperr.LIBCMT ref: 02AED514

Strings

H, xrefs: 02AED499

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 362c4e4763dacd4dc3298efc6df0081a70bd4fa126836dfa0aa9ead3c360596c
Instruction ID: 909e822fcaf1c00a0ed160d4d0c63c9b80d3ddd2c4c970618a7c4c9d0173ed3e
Opcode Fuzzy Hash: 362c4e4763dacd4dc3298efc6df0081a70bd4fa126836dfa0aa9ead3c360596c
Instruction Fuzzy Hash: 6CA14332A145059FCF19AF68DC91BAE7BB6EB46324F180159E812EF390CF359913CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02A0B790 Relevance: 16.4, APIs: 5, Strings: 4, Instructions: 668
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02A0A3A0: GetCurrentProcess.KERNEL32(?), ref: 02A0A3AF
Part of subcall function 02A0A3A0: IsWow64Process.KERNEL32(00000000), ref: 02A0A3B6

RegOpenKeyExA.KERNELBASE(80000002,B6A7AF8C,00000000,00020019,00000000,8C8A8E8A,8C8A8E8B), ref: 02A0B8A6
RegQueryValueExA.KERNELBASE(00000000,8A828192,00000000,00020019,?,00000400), ref: 02A0B909
RegCloseKey.ADVAPI32(00000000), ref: 02A0B93F
GetCurrentHwProfileA.ADVAPI32(?), ref: 02A0B9D7
SetupDiGetClassDevsA.SETUPAPI(02B0D540,00000000,00000000,00000012), ref: 02A0BA30

Part of subcall function 02A0B100: LocalAlloc.KERNEL32(00000040,0000001C), ref: 02A0B150
Part of subcall function 02A0B100: SetupDiEnumDeviceInfo.SETUPAPI(?,00000000,00000000), ref: 02A0B15F

Strings

_, xrefs: 02A0BA85
_, xrefs: 02A0BA92
:, xrefs: 02A0B3A3
_, xrefs: 02A0BA26

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: CurrentProcessSetup$AllocClassCloseDeviceDevsEnumInfoLocalOpenProfileQueryValueWow64
String ID: :$_$_$_
API String ID: 2396838628-4119709311
Opcode ID: 6d3dd403c2bedb83e559f4023fee391d9a4d759efdd8053a75f50c32b3bdbd93
Instruction ID: f0a611fc43024337da79d1430bc1758b04fdbe82158759b4581e925ca53c477a
Opcode Fuzzy Hash: 6d3dd403c2bedb83e559f4023fee391d9a4d759efdd8053a75f50c32b3bdbd93
Instruction Fuzzy Hash: 54528E71D002588FDB18CF68DD94BEDBBB6EF09308F1486ADD409A7281DB719A85CF60

Uniqueness

Uniqueness Score: -1.00%

Function 02A060B0 Relevance: 14.8, APIs: 3, Strings: 5, Instructions: 793COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(?,?), ref: 02A063BA
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 02A06B07

Part of subcall function 02A6B300: std::locale::_Init.LIBCPMT ref: 02A6B3B6

Part of subcall function 02A6B150: std::locale::_Init.LIBCPMT ref: 02A6B18B

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 02A06894

Strings

/, xrefs: 02A064AE
.zip, xrefs: 02A061BA
recursive_directory_iterator::recursive_directory_iterator, xrefs: 02A06A76
\, xrefs: 02A0648F
status, xrefs: 02A06A60

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: InitIos_base_dtorstd::ios_base::_std::locale::_$AttributesFile
String ID: .zip$/$\$recursive_directory_iterator::recursive_directory_iterator$status
API String ID: 4117240250-1247146089
Opcode ID: faae4c32f6cfe7b67ff7c22d1d9eebab6908a1c0d27a63dc1e2ed1e0017ae23a
Instruction ID: 15f95a748fb1acfa9a74f3c52792ce4232149ebac738406b60605ec9e8acda0b
Opcode Fuzzy Hash: faae4c32f6cfe7b67ff7c22d1d9eebab6908a1c0d27a63dc1e2ed1e0017ae23a
Instruction Fuzzy Hash: D962B071D002488FDB18DF68D9C8BEDBBB6AF45318F1481A9D419A7381DF30AA85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02A1E000 Relevance: 12.1, APIs: 8, Instructions: 93networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 02A1E02A
getaddrinfo.WS2_32(?,?,?), ref: 02A1E0BD
socket.WS2_32(00000000,00000000,?), ref: 02A1E0DE
connect.WS2_32(00000000,010082A8,00000000), ref: 02A1E0F2
closesocket.WS2_32(00000000), ref: 02A1E0FE
freeaddrinfo.WS2_32(?,?,?,?,?,?,?,?,?,?,?), ref: 02A1E10B
WSACleanup.WS2_32 ref: 02A1E111
freeaddrinfo.WS2_32(?,?,?,?,?,?,?,?,?,?,?), ref: 02A1E126

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: freeaddrinfo$CleanupStartupclosesocketconnectgetaddrinfosocket
String ID:
API String ID: 58224237-0
Opcode ID: 6a2e9d3d863363f12f2e8eed9156df5e50e7c3969cb330defb027f9f1d8cef83
Instruction ID: 841b1dfe9e428f1ab41195cb2e06b3e175588248de020e45c11b2bed34343dcd
Opcode Fuzzy Hash: 6a2e9d3d863363f12f2e8eed9156df5e50e7c3969cb330defb027f9f1d8cef83
Instruction Fuzzy Hash: A1318B716447009FD7219F64D889B2ABBE4FB85778F048B19FDA4932D0D77198188B92

Uniqueness

Uniqueness Score: -1.00%

Function 02AF3044 Relevance: 9.3, APIs: 6, Instructions: 292COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0343bee6c354faeba60a0e1fdb6e4b9d990e4a8c34b2dba90667d787e2af683c
Instruction ID: 96fb423c092f66ee438a59270f04966e98b36efcc43765c9ffa1be88bb17ae51
Opcode Fuzzy Hash: 0343bee6c354faeba60a0e1fdb6e4b9d990e4a8c34b2dba90667d787e2af683c
Instruction Fuzzy Hash: 69B1B370E48285ABDF51DFE8D980BADBBB5BF89354F0441D9F60197281CF789942CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02A05580 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 339COMMON

Download Yara Rule

APIs

___std_fs_directory_iterator_advance@8.LIBCPMT ref: 02A056E4
___std_fs_directory_iterator_advance@8.LIBCPMT ref: 02A0571F

Strings

., xrefs: 02A05842

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: ___std_fs_directory_iterator_advance@8
String ID: .
API String ID: 2610647541-248832578
Opcode ID: 2e511239cf902b4be0fa85a9186cacf994c646f7119983275450efe520c1e332
Instruction ID: a90604b3473346cec7176be4af0e9d5b396ce30d032ce87a5d4fff35c63484f9
Opcode Fuzzy Hash: 2e511239cf902b4be0fa85a9186cacf994c646f7119983275450efe520c1e332
Instruction Fuzzy Hash: 33C1CD35E01626DBCB34CF68E4C47AAB3B6FF44324F9806A9D8059B290DB31AD45CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02A104C0 Relevance: 7.6, APIs: 2, Strings: 2, Instructions: 637COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,74DF3100,?,00000000), ref: 02A10515
SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 02A1053C

Strings

y, xrefs: 02A12A01
\, xrefs: 02A0F658

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: FolderPath
String ID: \$y
API String ID: 1514166925-1121330936
Opcode ID: fb616eea5961752dc73580060be6982249eb8795dd858f6d81600ad2d7e37fb7
Instruction ID: a5a5a28260cdc7fd1bbd2f98f8b8ba39b4cdcda6b13ac5be8e0b15eb39348429
Opcode Fuzzy Hash: fb616eea5961752dc73580060be6982249eb8795dd858f6d81600ad2d7e37fb7
Instruction Fuzzy Hash: 98626A74C44268DADF25EB60CD98BEDBB76AF11304F0440D9C44A27281EF752B89CFA6

Uniqueness

Uniqueness Score: -1.00%

Function 02A1E140 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 363libraryloadernetworkCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(Ws2_32.dll,?,?,?,?,?,?,?,?,?,?,00000000,Function_001202E8,00000000), ref: 02A1E4B7
GetProcAddress.KERNEL32(00000000,B1A0B388), ref: 02A1E4C2
WSASend.WS2_32(00000010,?,00000001,00000000,00000000,00000000,00000000), ref: 02A1E4DB

Strings

Ws2_32.dll, xrefs: 02A1E4AE

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: AddressHandleModuleProcSend
String ID: Ws2_32.dll
API String ID: 2819740048-3093949381
Opcode ID: aff714b80c4900bb8e91a72efd057d4e97caaf85d4792813b759e2760545b63b
Instruction ID: 565fd82dc4c1bcd00605b88968a033978075e766ef76563e75cc5ecb23222321
Opcode Fuzzy Hash: aff714b80c4900bb8e91a72efd057d4e97caaf85d4792813b759e2760545b63b
Instruction Fuzzy Hash: 6FE1A070600211CFEB29CF58C994B6DB7B2FF46724F24495DE8A69B3C1DB71A842CB85

Uniqueness

Uniqueness Score: -1.00%

Function 02A92210 Relevance: 6.1, APIs: 4, Instructions: 66fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 02A9222F
GetLastError.KERNEL32 ref: 02A9223A
ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 02A92262
GetLastError.KERNEL32 ref: 02A9226C

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: ErrorFileLast$PointerRead
String ID:
API String ID: 2170121939-0
Opcode ID: 48180cf278dbd3afe5835de51a2fa4e3160d0977fdce91fa7abfb7ebf94b4c45
Instruction ID: 436761a0690ad79e8ae8a01a70987276b6c4c1cd7288a27c622c913406e952aa
Opcode Fuzzy Hash: 48180cf278dbd3afe5835de51a2fa4e3160d0977fdce91fa7abfb7ebf94b4c45
Instruction Fuzzy Hash: A9116D3264010AABDB108FA9EC45B9AFBA8EB55360F008262FD1CC7190EB71D9618BD0

Uniqueness

Uniqueness Score: -1.00%

Function 02A13A00 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 382COMMON

Download Yara Rule

Strings

abcdefghijklmnopqrstuvwxyz0123456789_ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 02A13B1B

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: abcdefghijklmnopqrstuvwxyz0123456789_ABCDEFGHIJKLMNOPQRSTUVWXYZ
API String ID: 0-4024179465
Opcode ID: b85b5ac96fabf0e6d6926a3d489bb19235fff0eb1d6982185614da722d95fb9b
Instruction ID: 5fec3dd26d5dfd65c573d39882161056519e2e5006b6b6c2c0f044210398b078
Opcode Fuzzy Hash: b85b5ac96fabf0e6d6926a3d489bb19235fff0eb1d6982185614da722d95fb9b
Instruction Fuzzy Hash: 9FE19071E002089FDF08CFA8C984BAEBBB6FF49314F14869DD415AB281DB759A45CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02A0A5F0 Relevance: 4.6, APIs: 3, Instructions: 60COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE ref: 02A0A61E
GetLastError.KERNEL32 ref: 02A0A629
__Mtx_unlock.LIBCPMT ref: 02A0A64E

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: AttributesErrorFileLastMtx_unlock
String ID:
API String ID: 441747541-0
Opcode ID: bfef6b4572192a9e41d44e8efd7097ccc4c6b66c15f0fb88c063c96f8c430aa1
Instruction ID: ae67fb0555bee49818e767beea27e984711599e25545eee867d20b35e66f9ae8
Opcode Fuzzy Hash: bfef6b4572192a9e41d44e8efd7097ccc4c6b66c15f0fb88c063c96f8c430aa1
Instruction Fuzzy Hash: ECF028719C03000A593817F438D4ABA772A895377CF580661EA0A8A7C6FF03CA028991

Uniqueness

Uniqueness Score: -1.00%

Function 02A921C0 Relevance: 4.5, APIs: 3, Instructions: 31sleepCOMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 02A921D4
Sleep.KERNEL32(00000064), ref: 02A921E8
CloseHandle.KERNEL32(?), ref: 02A921F1

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: Close$ChangeFindHandleNotificationSleep
String ID:
API String ID: 4133708355-0
Opcode ID: 264c8de47d722b0cc070d3963058a1650f035fff6fb29ad1054f82afa704941b
Instruction ID: c445ccbecf5e2b381aa7e9a1e5d0a88c43ce600a89147e562a8ac8aac821fb43
Opcode Fuzzy Hash: 264c8de47d722b0cc070d3963058a1650f035fff6fb29ad1054f82afa704941b
Instruction Fuzzy Hash: D2E09B32540A17BBDA1157BADCC1B96F7D9EF051B4F104220EE2C86090DF21D43685A4

Uniqueness

Uniqueness Score: -1.00%

Function 02AF6189 Relevance: 4.5, APIs: 3, Instructions: 17fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(02AE7811,?,02AE7811,?,?,?,00000000), ref: 02AF6191
GetLastError.KERNEL32(?,02AE7811,?,?,?,00000000), ref: 02AF619B
__dosmaperr.LIBCMT ref: 02AF61A2

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: DeleteErrorFileLast__dosmaperr
String ID:
API String ID: 1545401867-0
Opcode ID: d8f0c57e0e14dfbdf2a19ecf80e42f2fdfdb44255eff59344c2180a5ef56f665
Instruction ID: eacd0f91b83629c5065c89526d7e8d56c8fef62390fde9b91e8691f9c9bd9930
Opcode Fuzzy Hash: d8f0c57e0e14dfbdf2a19ecf80e42f2fdfdb44255eff59344c2180a5ef56f665
Instruction Fuzzy Hash: 1FD0C932984509679E112EF5A9489167B5DEA846B43200A21F52DC61D0EE35C8629554

Uniqueness

Uniqueness Score: -1.00%

Function 02A676D0 Relevance: 3.2, APIs: 2, Instructions: 187COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 02A6786B
__fread_nolock.LIBCMT ref: 02A6788D

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 9697adb7546b05a3c94f5a24a14b448b632f27652fccbdcd1a0461ba6f7bc3c3
Instruction ID: a915de720be68c6873e0f0dd8bd6807416d7755e80e0ca4ce6c270d90a32da90
Opcode Fuzzy Hash: 9697adb7546b05a3c94f5a24a14b448b632f27652fccbdcd1a0461ba6f7bc3c3
Instruction Fuzzy Hash: 306136766146069FC714CF2DD888A6AF7A1FF88728F048629F869C7750DB70EC54CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02A05340 Relevance: 3.1, APIs: 2, Instructions: 103COMMON

Download Yara Rule

APIs

___std_fs_directory_iterator_open@12.LIBCPMT ref: 02A053DB
___std_fs_directory_iterator_advance@8.LIBCPMT ref: 02A053F6

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: ___std_fs_directory_iterator_advance@8___std_fs_directory_iterator_open@12
String ID:
API String ID: 3016148460-0
Opcode ID: f3815a8e5864301d134d156fdeda070d38c483a5221123fdb2e16d5b41cf1745
Instruction ID: 1b01f4144ca6df39c302ec1342fa57e2f848aeb44c54eb91b269633a649c0e47
Opcode Fuzzy Hash: f3815a8e5864301d134d156fdeda070d38c483a5221123fdb2e16d5b41cf1745
Instruction Fuzzy Hash: BC318132E402049BCF24DF58E9C07EDB7B6FB48721F54056AD909B3680EB756901CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02AF3533 Relevance: 3.1, APIs: 2, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,02AF341A,00000000,CF830579,02B2F030,0000000C,02AF34D6,02AE75DD,?), ref: 02AF3589
GetLastError.KERNEL32(?,02AF341A,00000000,CF830579,02B2F030,0000000C,02AF34D6,02AE75DD,?), ref: 02AF3593

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification
String ID:
API String ID: 1687624791-0
Opcode ID: 5c8a30ef8d90248de1c8f16be726222700e5ef608c20d5d42ef7443cae2efb07
Instruction ID: ca2f9bd158543fe6a90d11a0670ded00798b4409b7e72272a350abef79ec6cbf
Opcode Fuzzy Hash: 5c8a30ef8d90248de1c8f16be726222700e5ef608c20d5d42ef7443cae2efb07
Instruction Fuzzy Hash: 0D11AF33A481506EDFB563F8A9C4B3E6746CBC1778F140598FB08C71C0DF68C5418260

Uniqueness

Uniqueness Score: -1.00%

Function 02A1F7E0 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 33sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00000065), ref: 02A1F833

Strings

120, xrefs: 02A1F808

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: Sleep
String ID: 120
API String ID: 3472027048-289485416
Opcode ID: 2c9d08b1e15f47edf35d6c74394fa3c7f3f1f9c9d865a75147c6fd3d134a4554
Instruction ID: 775d5b72858ef4e825bb3baf81fed029b2c4e6360a53897ca02578b214ab34ac
Opcode Fuzzy Hash: 2c9d08b1e15f47edf35d6c74394fa3c7f3f1f9c9d865a75147c6fd3d134a4554
Instruction Fuzzy Hash: 14F02711FC43801BF635B26C2C0672D3B598389764F540485DD041B2C1DEA1186BC3E6

Uniqueness

Uniqueness Score: -1.00%

Function 02A1F770 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 33sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00000065,?,?,?,?,?,?,?,?,?,?,?,?,74D723A0), ref: 02A1F7C3

Strings

120, xrefs: 02A1F798

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: Sleep
String ID: 120
API String ID: 3472027048-289485416
Opcode ID: 0822df8966b6a762eb847cfba324289526a8475551fa61b09a85895c1d626368
Instruction ID: 3f2fd9a6f16aac6590e3c851327126a0e3b1dd22f13936f4271c4f72253ff0a1
Opcode Fuzzy Hash: 0822df8966b6a762eb847cfba324289526a8475551fa61b09a85895c1d626368
Instruction Fuzzy Hash: 9AF02711E803915AF631F26C3C46B2E3F698749BA4F640886D9045B2C1DFA1186A83E2

Uniqueness

Uniqueness Score: -1.00%

Function 02A0A670 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNELBASE(?,00000000,00000000), ref: 02A0A686
__Mtx_unlock.LIBCPMT ref: 02A0A693

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: CreateDirectoryMtx_unlock
String ID:
API String ID: 3577089425-0
Opcode ID: c72f52461c737f8a356555033c8ac2fdf995e226415c902edeabdbb5e6161ccd
Instruction ID: 303b77e0d8af80e500373f36799987142b0d422d01b77f60c58a2cddd74c45ff
Opcode Fuzzy Hash: c72f52461c737f8a356555033c8ac2fdf995e226415c902edeabdbb5e6161ccd
Instruction Fuzzy Hash: 76D05EE2EC022023A56522B12D09A87251D4E545717894461F90AE2218FD18CD004BD1

Uniqueness

Uniqueness Score: -1.00%

Function 02AF57D3 Relevance: 3.0, APIs: 2, Instructions: 22memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000000,?,02AFD6C9,02AE73E3,00000000,02AE73E3,?,02AFD96A,02AE73E3,00000007,02AE73E3,?,02AFDE5E,02AE73E3,02AE73E3), ref: 02AF57E9
GetLastError.KERNEL32(02AE73E3,?,02AFD6C9,02AE73E3,00000000,02AE73E3,?,02AFD96A,02AE73E3,00000007,02AE73E3,?,02AFDE5E,02AE73E3,02AE73E3), ref: 02AF57F4

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 724553144108c423ac4b4e5f3cb38b2360d31da52929754d05dbc5bf054c8142
Instruction ID: 002de22c0bc251e08b39ca0f564142b2b39054e5423ea8255159ac1768152d52
Opcode Fuzzy Hash: 724553144108c423ac4b4e5f3cb38b2360d31da52929754d05dbc5bf054c8142
Instruction Fuzzy Hash: 09E08631940205A7CB222FE0E94CF493B99EB44796F500820F70D9B0A1DF34C4528BD4

Uniqueness

Uniqueness Score: -1.00%

Function 02A316B0 Relevance: 2.0, APIs: 1, Instructions: 542COMMON

Download Yara Rule

APIs

Part of subcall function 02A09EB0: __fread_nolock.LIBCMT ref: 02A09F90

std::locale::_Init.LIBCPMT ref: 02A317AB

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: Init__fread_nolockstd::locale::_
String ID:
API String ID: 221842284-0
Opcode ID: 75798409619249f8ab09100dcd4052e4db0793921c6c78cdd54c7ec1ba58103c
Instruction ID: d3739d1cd851836e92541a337b004523b2ec70a0776bfa1d2db1313c5186d6ab
Opcode Fuzzy Hash: 75798409619249f8ab09100dcd4052e4db0793921c6c78cdd54c7ec1ba58103c
Instruction Fuzzy Hash: D122D271D002188FDB19DF68CD887EEBBB2AF45304F14829DE449AB781DB749A85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02A97240 Relevance: 2.0, APIs: 1, Instructions: 454COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c44682ff43840d9a146f3ea99c1481a13f820b9108829b8f2e5b3dc312372adb
Instruction ID: 3eea2f859e311db263ba5ad5ee29cc7fc3ff6fbd8c29107d52e283f6234c6bbd
Opcode Fuzzy Hash: c44682ff43840d9a146f3ea99c1481a13f820b9108829b8f2e5b3dc312372adb
Instruction Fuzzy Hash: A0F158B06107418FDB60CF6ACC80B67F7E5AF88308F04496DE59ACB651EBB5E944CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02AE3362 Relevance: 1.7, APIs: 1, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a88f68fb8ac377039f0517274018d89798d4b73b2f72865791a97165a0155798
Instruction ID: b8412dc6df44a5f675ceb8ab21c97827dbb7cec86737f83c898f61d72e911196
Opcode Fuzzy Hash: a88f68fb8ac377039f0517274018d89798d4b73b2f72865791a97165a0155798
Instruction Fuzzy Hash: EF518570A00144AFDF15CF59C985EBD7BB2EF89364F188199E80A9B351DB719E42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02A0A170 Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 02A0A2A3

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 2094b9842311838ccc39f966313a09eff140e9f67b4f95f737a35cd81ebd5c76
Instruction ID: f80fa20444b6324e722e3ee10fb65908ffe3a49a90b80c684dc81284c21e3667
Opcode Fuzzy Hash: 2094b9842311838ccc39f966313a09eff140e9f67b4f95f737a35cd81ebd5c76
Instruction Fuzzy Hash: 734137B09003009FEB14DF68DD84B6EFBA5EF09704F20856DE5169B2D1DBB59941CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02A69190 Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 02A69276

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 15e9204b5d4e751155b8beb7b1dff8f6fc0b73f5d88a3b1e01f69e4507e6232e
Instruction ID: 87362ede2ad952ca03422e4892ec0d85afe59d90fb7ffffd9d4c62d84c0575a8
Opcode Fuzzy Hash: 15e9204b5d4e751155b8beb7b1dff8f6fc0b73f5d88a3b1e01f69e4507e6232e
Instruction Fuzzy Hash: A531A6B1A00202AFDB04DF35D888A7AF7A5FF45314F14467AE81ACB691EF31D954CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02A02AE0 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 02A02BAA

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 8ebdc5d12f10c40644fd85f9aa08fd57ac7d3ff6eaed1630c01504853623d5de
Instruction ID: f0500642bf445868ab728eee3f83a04877dcb39f0ca46f10ef5fbec7d425431e
Opcode Fuzzy Hash: 8ebdc5d12f10c40644fd85f9aa08fd57ac7d3ff6eaed1630c01504853623d5de
Instruction Fuzzy Hash: 99215B729003009FDB149F35E8C8B6B7BA99F86324F15027AED2A8B2D2DF31C914C791

Uniqueness

Uniqueness Score: -1.00%

Function 02AF5438 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 02AF5472

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 629ed2935e0cb49ae3c684801af4d6bd6558df5a086841812956461f62a9d3e9
Instruction ID: 49754d437d5012a6ec859de5534e94343c81e23804e37a2f4ad1c45103438a22
Opcode Fuzzy Hash: 629ed2935e0cb49ae3c684801af4d6bd6558df5a086841812956461f62a9d3e9
Instruction Fuzzy Hash: D2111871A0410AAFCF05DF98E94099E7BF5EF48304F054059F909AB251DA34D911CB64

Uniqueness

Uniqueness Score: -1.00%

Function 02A0B260 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

SetupDiGetClassDevsA.SETUPAPI(02B0D540,00000000,00000000,00000012), ref: 02A0B277

Memory Dump Source

Source File: 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: ClassDevsSetup
String ID:
API String ID: 2330331845-0
Opcode ID: 3eab0928f73dac8c4af1e96d3385b98488fb3e7759d076c8f553d9b4b8b7ae94
Instruction ID: acb662b0970f9c6a98ce70e91d210082a70957426876a7612930208d933a3cbc
Opcode Fuzzy Hash: 3eab0928f73dac8c4af1e96d3385b98488fb3e7759d076c8f553d9b4b8b7ae94
Instruction Fuzzy Hash: E4F090B0A407145FD360DF6C6901756BBE4DB08724F108A6EE59DC36C1E7B0991487C1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Tactics:	Persistence
Data Sources:	Command: Command Execution, Process: Process Creation, User Account: User Account Creation
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report MXpl6HFisn.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Protection of GUI

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe

C:\Users\user\AppData\Local\Temp\adobe3S903DOZntEK\Cookies\Chrome_Default.txt

C:\Users\user\AppData\Local\Temp\adobe3S903DOZntEK\History\Firefox_fqs92o4p.default-release.txt

C:\Users\user\AppData\Local\Temp\adobe3S903DOZntEK\information.txt

C:\Users\user\AppData\Local\Temp\adobe3S903DOZntEK\passwords.txt

C:\Users\user\AppData\Local\Temp\adobe3S903DOZntEK\screenshot.png

C:\Users\user\AppData\Local\Temp\gC7STejDE3WmjzylxWa3QT6.zip

C:\Users\user\AppData\Local\Temp\heidi3S903DOZntEK\02zdBXl47cvzcookies.sqlite

C:\Users\user\AppData\Local\Temp\heidi3S903DOZntEK\3b6N2Xdh3CYwplaces.sqlite

C:\Users\user\AppData\Local\Temp\heidi3S903DOZntEK\5tU4KAXUt9OSHistory

C:\Users\user\AppData\Local\Temp\heidi3S903DOZntEK\6wUviFtkLbmKHistory

C:\Users\user\AppData\Local\Temp\heidi3S903DOZntEK\D87fZN3R3jFeplaces.sqlite

C:\Users\user\AppData\Local\Temp\heidi3S903DOZntEK\E7Z56Nq_1sMBWeb Data

Windows Analysis Report
MXpl6HFisn.exe

Function 02A0C390 Relevance: 95.9, APIs: 43, Strings: 11, Instructions: 1449
registryCOMMON

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre