Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:file.exe
Analysis ID:1513451
MD5:5fb5e099087ca0db68f8d58ae7555949
SHA1:caafb9713225e958041183455c1113d2018b9879
SHA256:f37c412bd47fc18d4c153664b116ea18c7d251eb8cdd0af8f130010958a93353
Tags:exe
Infos:

Detection

LummaC
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
LummaC encrypted strings found
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication

Classification

Process Tree

  • System is w10x64
  • file.exe (PID: 4464 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 5FB5E099087CA0DB68F8D58AE7555949)
    • BitLockerToGo.exe (PID: 7032 cmdline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Lumma Stealer, LummaC2 StealerLumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["tendencctywop.shop", "tesecuuweqo.shop", "licenseodqwmqn.shop", "eemmbryequo.shop", "reggwardssdqw.shop", "relaxatinownio.shop", "keennylrwmqlw.shop", "tryyudjasudqo.shop"], "Build id": "AleMVK--Coor"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
decrypted.memstrJoeSecurity_LummaCStealer_2Yara detected LummaC StealerJoe Security

    Sigma Signatures

    No Sigma rule has matched

    Suricata Signatures

    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2024-09-18T20:48:17.471459+020020546531A Network Trojan was detected192.168.2.549704172.67.218.144443TCP
    2024-09-18T20:48:18.456059+020020546531A Network Trojan was detected192.168.2.549705172.67.218.144443TCP
    2024-09-18T20:48:19.524842+020020546531A Network Trojan was detected192.168.2.549707104.21.25.77443TCP
    2024-09-18T20:48:20.649778+020020546531A Network Trojan was detected192.168.2.549710172.67.178.226443TCP
    2024-09-18T20:48:21.621682+020020546531A Network Trojan was detected192.168.2.549713104.21.42.156443TCP
    2024-09-18T20:48:22.997733+020020546531A Network Trojan was detected192.168.2.549715104.21.64.138443TCP
    2024-09-18T20:48:23.977281+020020546531A Network Trojan was detected192.168.2.549716188.114.96.3443TCP
    2024-09-18T20:48:25.044785+020020546531A Network Trojan was detected192.168.2.549717172.67.142.26443TCP
    2024-09-18T20:48:26.034606+020020546531A Network Trojan was detected192.168.2.549718172.67.176.113443TCP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2024-09-18T20:48:17.471459+020020498361A Network Trojan was detected192.168.2.549704172.67.218.144443TCP
    2024-09-18T20:48:18.456059+020020498361A Network Trojan was detected192.168.2.549705172.67.218.144443TCP
    2024-09-18T20:48:19.524842+020020498361A Network Trojan was detected192.168.2.549707104.21.25.77443TCP
    2024-09-18T20:48:20.649778+020020498361A Network Trojan was detected192.168.2.549710172.67.178.226443TCP
    2024-09-18T20:48:21.621682+020020498361A Network Trojan was detected192.168.2.549713104.21.42.156443TCP
    2024-09-18T20:48:22.997733+020020498361A Network Trojan was detected192.168.2.549715104.21.64.138443TCP
    2024-09-18T20:48:23.977281+020020498361A Network Trojan was detected192.168.2.549716188.114.96.3443TCP
    2024-09-18T20:48:25.044785+020020498361A Network Trojan was detected192.168.2.549717172.67.142.26443TCP
    2024-09-18T20:48:26.034606+020020498361A Network Trojan was detected192.168.2.549718172.67.176.113443TCP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2024-09-18T20:48:27.401211+020028579741Domain Observed Used for C2 Detected192.168.2.5526861.1.1.153UDP

    Joe Sandbox Signatures

    Click to jump to signature section

    Show All Signature Results

    AV Detection

    barindex
    Antivirus detection for URL or domain
    Source: https://steamcommunity.com/profiles/76561199724331900URL Reputation: Label: malware
    Source: https://steamcommunity.com/profiles/76561199724331900/inventory/URL Reputation: Label: malware
    Source: https://tenntysjuxmz.shop/URL Reputation: Label: phishing
    Source: relaxatinownio.shopAvira URL Cloud: Label: malware
    Source: https://tendencctywop.shop/)Avira URL Cloud: Label: malware
    Source: https://eemmbryequo.shop/7B?Avira URL Cloud: Label: malware
    Source: keennylrwmqlw.shopAvira URL Cloud: Label: malware
    Source: https://licenseodqwmqn.shop/apiAvira URL Cloud: Label: malware
    Source: tendencctywop.shopAvira URL Cloud: Label: malware
    Source: https://licenseodqwmqn.shop/iAvira URL Cloud: Label: malware
    Source: tryyudjasudqo.shopAvira URL Cloud: Label: malware
    Source: https://licenseodqwmqn.shop/apiEAvira URL Cloud: Label: malware
    Source: https://licenseodqwmqn.shop/Avira URL Cloud: Label: malware
    Source: https://tesecuuweqo.shop/apiAvira URL Cloud: Label: malware
    Source: tesecuuweqo.shopAvira URL Cloud: Label: malware
    Source: https://licenseodqwmqn.shop/AAvira URL Cloud: Label: malware
    Source: https://tenntysjuxmz.shop/$Avira URL Cloud: Label: malware
    Source: reggwardssdqw.shopAvira URL Cloud: Label: malware
    Source: eemmbryequo.shopAvira URL Cloud: Label: malware
    Source: https://keennylrwmqlw.shop/apioAvira URL Cloud: Label: malware
    Source: https://tendencctywop.shop/apiAvira URL Cloud: Label: malware
    Source: licenseodqwmqn.shopAvira URL Cloud: Label: malware
    Source: https://licenseodqwmqn.shop/8B?Avira URL Cloud: Label: malware
    Source: https://relaxatinownio.shop/apiAvira URL Cloud: Label: malware
    Source: https://tesecuuweqo.shop/8TAvira URL Cloud: Label: malware
    Source: https://tryyudjasudqo.shop/api:Avira URL Cloud: Label: malware
    Source: https://tryyudjasudqo.shop/apiAvira URL Cloud: Label: malware
    Source: https://keennylrwmqlw.shop/Avira URL Cloud: Label: malware
    Found malware configuration
    Source: 0.2.file.exe.2128000.2.raw.unpackMalware Configuration Extractor: LummaC {"C2 url": ["tendencctywop.shop", "tesecuuweqo.shop", "licenseodqwmqn.shop", "eemmbryequo.shop", "reggwardssdqw.shop", "relaxatinownio.shop", "keennylrwmqlw.shop", "tryyudjasudqo.shop"], "Build id": "AleMVK--Coor"}
    Multi AV Scanner detection for submitted file
    Source: file.exeReversingLabs: Detection: 16%
    AI detected suspicious sample
    Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
    Sample uses string decryption to hide its real strings
    Source: 00000000.00000002.2200721008.00000000021BB000.00000004.00001000.00020000.00000000.sdmpString decryptor: tryyudjasudqo.shop
    Source: 00000000.00000002.2200721008.00000000021BB000.00000004.00001000.00020000.00000000.sdmpString decryptor: eemmbryequo.shop
    Source: 00000000.00000002.2200721008.00000000021BB000.00000004.00001000.00020000.00000000.sdmpString decryptor: reggwardssdqw.shop
    Source: 00000000.00000002.2200721008.00000000021BB000.00000004.00001000.00020000.00000000.sdmpString decryptor: relaxatinownio.shop
    Source: 00000000.00000002.2200721008.00000000021BB000.00000004.00001000.00020000.00000000.sdmpString decryptor: tesecuuweqo.shop
    Source: 00000000.00000002.2200721008.00000000021BB000.00000004.00001000.00020000.00000000.sdmpString decryptor: tendencctywop.shop
    Source: 00000000.00000002.2200721008.00000000021BB000.00000004.00001000.00020000.00000000.sdmpString decryptor: licenseodqwmqn.shop
    Source: 00000000.00000002.2200721008.00000000021BB000.00000004.00001000.00020000.00000000.sdmpString decryptor: keennylrwmqlw.shop
    Source: 00000000.00000002.2200721008.00000000021BB000.00000004.00001000.00020000.00000000.sdmpString decryptor: keennylrwmqlw.shop
    Source: 00000000.00000002.2200721008.00000000021BB000.00000004.00001000.00020000.00000000.sdmpString decryptor: lid=%s&j=%s&ver=4.0
    Source: 00000000.00000002.2200721008.00000000021BB000.00000004.00001000.00020000.00000000.sdmpString decryptor: TeslaBrowser/5.5
    Source: 00000000.00000002.2200721008.00000000021BB000.00000004.00001000.00020000.00000000.sdmpString decryptor: - Screen Resoluton:
    Source: 00000000.00000002.2200721008.00000000021BB000.00000004.00001000.00020000.00000000.sdmpString decryptor: - Physical Installed Memory:
    Source: 00000000.00000002.2200721008.00000000021BB000.00000004.00001000.00020000.00000000.sdmpString decryptor: Workgroup: -
    Source: 00000000.00000002.2200721008.00000000021BB000.00000004.00001000.00020000.00000000.sdmpString decryptor: AleMVK--Coor
    Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: unknownHTTPS traffic detected: 172.67.218.144:443 -> 192.168.2.5:49704 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 172.67.218.144:443 -> 192.168.2.5:49705 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 104.21.25.77:443 -> 192.168.2.5:49707 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 172.67.178.226:443 -> 192.168.2.5:49710 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 104.21.42.156:443 -> 192.168.2.5:49713 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 104.21.64.138:443 -> 192.168.2.5:49715 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49716 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 172.67.142.26:443 -> 192.168.2.5:49717 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 172.67.176.113:443 -> 192.168.2.5:49718 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 23.50.98.133:443 -> 192.168.2.5:49719 version: TLS 1.2
    Source: file.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Source: Binary string: BitLockerToGo.pdb source: file.exe, 00000000.00000002.2200721008.000000000203A000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: BitLockerToGo.pdbGCTL source: file.exe, 00000000.00000002.2200721008.000000000203A000.00000004.00001000.00020000.00000000.sdmp
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov ecx, dword ptr [esp]2_2_004106EC
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov ecx, dword ptr [esi+04h]2_2_0040F80C
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov dword ptr [ebx], 00000000h2_2_0040F80C
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx edx, byte ptr [ecx+edi]2_2_00442052
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then or dword ptr [esp+04h], edx2_2_00401000
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov ecx, dword ptr [esp+34h]2_2_004140C2
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov word ptr [eax], dx2_2_004210D0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx ecx, word ptr [esi+eax]2_2_0041C0F3
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov ecx, dword ptr [esp]2_2_0042C10A
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx edx, word ptr [ecx]2_2_00427262
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp dword ptr [esi+edx*8], 44CAAEB6h2_2_00424230
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h2_2_00423290
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then lea eax, dword ptr [esp+58h]2_2_004253CA
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov word ptr [ebx], cx2_2_0041243B
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esp+0000087Ch]2_2_004254D6
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esp]2_2_004154E7
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov word ptr [eax], cx2_2_004234F0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esp]2_2_00421480
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov ecx, dword ptr [esp]2_2_004104AD
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp dword ptr [esi+edx*8], 44CAAEB6h2_2_0043F520
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx eax, word ptr [ebx]2_2_004455B0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then jmp ebx2_2_0040E656
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov ecx, dword ptr [esp]2_2_00442660
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov byte ptr [edi], cl2_2_0042D620
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esi+64h]2_2_0042D620
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp dword ptr [edi+edx*8], CECD21FDh2_2_0042D620
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esp+08h]2_2_0042B6C3
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esp]2_2_00414695
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx ebx, byte ptr [edx]2_2_004377C0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov esi, dword ptr [ebp-10h]2_2_004437F0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov edi, dword ptr [esp]2_2_004437F0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov word ptr [eax], cx2_2_0042B850
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, ecx2_2_0041385E
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp byte ptr [edi], 00000000h2_2_0041385E
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx edx, word ptr [ecx-02h]2_2_0041D836
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov byte ptr [ecx], dl2_2_0041D836
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov edx, dword ptr [ebp-10h]2_2_0041D836
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp word ptr [edi+eax+02h], 0000h2_2_0041D836
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esp+48h]2_2_0041A8B0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx edx, byte ptr [esi+ebx]2_2_00405910
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esp+04h]2_2_00444990
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov edx, dword ptr [esp]2_2_0043EA30
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esp]2_2_0040DB50
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esp]2_2_0043EB00
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp dword ptr [ebx+edi*8], 7E28BDA7h2_2_0043EB00
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov edi, dword ptr [esp]2_2_00443B00
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov ecx, dword ptr [esp+60h]2_2_0042AB20
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov word ptr [eax], cx2_2_00410C51
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov word ptr [eax], cx2_2_00410C51
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx eax, word ptr [esi+ecx]2_2_0043CC60
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov dword ptr [esp], 00000000h2_2_00419C70
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov ebx, dword ptr [edi+04h]2_2_0042CC00
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [ebx+ebp*4+04h]2_2_0043AD50
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h2_2_00444E20
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp dword ptr [ebx+edi*8], 84AA3BD1h2_2_00444F70
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp byte ptr [esi+ebx], 00000000h2_2_0042CF00
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov edi, dword ptr [esp+3Ch]2_2_00426F22
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov ecx, dword ptr [esp]2_2_00440FC0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov byte ptr [ecx], al2_2_00429FD0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then jmp eax2_2_00429FD0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then jmp eax2_2_00429FD0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then jmp dword ptr [0044C4D4h]2_2_00429FD0

    Networking

    barindex
    Suricata IDS alerts for network traffic
    Source: Network trafficSuricata IDS: 2857974 - Severity 1 - ETPRO MALWARE Observed DNS Query to Lumma Domain : 192.168.2.5:52686 -> 1.1.1.1:53
    Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49705 -> 172.67.218.144:443
    Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49704 -> 172.67.218.144:443
    Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49705 -> 172.67.218.144:443
    Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49704 -> 172.67.218.144:443
    Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49717 -> 172.67.142.26:443
    Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49717 -> 172.67.142.26:443
    Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49718 -> 172.67.176.113:443
    Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49718 -> 172.67.176.113:443
    Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49716 -> 188.114.96.3:443
    Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49715 -> 104.21.64.138:443
    Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49716 -> 188.114.96.3:443
    Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49713 -> 104.21.42.156:443
    Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49707 -> 104.21.25.77:443
    Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49713 -> 104.21.42.156:443
    Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49715 -> 104.21.64.138:443
    Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49707 -> 104.21.25.77:443
    Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49710 -> 172.67.178.226:443
    Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49710 -> 172.67.178.226:443
    C2 URLs / IPs found in malware configuration
    Source: Malware configuration extractorURLs: tendencctywop.shop
    Source: Malware configuration extractorURLs: tesecuuweqo.shop
    Source: Malware configuration extractorURLs: licenseodqwmqn.shop
    Source: Malware configuration extractorURLs: eemmbryequo.shop
    Source: Malware configuration extractorURLs: reggwardssdqw.shop
    Source: Malware configuration extractorURLs: relaxatinownio.shop
    Source: Malware configuration extractorURLs: keennylrwmqlw.shop
    Source: Malware configuration extractorURLs: tryyudjasudqo.shop
    Source: Joe Sandbox ViewIP Address: 188.114.96.3 188.114.96.3
    Source: Joe Sandbox ViewIP Address: 188.114.96.3 188.114.96.3
    Source: Joe Sandbox ViewIP Address: 104.21.25.77 104.21.25.77
    Source: Joe Sandbox ViewIP Address: 104.21.42.156 104.21.42.156
    Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
    Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
    Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
    Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
    Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
    Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: keennylrwmqlw.shop
    Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: keennylrwmqlw.shop
    Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: licenseodqwmqn.shop
    Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: tendencctywop.shop
    Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: tesecuuweqo.shop
    Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: relaxatinownio.shop
    Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: reggwardssdqw.shop
    Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: eemmbryequo.shop
    Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: tryyudjasudqo.shop
    Source: global trafficHTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: global trafficHTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
    Source: BitLockerToGo.exe, 00000002.00000002.2306840280.00000000008DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=a80d88982ad2e5c01d8b36b2; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type34678Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveWed, 18 Sep 2024 18:48:27 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
    Source: BitLockerToGo.exe, 00000002.00000002.2306840280.00000000008DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
    Source: BitLockerToGo.exe, 00000002.00000003.2306368815.00000000008DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2306840280.00000000008DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: owered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recapt equals www.youtube.com (Youtube)
    Source: global trafficDNS traffic detected: DNS query: keennylrwmqlw.shop
    Source: global trafficDNS traffic detected: DNS query: licenseodqwmqn.shop
    Source: global trafficDNS traffic detected: DNS query: tendencctywop.shop
    Source: global trafficDNS traffic detected: DNS query: tesecuuweqo.shop
    Source: global trafficDNS traffic detected: DNS query: relaxatinownio.shop
    Source: global trafficDNS traffic detected: DNS query: reggwardssdqw.shop
    Source: global trafficDNS traffic detected: DNS query: eemmbryequo.shop
    Source: global trafficDNS traffic detected: DNS query: tryyudjasudqo.shop
    Source: global trafficDNS traffic detected: DNS query: steamcommunity.com
    Source: global trafficDNS traffic detected: DNS query: tenntysjuxmz.shop
    Source: unknownHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: keennylrwmqlw.shop
    Source: BitLockerToGo.exe, 00000002.00000002.2306840280.00000000008DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://127.0.0.1:27060
    Source: BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008EC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
    Source: BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008EC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://store.steampowered.com/privacy_agreement/
    Source: BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008EC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://store.steampowered.com/subscriber_agreement/
    Source: BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.valvesoftware.com/legal.htm
    Source: BitLockerToGo.exe, 00000002.00000002.2306840280.00000000008DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.steampowered.com/
    Source: BitLockerToGo.exe, 00000002.00000003.2306265031.000000000087E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306368815.00000000008CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a
    Source: BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306265031.000000000087E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008EC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306368815.00000000008CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
    Source: BitLockerToGo.exe, 00000002.00000002.2306840280.00000000008DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://broadcast.st.dl.eccdnx.com
    Source: BitLockerToGo.exe, 00000002.00000002.2306840280.00000000008DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
    Source: BitLockerToGo.exe, 00000002.00000003.2306368815.00000000008DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2306840280.00000000008DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://checkout.iv
    Source: BitLockerToGo.exe, 00000002.00000002.2306840280.00000000008DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://checkout.steampowered.com/
    Source: BitLockerToGo.exe, 00000002.00000002.2306790393.000000000087E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.aka
    Source: BitLockerToGo.exe, 00000002.00000002.2306840280.00000000008DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/
    Source: BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008EC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Bh1h47R1I7Wg&a
    Source: BitLockerToGo.exe, 00000002.00000002.2306790393.000000000087E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306265031.000000000087E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
    Source: BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306265031.000000000087E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306368815.00000000008CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
    Source: BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306265031.000000000087E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306368815.00000000008CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
    Source: BitLockerToGo.exe, 00000002.00000002.2306790393.000000000087E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306265031.000000000087E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
    Source: BitLockerToGo.exe, 00000002.00000002.2306790393.000000000087E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306265031.000000000087E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
    Source: BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008EC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
    Source: BitLockerToGo.exe, 00000002.00000003.2306368815.00000000008E9000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2306871392.00000000008E9000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008EC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
    Source: BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008EC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
    Source: BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008EC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=LC2oZRCs
    Source: BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008EC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=fIns
    Source: BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306265031.000000000087E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306368815.00000000008CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
    Source: BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306265031.000000000087E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306368815.00000000008CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
    Source: BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306265031.000000000087E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306368815.00000000008CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
    Source: BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306265031.000000000087E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306368815.00000000008CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
    Source: BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306265031.000000000087E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306368815.00000000008CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
    Source: BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306265031.000000000087E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306368815.00000000008CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
    Source: BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306265031.000000000087E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306368815.00000000008CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
    Source: BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306265031.000000000087E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306368815.00000000008CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
    Source: BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306265031.000000000087E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306368815.00000000008CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
    Source: BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306265031.000000000087E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306368815.00000000008CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=83YueuslRxGq&l=e
    Source: BitLockerToGo.exe, 00000002.00000002.2306790393.000000000087E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306265031.000000000087E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
    Source: BitLockerToGo.exe, 00000002.00000003.2306265031.000000000087E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
    Source: BitLockerToGo.exe, 00000002.00000002.2306790393.000000000087E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306265031.000000000087E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=QI-9YLc_mdtk&l=en
    Source: BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306265031.000000000087E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306368815.00000000008CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
    Source: BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
    Source: BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
    Source: BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
    Source: BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
    Source: BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306265031.000000000087E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306368815.00000000008CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
    Source: BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306265031.000000000087E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306368815.00000000008CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
    Source: BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306265031.000000000087E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306368815.00000000008CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
    Source: BitLockerToGo.exe, 00000002.00000003.2282565897.0000000000874000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://eemmbryequo.shop/7B?
    Source: BitLockerToGo.exe, 00000002.00000002.2306790393.000000000087E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282565897.000000000087E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306265031.000000000087E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://eemmbryequo.shop/api
    Source: file.exeString found in binary or memory: https://github.com/golang/protobuf/issues/1609):
    Source: BitLockerToGo.exe, 00000002.00000002.2306840280.00000000008DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.steampowered.com/
    Source: BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.steampowered.com/en/
    Source: BitLockerToGo.exe, 00000002.00000002.2306790393.000000000087E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2227538387.0000000000897000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282565897.000000000087E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306265031.000000000087E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://keennylrwmqlw.shop/
    Source: BitLockerToGo.exe, 00000002.00000003.2227538387.0000000000875000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2227538387.0000000000897000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://keennylrwmqlw.shop/api
    Source: BitLockerToGo.exe, 00000002.00000003.2227538387.0000000000897000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://keennylrwmqlw.shop/apio
    Source: BitLockerToGo.exe, 00000002.00000003.2227538387.0000000000897000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://licenseodqwmqn.shop/
    Source: BitLockerToGo.exe, 00000002.00000003.2227538387.0000000000875000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://licenseodqwmqn.shop/8B?
    Source: BitLockerToGo.exe, 00000002.00000003.2227538387.0000000000897000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://licenseodqwmqn.shop/A
    Source: BitLockerToGo.exe, 00000002.00000003.2227538387.000000000087E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2227538387.0000000000897000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://licenseodqwmqn.shop/api
    Source: BitLockerToGo.exe, 00000002.00000003.2227538387.0000000000897000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://licenseodqwmqn.shop/apiE
    Source: BitLockerToGo.exe, 00000002.00000003.2227538387.0000000000897000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://licenseodqwmqn.shop/i
    Source: BitLockerToGo.exe, 00000002.00000002.2306840280.00000000008DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.steampowered.com/
    Source: BitLockerToGo.exe, 00000002.00000002.2306840280.00000000008DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lv.queniujq.cn
    Source: BitLockerToGo.exe, 00000002.00000002.2306840280.00000000008DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://medal.tv
    Source: BitLockerToGo.exe, 00000002.00000002.2306840280.00000000008DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://player.vimeo.com
    Source: BitLockerToGo.exe, 00000002.00000002.2306840280.00000000008DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://recaptcha.net
    Source: BitLockerToGo.exe, 00000002.00000002.2306840280.00000000008DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://recaptcha.net/recaptcha/;
    Source: BitLockerToGo.exe, 00000002.00000002.2306790393.000000000087E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282565897.000000000087E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306265031.000000000087E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://reggwardssdqw.shop/api
    Source: BitLockerToGo.exe, 00000002.00000002.2306840280.00000000008DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://s.ytimg.com;
    Source: BitLockerToGo.exe, 00000002.00000002.2306840280.00000000008DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sketchfab.com
    Source: BitLockerToGo.exe, 00000002.00000002.2306840280.00000000008DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steam.tv/
    Source: BitLockerToGo.exe, 00000002.00000002.2306840280.00000000008DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcast-test.akamaized.net
    Source: BitLockerToGo.exe, 00000002.00000002.2306840280.00000000008DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcast.akamaized.net
    Source: BitLockerToGo.exe, 00000002.00000002.2306840280.00000000008DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcastchat.akamaized.net
    Source: BitLockerToGo.exe, 00000002.00000002.2306840280.00000000008DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/
    Source: BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
    Source: BitLockerToGo.exe, 00000002.00000002.2306702407.000000000085C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/D
    Source: BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/discussions/
    Source: BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008EC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
    Source: BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
    Source: BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/market/
    Source: BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/my/wishlist/
    Source: BitLockerToGo.exe, 00000002.00000003.2306265031.000000000087E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2306840280.00000000008D0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306368815.00000000008CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
    Source: BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008EC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
    Source: BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008EC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
    Source: BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/workshop/
    Source: BitLockerToGo.exe, 00000002.00000002.2306840280.00000000008DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/
    Source: BitLockerToGo.exe, 00000002.00000002.2306840280.00000000008DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/;
    Source: BitLockerToGo.exe, 00000002.00000003.2306368815.00000000008DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2306840280.00000000008DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f
    Source: BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/about/
    Source: BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/explore/
    Source: BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008EC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/legal/
    Source: BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/mobile
    Source: BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/news/
    Source: BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/points/shop/
    Source: BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/privacy_agreement/
    Source: BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/stats/
    Source: BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/steam_refunds/
    Source: BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/subscriber_agreement/
    Source: BitLockerToGo.exe, 00000002.00000002.2306790393.000000000087E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282565897.000000000087E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306265031.000000000087E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tendencctywop.shop/)
    Source: BitLockerToGo.exe, 00000002.00000002.2306702407.000000000085C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tenntysjuxmz.shop/
    Source: BitLockerToGo.exe, 00000002.00000002.2306702407.000000000085C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tenntysjuxmz.shop/$
    Source: BitLockerToGo.exe, 00000002.00000003.2306265031.000000000087E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tenntysjuxmz.shop/api
    Source: BitLockerToGo.exe, 00000002.00000002.2306702407.000000000084B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tesecuuweqo.shop/8T
    Source: BitLockerToGo.exe, 00000002.00000002.2306790393.000000000087E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282565897.000000000087E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306265031.000000000087E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tesecuuweqo.shop/api
    Source: BitLockerToGo.exe, 00000002.00000002.2306790393.000000000087E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306265031.000000000087E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tryyudjasudqo.shop/api
    Source: BitLockerToGo.exe, 00000002.00000002.2306790393.000000000087E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306265031.000000000087E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tryyudjasudqo.shop/api:
    Source: BitLockerToGo.exe, 00000002.00000002.2306840280.00000000008DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
    Source: BitLockerToGo.exe, 00000002.00000003.2306368815.00000000008DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2306840280.00000000008DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/recapt
    Source: BitLockerToGo.exe, 00000002.00000002.2306840280.00000000008DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/recaptcha/
    Source: BitLockerToGo.exe, 00000002.00000002.2306840280.00000000008DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.cn/recaptcha/
    Source: BitLockerToGo.exe, 00000002.00000002.2306840280.00000000008DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/recaptcha/
    Source: BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
    Source: BitLockerToGo.exe, 00000002.00000002.2306840280.00000000008DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com
    Source: BitLockerToGo.exe, 00000002.00000002.2306840280.00000000008DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/
    Source: unknownNetwork traffic detected: HTTP traffic on port 49710 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49710
    Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49719 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49719
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49718
    Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49716 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49717
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
    Source: unknownNetwork traffic detected: HTTP traffic on port 49715 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49716
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49704
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49715
    Source: unknownNetwork traffic detected: HTTP traffic on port 49717 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49718 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713
    Source: unknownHTTPS traffic detected: 172.67.218.144:443 -> 192.168.2.5:49704 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 172.67.218.144:443 -> 192.168.2.5:49705 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 104.21.25.77:443 -> 192.168.2.5:49707 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 172.67.178.226:443 -> 192.168.2.5:49710 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 104.21.42.156:443 -> 192.168.2.5:49713 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 104.21.64.138:443 -> 192.168.2.5:49715 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49716 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 172.67.142.26:443 -> 192.168.2.5:49717 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 172.67.176.113:443 -> 192.168.2.5:49718 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 23.50.98.133:443 -> 192.168.2.5:49719 version: TLS 1.2
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004347D0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,2_2_004347D0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004347D0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,2_2_004347D0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004102EB2_2_004102EB
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004106EC2_2_004106EC
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0040F80C2_2_0040F80C
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004420522_2_00442052
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004050602_2_00405060
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004010002_2_00401000
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0040F0202_2_0040F020
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004140C22_2_004140C2
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0041C0F32_2_0041C0F3
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004071702_2_00407170
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004431002_2_00443100
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0042C10A2_2_0042C10A
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0040A1E02_2_0040A1E0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004111F02_2_004111F0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004272622_2_00427262
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0042B2072_2_0042B207
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0040B2102_2_0040B210
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004242302_2_00424230
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004452A02_2_004452A0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004012AB2_2_004012AB
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0040134A2_2_0040134A
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004013532_2_00401353
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004343D02_2_004343D0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004113A32_2_004113A3
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004134762_2_00413476
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004254D62_2_004254D6
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004154E72_2_004154E7
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004234F02_2_004234F0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0040148F2_2_0040148F
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0041A5502_2_0041A550
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0043A55A2_2_0043A55A
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004085102_2_00408510
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0043F5202_2_0043F520
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004245B22_2_004245B2
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004455B02_2_004455B0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0040D6702_2_0040D670
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0042D6202_2_0042D620
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004016FF2_2_004016FF
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004146952_2_00414695
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0040A6A02_2_0040A6A0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0040175C2_2_0040175C
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004247C02_2_004247C0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004287C02_2_004287C0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004397D02_2_004397D0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0042F7D52_2_0042F7D5
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004437F02_2_004437F0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004068302_2_00406830
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0042C8302_2_0042C830
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0041D8362_2_0041D836
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004038C02_2_004038C0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0041A8B02_2_0041A8B0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0042A94A2_2_0042A94A
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004019102_2_00401910
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004429C02_2_004429C0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_00401A7B2_2_00401A7B
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_00409A1B2_2_00409A1B
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0040DB502_2_0040DB50
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_00407B702_2_00407B70
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_00443B002_2_00443B00
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0042AB202_2_0042AB20
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_00432BA02_2_00432BA0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_00410C512_2_00410C51
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_00423CDF2_2_00423CDF
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_00442CF02_2_00442CF0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0043AD502_2_0043AD50
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0040BD202_2_0040BD20
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_00428DF92_2_00428DF9
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0040AD802_2_0040AD80
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_00406DB02_2_00406DB0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_00427ECC2_2_00427ECC
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0041EED02_2_0041EED0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_00444F702_2_00444F70
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0042CF002_2_0042CF00
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_00429FD02_2_00429FD0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_00408FA02_2_00408FA0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0043FFA02_2_0043FFA0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: String function: 0040C870 appears 39 times
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: String function: 0041A540 appears 176 times
    Source: file.exe, 00000000.00000002.2198738305.000000000196B000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamePC Timer.exe< vs file.exe
    Source: file.exe, 00000000.00000002.2200721008.000000000203A000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs file.exe
    Source: file.exeBinary or memory string: OriginalFilenamePC Timer.exe< vs file.exe
    Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: classification engineClassification label: mal100.troj.evad.winEXE@3/0@10/9
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_00423290 CoCreateInstance,2_2_00423290
    Source: file.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: file.exeReversingLabs: Detection: 16%
    Source: file.exeString found in binary or memory: Estimated total CPU time spent performing GC tasks on processors (as defined by GOMAXPROCS) dedicated to those tasks. This metric is an overestimate, and not directly comparable to system CPU time measurements. Compare only with other /cpu/classes metrics.Estimated total CPU time spent running user Go code. This may also include some small amount of time spent in the Go runtime. This metric is an overestimate, and not directly comparable to system CPU time measurements. Compare only with other /cpu/classes metrics.Estimated total CPU time goroutines spent performing GC tasks to assist the GC and prevent it from falling behind the application. This metric is an overestimate, and not directly comparable to system CPU time measurements. Compare only with other /cpu/classes metrics.Estimated total CPU time spent returning unused memory to the underlying platform in response eagerly in response to memory pressure. This metric is an overestimate, and not directly comparable to system CPU time measurements. Compare only with other /cpu/classes metrics.Estimated total CPU time spent performing tasks that return unused memory to the underlying platform. This metric is an overestimate, and not directly comparable to system CPU time measurements. Compare only with other /cpu/classes metrics. Sum of all metrics in /cpu/classes/scavenge.Count of small allocations that are packed together into blocks. These allocations are counted separately from other allocations because each individual allocation is not tracked by the runtime, only their block. Each block is already accounted for in allocs-by-size and frees-by-size.Approximate cumulative time goroutines have spent blocked on a sync.Mutex, sync.RWMutex, or runtime-internal lock. This metric is useful for identifying global changes in lock contention. Collect a mutex or block profile using the runtime/pprof package for more detailed contention data.Estimated total available CPU time not spent executing any Go or Go runtime code. In other words, the part of /cpu/classes/total:cpu-seconds that was unused. This metric is an overestimate, and not directly comparable to system CPU time measurements. Compare only with other /cpu/classes metrics.Memory allocated from the heap that is reserved for stack space, whether or not it is currently in-use. Currently, this represents all stack memory for goroutines. It also includes all OS thread stacks in non-cgo programs. Note that stacks may be allocated differently in the future, and this may change.Distribution of individual non-GC-related stop-the-world pause latencies. This is the time from deciding to stop the world until the world is started again. Some of this time is spent getting all threads to stop (measured directly in /sched/pauses/stopping/other:seconds). Bucket counts increase monotonically.Distribution of individual GC-related stop-the-world stopping latencies. This is the time it takes from deciding to stop the world until all Ps are stopped. This is a subse
    Source: file.exeString found in binary or memory: Estimated total CPU time spent performing GC tasks on processors (as defined by GOMAXPROCS) dedicated to those tasks. This metric is an overestimate, and not directly comparable to system CPU time measurements. Compare only with other /cpu/classes metrics.Estimated total CPU time spent running user Go code. This may also include some small amount of time spent in the Go runtime. This metric is an overestimate, and not directly comparable to system CPU time measurements. Compare only with other /cpu/classes metrics.Estimated total CPU time goroutines spent performing GC tasks to assist the GC and prevent it from falling behind the application. This metric is an overestimate, and not directly comparable to system CPU time measurements. Compare only with other /cpu/classes metrics.Estimated total CPU time spent returning unused memory to the underlying platform in response eagerly in response to memory pressure. This metric is an overestimate, and not directly comparable to system CPU time measurements. Compare only with other /cpu/classes metrics.Estimated total CPU time spent performing tasks that return unused memory to the underlying platform. This metric is an overestimate, and not directly comparable to system CPU time measurements. Compare only with other /cpu/classes metrics. Sum of all metrics in /cpu/classes/scavenge.Count of small allocations that are packed together into blocks. These allocations are counted separately from other allocations because each individual allocation is not tracked by the runtime, only their block. Each block is already accounted for in allocs-by-size and frees-by-size.Approximate cumulative time goroutines have spent blocked on a sync.Mutex, sync.RWMutex, or runtime-internal lock. This metric is useful for identifying global changes in lock contention. Collect a mutex or block profile using the runtime/pprof package for more detailed contention data.Estimated total available CPU time not spent executing any Go or Go runtime code. In other words, the part of /cpu/classes/total:cpu-seconds that was unused. This metric is an overestimate, and not directly comparable to system CPU time measurements. Compare only with other /cpu/classes metrics.Memory allocated from the heap that is reserved for stack space, whether or not it is currently in-use. Currently, this represents all stack memory for goroutines. It also includes all OS thread stacks in non-cgo programs. Note that stacks may be allocated differently in the future, and this may change.Distribution of individual non-GC-related stop-the-world pause latencies. This is the time from deciding to stop the world until the world is started again. Some of this time is spent getting all threads to stop (measured directly in /sched/pauses/stopping/other:seconds). Bucket counts increase monotonically.Distribution of individual GC-related stop-the-world stopping latencies. This is the time it takes from deciding to stop the world until all Ps are stopped. This is a subse
    Source: file.exeString found in binary or memory: net/addrselect.go
    Source: file.exeString found in binary or memory: github.com/saferwall/pe@v1.5.4/loadconfig.go
    Source: C:\Users\user\Desktop\file.exeFile read: C:\Users\user\Desktop\file.exeJump to behavior
    Source: unknownProcess created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
    Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
    Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"Jump to behavior
    Source: C:\Users\user\Desktop\file.exeSection loaded: powrprof.dllJump to behavior
    Source: C:\Users\user\Desktop\file.exeSection loaded: umpdc.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: winhttp.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: webio.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: mswsock.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: winnsi.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: dnsapi.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: rasadhlp.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: fwpuclnt.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: schannel.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: mskeyprotect.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ntasn1.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ncrypt.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ncryptsslp.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: cryptsp.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: rsaenh.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: gpapi.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: dpapi.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: file.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
    Source: file.exeStatic file information: File size 11207680 > 1048576
    Source: file.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x45f000
    Source: file.exeStatic PE information: Raw size of .rdata is bigger than: 0x100000 < 0x5a5600
    Source: file.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Source: Binary string: BitLockerToGo.pdb source: file.exe, 00000000.00000002.2200721008.000000000203A000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: BitLockerToGo.pdbGCTL source: file.exe, 00000000.00000002.2200721008.000000000203A000.00000004.00001000.00020000.00000000.sdmp
    Source: file.exeStatic PE information: section name: .symtab
    Source: C:\Users\user\Desktop\file.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeAPI coverage: 7.9 %
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 6648Thread sleep time: -30000s >= -30000sJump to behavior
    Source: BitLockerToGo.exe, 00000002.00000002.2306702407.0000000000837000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWX
    Source: BitLockerToGo.exe, 00000002.00000002.2306790393.000000000087E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2227538387.000000000087E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282565897.000000000087E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306265031.000000000087E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
    Source: file.exe, 00000000.00000002.2196956587.0000000000C1C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004410B0 LdrInitializeThunk,2_2_004410B0

    HIPS / PFW / Operating System Protection Evasion

    barindex
    Allocates memory in foreign processes
    Source: C:\Users\user\Desktop\file.exeMemory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 protect: page execute and read and writeJump to behavior
    Injects a PE file into a foreign processes
    Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 value starts with: 4D5AJump to behavior
    LummaC encrypted strings found
    Source: file.exe, 00000000.00000002.2200721008.00000000021BB000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: tryyudjasudqo.shop
    Source: file.exe, 00000000.00000002.2200721008.00000000021BB000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: eemmbryequo.shop
    Source: file.exe, 00000000.00000002.2200721008.00000000021BB000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: reggwardssdqw.shop
    Source: file.exe, 00000000.00000002.2200721008.00000000021BB000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: relaxatinownio.shop
    Source: file.exe, 00000000.00000002.2200721008.00000000021BB000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: tesecuuweqo.shop
    Source: file.exe, 00000000.00000002.2200721008.00000000021BB000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: tendencctywop.shop
    Source: file.exe, 00000000.00000002.2200721008.00000000021BB000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: licenseodqwmqn.shop
    Source: file.exe, 00000000.00000002.2200721008.00000000021BB000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: keennylrwmqlw.shop
    Writes to foreign memory regions
    Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 6BE008Jump to behavior
    Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000Jump to behavior
    Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 401000Jump to behavior
    Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 446000Jump to behavior
    Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 449000Jump to behavior
    Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 459000Jump to behavior
    Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"Jump to behavior
    Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\Desktop\file.exe VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\AppReadiness VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\BitLockerDiscoveryVolumeContents VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformationJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

    Stealing of Sensitive Information

    barindex
    Yara detected LummaC Stealer
    Source: Yara matchFile source: decrypted.memstr, type: MEMORYSTR

    Remote Access Functionality

    barindex
    Yara detected LummaC Stealer
    Source: Yara matchFile source: decrypted.memstr, type: MEMORYSTR

    Mitre Att&ck Matrix

    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
    Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
    Command and Scripting Interpreter    		1
    DLL Side-Loading    		311
    Process Injection    		1
    Virtualization/Sandbox Evasion    		OS Credential Dumping1
    Security Software Discovery    		Remote Services1
    Archive Collected Data    		11
    Encrypted Channel    		Exfiltration Over Other Network MediumAbuse Accessibility Features
    CredentialsDomainsDefault Accounts1
    PowerShell    		Boot or Logon Initialization Scripts1
    DLL Side-Loading    		311
    Process Injection    		LSASS Memory1
    Virtualization/Sandbox Evasion    		Remote Desktop Protocol2
    Clipboard Data    		1
    Ingress Tool Transfer    		Exfiltration Over BluetoothNetwork Denial of Service
    Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)11
    Deobfuscate/Decode Files or Information    		Security Account Manager12
    System Information Discovery    		SMB/Windows Admin SharesData from Network Shared Drive3
    Non-Application Layer Protocol    		Automated ExfiltrationData Encrypted for Impact
    Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook2
    Obfuscated Files or Information    		NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput Capture114
    Application Layer Protocol    		Traffic DuplicationData Destruction
    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
    DLL Side-Loading    		LSA SecretsInternet Connection DiscoverySSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


    windows-stand

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    SourceDetectionScannerLabelLink
    file.exe16%ReversingLabs

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    SourceDetectionScannerLabelLink
    https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f0%URL Reputationsafe
    https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&amp;0%URL Reputationsafe
    https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a0%URL Reputationsafe
    https://steamcommunity.com/profiles/76561199724331900100%URL Reputationmalware
    https://steamcommunity.com/profiles/76561199724331900/inventory/100%URL Reputationmalware
    https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am0%URL Reputationsafe
    https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&amp;l=english0%URL Reputationsafe
    https://tenntysjuxmz.shop/100%URL Reputationphishing
    https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&amp;l=englis0%URL Reputationsafe
    https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&amp;l=english0%URL Reputationsafe
    https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&amp;l=e0%URL Reputationsafe
    https://recaptcha.net0%URL Reputationsafe
    https://player.vimeo.com0%Avira URL Cloudsafe
    https://github.com/golang/protobuf/issues/1609):0%Avira URL Cloudsafe
    https://www.youtube.com0%Avira URL Cloudsafe
    relaxatinownio.shop100%Avira URL Cloudmalware
    https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af60%Avira URL Cloudsafe
    https://store.steampowered.com/subscriber_agreement/0%Avira URL Cloudsafe
    https://steamcommunity.com/?subsection=broadcasts0%Avira URL Cloudsafe
    http://www.valvesoftware.com/legal.htm0%Avira URL Cloudsafe
    https://www.gstatic.cn/recaptcha/0%Avira URL Cloudsafe
    https://tendencctywop.shop/)100%Avira URL Cloudmalware
    https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png0%Avira URL Cloudsafe
    https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp0%Avira URL Cloudsafe
    https://www.google.com0%Avira URL Cloudsafe
    https://eemmbryequo.shop/7B?100%Avira URL Cloudmalware
    keennylrwmqlw.shop100%Avira URL Cloudmalware
    https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=LC2oZRCs0%Avira URL Cloudsafe
    https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=83YueuslRxGq&amp;l=e0%Avira URL Cloudsafe
    https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png0%Avira URL Cloudsafe
    https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback0%Avira URL Cloudsafe
    https://licenseodqwmqn.shop/api100%Avira URL Cloudmalware
    https://s.ytimg.com;0%Avira URL Cloudsafe
    https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL0%Avira URL Cloudsafe
    tendencctywop.shop100%Avira URL Cloudmalware
    https://licenseodqwmqn.shop/i100%Avira URL Cloudmalware
    https://steam.tv/0%Avira URL Cloudsafe
    tryyudjasudqo.shop100%Avira URL Cloudmalware
    https://licenseodqwmqn.shop/apiE100%Avira URL Cloudmalware
    https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&amp;l=english0%Avira URL Cloudsafe
    http://store.steampowered.com/privacy_agreement/0%Avira URL Cloudsafe
    https://licenseodqwmqn.shop/100%Avira URL Cloudmalware
    https://store.steampowered.com/points/shop/0%Avira URL Cloudsafe
    https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Bh1h47R1I7Wg&a0%Avira URL Cloudsafe
    https://sketchfab.com0%Avira URL Cloudsafe
    https://lv.queniujq.cn0%Avira URL Cloudsafe
    https://www.youtube.com/0%Avira URL Cloudsafe
    https://store.steampowered.com/privacy_agreement/0%Avira URL Cloudsafe
    https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=QI-9YLc_mdtk&amp;l=en0%Avira URL Cloudsafe
    https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg0%Avira URL Cloudsafe
    https://tesecuuweqo.shop/api100%Avira URL Cloudmalware
    https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt00%Avira URL Cloudsafe
    tesecuuweqo.shop100%Avira URL Cloudmalware
    https://licenseodqwmqn.shop/A100%Avira URL Cloudmalware
    https://www.google.com/recaptcha/0%Avira URL Cloudsafe
    https://tenntysjuxmz.shop/$100%Avira URL Cloudmalware
    https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png0%Avira URL Cloudsafe
    https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&amp;l=english0%Avira URL Cloudsafe
    https://checkout.steampowered.com/0%Avira URL Cloudsafe
    https://steamcommunity.com/my/wishlist/0%Avira URL Cloudsafe
    https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC0%Avira URL Cloudsafe
    https://store.steampowered.com/about/0%Avira URL Cloudsafe
    https://store.steampowered.com/;0%Avira URL Cloudsafe
    reggwardssdqw.shop100%Avira URL Cloudmalware
    eemmbryequo.shop100%Avira URL Cloudmalware
    https://help.steampowered.com/en/0%Avira URL Cloudsafe
    https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/0%Avira URL Cloudsafe
    https://steamcommunity.com/market/0%Avira URL Cloudsafe
    https://community.akamai.steamstatic.com/0%Avira URL Cloudsafe
    https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org0%Avira URL Cloudsafe
    https://keennylrwmqlw.shop/apio100%Avira URL Cloudmalware
    http://store.steampowered.com/subscriber_agreement/0%Avira URL Cloudsafe
    https://tendencctywop.shop/api100%Avira URL Cloudmalware
    licenseodqwmqn.shop100%Avira URL Cloudmalware
    https://store.steampowered.com/news/0%Avira URL Cloudsafe
    https://licenseodqwmqn.shop/8B?100%Avira URL Cloudmalware
    https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r10%Avira URL Cloudsafe
    https://recaptcha.net/recaptcha/;0%Avira URL Cloudsafe
    https://store.steampowered.com/stats/0%Avira URL Cloudsafe
    https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&amp;l=en0%Avira URL Cloudsafe
    https://relaxatinownio.shop/api100%Avira URL Cloudmalware
    https://checkout.iv0%Avira URL Cloudsafe
    https://steamcommunity.com/discussions/0%Avira URL Cloudsafe
    https://tesecuuweqo.shop/8T100%Avira URL Cloudmalware
    https://tryyudjasudqo.shop/api:100%Avira URL Cloudmalware
    https://medal.tv0%Avira URL Cloudsafe
    https://tryyudjasudqo.shop/api100%Avira URL Cloudmalware
    https://broadcast.st.dl.eccdnx.com0%Avira URL Cloudsafe
    https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=10%Avira URL Cloudsafe
    https://steamcommunity.com/login/home/?goto=profiles%2F765611997243319000%Avira URL Cloudsafe
    https://steamcommunity.com/D0%Avira URL Cloudsafe
    https://store.steampowered.com/steam_refunds/0%Avira URL Cloudsafe
    https://steamcommunity.com/workshop/0%Avira URL Cloudsafe
    https://store.steampowered.com/legal/0%Avira URL Cloudsafe
    https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=fIns0%Avira URL Cloudsafe
    https://login.steampowered.com/0%Avira URL Cloudsafe
    https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv0%Avira URL Cloudsafe
    https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&amp;l=engl0%Avira URL Cloudsafe
    https://keennylrwmqlw.shop/100%Avira URL Cloudmalware
    https://store.steampowered.com/0%Avira URL Cloudsafe

    Domains and IPs

    Contacted Domains

    NameIPActiveMaliciousAntivirus DetectionReputation
    tryyudjasudqo.shop
    		172.67.176.113
    		truetrue
      		unknown
      keennylrwmqlw.shop
      		172.67.218.144
      		truetrue
        		unknown
        steamcommunity.com
        		23.50.98.133
        		truefalse
          		unknown
          reggwardssdqw.shop
          		188.114.96.3
          		truetrue
            		unknown
            tesecuuweqo.shop
            		104.21.42.156
            		truetrue
              		unknown
              tendencctywop.shop
              		172.67.178.226
              		truetrue
                		unknown
                eemmbryequo.shop
                		172.67.142.26
                		truetrue
                  		unknown
                  licenseodqwmqn.shop
                  		104.21.25.77
                  		truetrue
                    		unknown
                    relaxatinownio.shop
                    		104.21.64.138
                    		truetrue
                      		unknown
                      tenntysjuxmz.shop
                      		unknown
                      		unknownfalse
                        		unknown

                        Contacted URLs

                        NameMaliciousAntivirus DetectionReputation
                        relaxatinownio.shoptrue
                        • Avira URL Cloud: malware
                        		unknown
                        keennylrwmqlw.shoptrue
                        • Avira URL Cloud: malware
                        		unknown
                        https://licenseodqwmqn.shop/apitrue
                        • Avira URL Cloud: malware
                        		unknown
                        tendencctywop.shoptrue
                        • Avira URL Cloud: malware
                        		unknown
                        tryyudjasudqo.shoptrue
                        • Avira URL Cloud: malware
                        		unknown
                        https://steamcommunity.com/profiles/76561199724331900true
                        • URL Reputation: malware
                        		unknown
                        https://tesecuuweqo.shop/apitrue
                        • Avira URL Cloud: malware
                        		unknown
                        tesecuuweqo.shoptrue
                        • Avira URL Cloud: malware
                        		unknown
                        eemmbryequo.shoptrue
                        • Avira URL Cloud: malware
                        		unknown
                        reggwardssdqw.shoptrue
                        • Avira URL Cloud: malware
                        		unknown
                        licenseodqwmqn.shoptrue
                        • Avira URL Cloud: malware
                        		unknown
                        https://tendencctywop.shop/apitrue
                        • Avira URL Cloud: malware
                        		unknown
                        https://relaxatinownio.shop/apitrue
                        • Avira URL Cloud: malware
                        		unknown
                        https://tryyudjasudqo.shop/apitrue
                        • Avira URL Cloud: malware
                        		unknown

                        URLs from Memory and Binaries

                        NameSourceMaliciousAntivirus DetectionReputation
                        https://player.vimeo.comBitLockerToGo.exe, 00000002.00000002.2306840280.00000000008DD000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5fBitLockerToGo.exe, 00000002.00000003.2306368815.00000000008DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2306840280.00000000008DD000.00000004.00000020.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        https://steamcommunity.com/?subsection=broadcastsBitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://github.com/golang/protobuf/issues/1609):file.exefalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://tendencctywop.shop/)BitLockerToGo.exe, 00000002.00000002.2306790393.000000000087E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282565897.000000000087E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306265031.000000000087E000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: malware
                        		unknown
                        https://store.steampowered.com/subscriber_agreement/BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://www.gstatic.cn/recaptcha/BitLockerToGo.exe, 00000002.00000002.2306840280.00000000008DD000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008EC000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://www.valvesoftware.com/legal.htmBitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://www.youtube.comBitLockerToGo.exe, 00000002.00000002.2306840280.00000000008DD000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&ampBitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306265031.000000000087E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306368815.00000000008CE000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.pngBitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://eemmbryequo.shop/7B?BitLockerToGo.exe, 00000002.00000003.2282565897.0000000000874000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: malware
                        		unknown
                        https://www.google.comBitLockerToGo.exe, 00000002.00000002.2306840280.00000000008DD000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=LC2oZRCsBitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008EC000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.pngBitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=83YueuslRxGq&amp;l=eBitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306265031.000000000087E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306368815.00000000008CE000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&amp;BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306265031.000000000087E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306368815.00000000008CE000.00000004.00000020.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20FeedbackBitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tLBitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306265031.000000000087E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306368815.00000000008CE000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2aBitLockerToGo.exe, 00000002.00000003.2306265031.000000000087E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306368815.00000000008CE000.00000004.00000020.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        https://s.ytimg.com;BitLockerToGo.exe, 00000002.00000002.2306840280.00000000008DD000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://licenseodqwmqn.shop/iBitLockerToGo.exe, 00000002.00000003.2227538387.0000000000897000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: malware
                        		unknown
                        https://steam.tv/BitLockerToGo.exe, 00000002.00000002.2306840280.00000000008DD000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://licenseodqwmqn.shop/apiEBitLockerToGo.exe, 00000002.00000003.2227538387.0000000000897000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: malware
                        		unknown
                        https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&amp;l=englishBitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306265031.000000000087E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306368815.00000000008CE000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://licenseodqwmqn.shop/BitLockerToGo.exe, 00000002.00000003.2227538387.0000000000897000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: malware
                        		unknown
                        http://store.steampowered.com/privacy_agreement/BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008EC000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://store.steampowered.com/points/shop/BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Bh1h47R1I7Wg&aBitLockerToGo.exe, 00000002.00000003.2306191304.00000000008EC000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://sketchfab.comBitLockerToGo.exe, 00000002.00000002.2306840280.00000000008DD000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://lv.queniujq.cnBitLockerToGo.exe, 00000002.00000002.2306840280.00000000008DD000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://steamcommunity.com/profiles/76561199724331900/inventory/BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008EC000.00000004.00000020.00020000.00000000.sdmptrue
                        • URL Reputation: malware
                        		unknown
                        https://www.youtube.com/BitLockerToGo.exe, 00000002.00000002.2306840280.00000000008DD000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpgBitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306265031.000000000087E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008EC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306368815.00000000008CE000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://store.steampowered.com/privacy_agreement/BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=QI-9YLc_mdtk&amp;l=enBitLockerToGo.exe, 00000002.00000002.2306790393.000000000087E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306265031.000000000087E000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306265031.000000000087E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306368815.00000000008CE000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://licenseodqwmqn.shop/ABitLockerToGo.exe, 00000002.00000003.2227538387.0000000000897000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: malware
                        		unknown
                        https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&amBitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306265031.000000000087E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306368815.00000000008CE000.00000004.00000020.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        https://tenntysjuxmz.shop/$BitLockerToGo.exe, 00000002.00000002.2306702407.000000000085C000.00000004.00000020.00020000.00000000.sdmptrue
                        • Avira URL Cloud: malware
                        		unknown
                        https://www.google.com/recaptcha/BitLockerToGo.exe, 00000002.00000002.2306840280.00000000008DD000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://checkout.steampowered.com/BitLockerToGo.exe, 00000002.00000002.2306840280.00000000008DD000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&amp;l=englishBitLockerToGo.exe, 00000002.00000002.2306790393.000000000087E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306265031.000000000087E000.00000004.00000020.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&amp;l=englishBitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306265031.000000000087E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306368815.00000000008CE000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.pngBitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://tenntysjuxmz.shop/BitLockerToGo.exe, 00000002.00000002.2306702407.000000000085C000.00000004.00000020.00020000.00000000.sdmptrue
                        • URL Reputation: phishing
                        		unknown
                        https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&amp;l=englisBitLockerToGo.exe, 00000002.00000002.2306790393.000000000087E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306265031.000000000087E000.00000004.00000020.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhCBitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306265031.000000000087E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306368815.00000000008CE000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://store.steampowered.com/;BitLockerToGo.exe, 00000002.00000002.2306840280.00000000008DD000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://store.steampowered.com/about/BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://steamcommunity.com/my/wishlist/BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&amp;l=englishBitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306265031.000000000087E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306368815.00000000008CE000.00000004.00000020.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        https://help.steampowered.com/en/BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/BitLockerToGo.exe, 00000002.00000002.2306840280.00000000008DD000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://steamcommunity.com/market/BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://store.steampowered.com/news/BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://community.akamai.steamstatic.com/BitLockerToGo.exe, 00000002.00000002.2306840280.00000000008DD000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://keennylrwmqlw.shop/apioBitLockerToGo.exe, 00000002.00000003.2227538387.0000000000897000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: malware
                        		unknown
                        http://store.steampowered.com/subscriber_agreement/BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008EC000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://licenseodqwmqn.shop/8B?BitLockerToGo.exe, 00000002.00000003.2227538387.0000000000875000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: malware
                        		unknown
                        https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.orgBitLockerToGo.exe, 00000002.00000003.2306191304.00000000008EC000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1BitLockerToGo.exe, 00000002.00000002.2306790393.000000000087E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306265031.000000000087E000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://recaptcha.net/recaptcha/;BitLockerToGo.exe, 00000002.00000002.2306840280.00000000008DD000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&amp;l=enBitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306265031.000000000087E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306368815.00000000008CE000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://checkout.ivBitLockerToGo.exe, 00000002.00000003.2306368815.00000000008DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2306840280.00000000008DD000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://steamcommunity.com/discussions/BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://store.steampowered.com/stats/BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://tesecuuweqo.shop/8TBitLockerToGo.exe, 00000002.00000002.2306702407.000000000084B000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: malware
                        		unknown
                        https://tryyudjasudqo.shop/api:BitLockerToGo.exe, 00000002.00000002.2306790393.000000000087E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306265031.000000000087E000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: malware
                        		unknown
                        https://medal.tvBitLockerToGo.exe, 00000002.00000002.2306840280.00000000008DD000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://broadcast.st.dl.eccdnx.comBitLockerToGo.exe, 00000002.00000002.2306840280.00000000008DD000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1BitLockerToGo.exe, 00000002.00000003.2306368815.00000000008E9000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2306871392.00000000008E9000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008EC000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://store.steampowered.com/steam_refunds/BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://steamcommunity.com/DBitLockerToGo.exe, 00000002.00000002.2306702407.000000000085C000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://steamcommunity.com/workshop/BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://login.steampowered.com/BitLockerToGo.exe, 00000002.00000002.2306840280.00000000008DD000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://store.steampowered.com/legal/BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008EC000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&amp;l=eBitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306265031.000000000087E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306368815.00000000008CE000.00000004.00000020.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=fInsBitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306191304.00000000008EC000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSvBitLockerToGo.exe, 00000002.00000003.2306191304.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306265031.000000000087E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306368815.00000000008CE000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&amp;l=englBitLockerToGo.exe, 00000002.00000003.2306265031.000000000087E000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://keennylrwmqlw.shop/BitLockerToGo.exe, 00000002.00000002.2306790393.000000000087E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2227538387.0000000000897000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282565897.000000000087E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2306265031.000000000087E000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: malware
                        		unknown
                        https://recaptcha.netBitLockerToGo.exe, 00000002.00000002.2306840280.00000000008DD000.00000004.00000020.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        https://store.steampowered.com/BitLockerToGo.exe, 00000002.00000002.2306840280.00000000008DD000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown

                        World Map of Contacted IPs

                        • No. of IPs < 25%
                        • 25% < No. of IPs < 50%
                        • 50% < No. of IPs < 75%
                        • 75% < No. of IPs

                        Public IPs

                        IPDomainCountryFlagASNASN NameMalicious
                        172.67.142.26
                        		eemmbryequo.shopUnited States
                        		13335CLOUDFLARENETUStrue
                        188.114.96.3
                        		reggwardssdqw.shopEuropean Union
                        		13335CLOUDFLARENETUStrue
                        104.21.25.77
                        		licenseodqwmqn.shopUnited States
                        		13335CLOUDFLARENETUStrue
                        104.21.42.156
                        		tesecuuweqo.shopUnited States
                        		13335CLOUDFLARENETUStrue
                        104.21.64.138
                        		relaxatinownio.shopUnited States
                        		13335CLOUDFLARENETUStrue
                        172.67.176.113
                        		tryyudjasudqo.shopUnited States
                        		13335CLOUDFLARENETUStrue
                        172.67.218.144
                        		keennylrwmqlw.shopUnited States
                        		13335CLOUDFLARENETUStrue
                        172.67.178.226
                        		tendencctywop.shopUnited States
                        		13335CLOUDFLARENETUStrue
                        23.50.98.133
                        		steamcommunity.comUnited States
                        		16625AKAMAI-ASUSfalse

                        General Information

                        Joe Sandbox version:41.0.0 Charoite
                        Analysis ID:1513451
                        Start date and time:2024-09-18 20:47:09 +02:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 5m 8s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                        Number of analysed new started processes analysed:5
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:file.exe
                        Detection:MAL
                        Classification:mal100.troj.evad.winEXE@3/0@10/9
                        EGA Information:
                        • Successful, ratio: 50%
                        HCA Information:
                        • Successful, ratio: 77%
                        • Number of executed functions: 8
                        • Number of non-executed functions: 108
                        Cookbook Comments:
                        • Found application associated with file extension: .exe

                        Warnings

                        • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                        • Execution Graph export aborted for target file.exe, PID 4464 because there are no executed function
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • VT rate limit hit for: file.exe

                        Simulations

                        Behavior and APIs

                        TimeTypeDescription
                        14:48:16API Interceptor3x Sleep call for process: BitLockerToGo.exe modified

                        Joe Sandbox View / Context

                        IPs

                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                        172.67.142.26file.exeGet hashmaliciousLummaC, VidarBrowse
                          file.exeGet hashmaliciousLummaC, VidarBrowse
                            file.exeGet hashmaliciousLummaCBrowse
                              188.114.96.3QUOTATION_SEPQTRA071244#U00faPDF.scr.exeGet hashmaliciousUnknownBrowse
                              • filetransfer.io/data-package/iRfhkrSI/download
                              QUOTATION_AUGQTRA071244#U00faPDF.scr.exeGet hashmaliciousUnknownBrowse
                              • filetransfer.io/data-package/uqqJaZdf/download
                              QUOTATION_SEPQTRA071244#U00faPDF.scr.exeGet hashmaliciousUnknownBrowse
                              • filetransfer.io/data-package/iRfhkrSI/download
                              QUOTATION_AUGQTRA071244#U00faPDF.scr.exeGet hashmaliciousUnknownBrowse
                              • filetransfer.io/data-package/uqqJaZdf/download
                              QUOTATION_AUGQTRA071244#U00faPDF.scr.exeGet hashmaliciousUnknownBrowse
                              • filetransfer.io/data-package/TX2daF45/download
                              QUOTATION_SEPQTRA071244PDF.scr.exeGet hashmaliciousUnknownBrowse
                              • filetransfer.io/data-package/KiyXDELa/download
                              QUOTATION_SEPQTRA071244PDF.scr.exeGet hashmaliciousSnake KeyloggerBrowse
                              • filetransfer.io/data-package/HEI5yJ7U/download
                              QUOTATION_SEPQTRA071244#U00faPDF.scr.exeGet hashmaliciousUnknownBrowse
                              • filetransfer.io/data-package/mCJwtLTf/download
                              QUOTATION_SEPQTRA071244PDF.scr.exeGet hashmaliciousSnake KeyloggerBrowse
                              • filetransfer.io/data-package/CDHabJ7n/download
                              QUOTATION_SEPQTRA071244PDF.scr.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                              • filetransfer.io/data-package/OXm7Z8mP/download
                              104.21.25.77file.exeGet hashmaliciousLummaC, VidarBrowse
                                file.exeGet hashmaliciousLummaC, VidarBrowse
                                  file.exeGet hashmaliciousLummaC, VidarBrowse
                                    file.exeGet hashmaliciousLummaCBrowse
                                      https://freexxxth.linkGet hashmaliciousUnknownBrowse
                                        104.21.42.156log-analyzer.exeGet hashmaliciousLummaC, MicroClipBrowse
                                          file.exeGet hashmaliciousLummaC, VidarBrowse
                                            file.exeGet hashmaliciousLummaCBrowse
                                              file.exeGet hashmaliciousLummaC, VidarBrowse
                                                file.exeGet hashmaliciousLummaCBrowse

                                                  Domains

                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                  tryyudjasudqo.shoplog-analyzer.exeGet hashmaliciousLummaC, MicroClipBrowse
                                                  • 172.67.176.113
                                                  file.exeGet hashmaliciousLummaC, VidarBrowse
                                                  • 172.67.176.113
                                                  file.exeGet hashmaliciousLummaC, VidarBrowse
                                                  • 104.21.48.36
                                                  file.exeGet hashmaliciousLummaCBrowse
                                                  • 172.67.176.113
                                                  file.exeGet hashmaliciousLummaCBrowse
                                                  • 104.21.48.36
                                                  file.exeGet hashmaliciousLummaCBrowse
                                                  • 172.67.176.113
                                                  steamcommunity.comlog-analyzer.exeGet hashmaliciousLummaC, MicroClipBrowse
                                                  • 23.197.127.21
                                                  file.exeGet hashmaliciousLummaC, VidarBrowse
                                                  • 23.199.218.33
                                                  file.exeGet hashmaliciousLummaCBrowse
                                                  • 23.197.127.21
                                                  file.exeGet hashmaliciousLummaCBrowse
                                                  • 23.192.247.89
                                                  https://u.to/UKDgIAGet hashmaliciousUnknownBrowse
                                                  • 23.192.247.89
                                                  file.exeGet hashmaliciousLummaCBrowse
                                                  • 23.192.247.89
                                                  SecuriteInfo.com.Win32.Evo-gen.479.14310.exeGet hashmaliciousLummaCBrowse
                                                  • 23.192.247.89
                                                  SecuriteInfo.com.Win32.MalwareX-gen.19973.16297.exeGet hashmaliciousLummaCBrowse
                                                  • 23.67.133.187
                                                  ctEj2vV40S.exeGet hashmaliciousLummaCBrowse
                                                  • 23.197.127.21
                                                  Bootstraper.exeGet hashmaliciousLummaCBrowse
                                                  • 23.197.127.21
                                                  tesecuuweqo.shoplog-analyzer.exeGet hashmaliciousLummaC, MicroClipBrowse
                                                  • 104.21.42.156
                                                  file.exeGet hashmaliciousLummaC, VidarBrowse
                                                  • 172.67.206.149
                                                  file.exeGet hashmaliciousLummaC, VidarBrowse
                                                  • 104.21.42.156
                                                  file.exeGet hashmaliciousLummaC, VidarBrowse
                                                  • 172.67.206.149
                                                  file.exeGet hashmaliciousLummaCBrowse
                                                  • 104.21.42.156
                                                  file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                                  • 172.67.206.149
                                                  file.exeGet hashmaliciousLummaC, VidarBrowse
                                                  • 104.21.42.156
                                                  file.exeGet hashmaliciousLummaCBrowse
                                                  • 172.67.206.149
                                                  file.exeGet hashmaliciousLummaCBrowse
                                                  • 104.21.42.156
                                                  keennylrwmqlw.shoplog-analyzer.exeGet hashmaliciousLummaC, MicroClipBrowse
                                                  • 104.21.86.109
                                                  file.exeGet hashmaliciousLummaC, VidarBrowse
                                                  • 104.21.86.109
                                                  file.exeGet hashmaliciousLummaC, VidarBrowse
                                                  • 172.67.218.144
                                                  file.exeGet hashmaliciousLummaC, VidarBrowse
                                                  • 172.67.218.144
                                                  file.exeGet hashmaliciousLummaCBrowse
                                                  • 104.21.86.109
                                                  file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                                  • 104.21.86.109
                                                  file.exeGet hashmaliciousLummaC, VidarBrowse
                                                  • 104.21.86.109
                                                  file.exeGet hashmaliciousLummaCBrowse
                                                  • 172.67.218.144
                                                  file.exeGet hashmaliciousLummaCBrowse
                                                  • 172.67.218.144
                                                  reggwardssdqw.shoplog-analyzer.exeGet hashmaliciousLummaC, MicroClipBrowse
                                                  • 188.114.96.3
                                                  file.exeGet hashmaliciousLummaC, VidarBrowse
                                                  • 188.114.96.3
                                                  file.exeGet hashmaliciousLummaC, VidarBrowse
                                                  • 188.114.96.3
                                                  file.exeGet hashmaliciousLummaC, VidarBrowse
                                                  • 188.114.96.3
                                                  file.exeGet hashmaliciousLummaCBrowse
                                                  • 188.114.96.3
                                                  file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                                  • 188.114.96.3
                                                  file.exeGet hashmaliciousLummaC, VidarBrowse
                                                  • 188.114.97.3
                                                  file.exeGet hashmaliciousLummaCBrowse
                                                  • 188.114.97.3
                                                  file.exeGet hashmaliciousLummaCBrowse
                                                  • 188.114.96.3

                                                  ASNs

                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                  CLOUDFLARENETUShttp://lixowaste.comGet hashmaliciousUnknownBrowse
                                                  • 1.1.1.1
                                                  Signed_Revised_Contract_See also 19_Lgunning_Carisls_Required_Signature.pdfGet hashmaliciousUnknownBrowse
                                                  • 162.159.61.3
                                                  Williams Raveis Share 09.25.htmlGet hashmaliciousHTMLPhisherBrowse
                                                  • 104.21.18.53
                                                  https://kmk.xisonsory.com/eYiToJ/Get hashmaliciousUnknownBrowse
                                                  • 104.17.25.14
                                                  https://www.google.com/url?rct=j&sa=t&url=https://www.wfla.com/news/hillsborough-county/missing-hillsborough-teen-found-in-south-florida-with-38-year-old-man-she-met-online/&ct=ga&cd=CAEYACoTNzgzMTk0ODc2Nzc1OTQ3Nzc4OTIaNGI1MjA2MjQ3N2RkZDg4ODpjb206ZW46VVM&usg=AOvVaw2tJoLdBv4xAx70UwuSGwkbGet hashmaliciousUnknownBrowse
                                                  • 172.64.151.101
                                                  https://www.google.com/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp/m%C2%ADd%C2%ADra%C2%ADrq%C2%ADu%C2%ADit%C2%AD%C2%ADec%C2%ADt%C2%ADu%C2%ADr%C2%ADa%C2%AD.%C2%ADc%C2%ADom/xsGet hashmaliciousHTMLPhisherBrowse
                                                  • 104.17.25.14
                                                  https://lookerstudio.google.com/reporting/58190778-d174-4b53-a0d1-7d108bb50bb0/page/fKg7DGet hashmaliciousHTMLPhisherBrowse
                                                  • 188.114.97.3
                                                  https://www.google.com/url?rct=j&sa=t&url=https://we-ha.com/10th-anniversary-best-of-west-hartford-celebration-to-include-dancing-with-the-stars-competition/&ct=ga&cd=CAEYACoTNTkyNjQ3ODI2ODc3NzAwMTQzMDIaMTdiNzMwYzc3Yjc2YWM0NDpjb206ZW46VVM&usg=AOvVaw05FWhSEtv9_-HDejBgNYhbGet hashmaliciousUnknownBrowse
                                                  • 104.22.75.216
                                                  PO#180924.exeGet hashmaliciousSnake KeyloggerBrowse
                                                  • 188.114.96.3
                                                  https://www.google.com/url?rct=j&sa=t&url=https://www.wistv.com/2024/09/18/how-register-vote-sc/&ct=ga&cd=CAEYACoUMTE1ODk5MTgyNjc5Mjk4MDkxNDYyHGQ3YWE0YjIyZjk5ZTBkYTg6Y29tOmVuOlVTOlI&usg=AOvVaw2u71nyB5_za_kch4LRgAMuGet hashmaliciousUnknownBrowse
                                                  • 104.16.103.112
                                                  CLOUDFLARENETUShttp://lixowaste.comGet hashmaliciousUnknownBrowse
                                                  • 1.1.1.1
                                                  Signed_Revised_Contract_See also 19_Lgunning_Carisls_Required_Signature.pdfGet hashmaliciousUnknownBrowse
                                                  • 162.159.61.3
                                                  Williams Raveis Share 09.25.htmlGet hashmaliciousHTMLPhisherBrowse
                                                  • 104.21.18.53
                                                  https://kmk.xisonsory.com/eYiToJ/Get hashmaliciousUnknownBrowse
                                                  • 104.17.25.14
                                                  https://www.google.com/url?rct=j&sa=t&url=https://www.wfla.com/news/hillsborough-county/missing-hillsborough-teen-found-in-south-florida-with-38-year-old-man-she-met-online/&ct=ga&cd=CAEYACoTNzgzMTk0ODc2Nzc1OTQ3Nzc4OTIaNGI1MjA2MjQ3N2RkZDg4ODpjb206ZW46VVM&usg=AOvVaw2tJoLdBv4xAx70UwuSGwkbGet hashmaliciousUnknownBrowse
                                                  • 172.64.151.101
                                                  https://www.google.com/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp/m%C2%ADd%C2%ADra%C2%ADrq%C2%ADu%C2%ADit%C2%AD%C2%ADec%C2%ADt%C2%ADu%C2%ADr%C2%ADa%C2%AD.%C2%ADc%C2%ADom/xsGet hashmaliciousHTMLPhisherBrowse
                                                  • 104.17.25.14
                                                  https://lookerstudio.google.com/reporting/58190778-d174-4b53-a0d1-7d108bb50bb0/page/fKg7DGet hashmaliciousHTMLPhisherBrowse
                                                  • 188.114.97.3
                                                  https://www.google.com/url?rct=j&sa=t&url=https://we-ha.com/10th-anniversary-best-of-west-hartford-celebration-to-include-dancing-with-the-stars-competition/&ct=ga&cd=CAEYACoTNTkyNjQ3ODI2ODc3NzAwMTQzMDIaMTdiNzMwYzc3Yjc2YWM0NDpjb206ZW46VVM&usg=AOvVaw05FWhSEtv9_-HDejBgNYhbGet hashmaliciousUnknownBrowse
                                                  • 104.22.75.216
                                                  PO#180924.exeGet hashmaliciousSnake KeyloggerBrowse
                                                  • 188.114.96.3
                                                  https://www.google.com/url?rct=j&sa=t&url=https://www.wistv.com/2024/09/18/how-register-vote-sc/&ct=ga&cd=CAEYACoUMTE1ODk5MTgyNjc5Mjk4MDkxNDYyHGQ3YWE0YjIyZjk5ZTBkYTg6Y29tOmVuOlVTOlI&usg=AOvVaw2u71nyB5_za_kch4LRgAMuGet hashmaliciousUnknownBrowse
                                                  • 104.16.103.112
                                                  CLOUDFLARENETUShttp://lixowaste.comGet hashmaliciousUnknownBrowse
                                                  • 1.1.1.1
                                                  Signed_Revised_Contract_See also 19_Lgunning_Carisls_Required_Signature.pdfGet hashmaliciousUnknownBrowse
                                                  • 162.159.61.3
                                                  Williams Raveis Share 09.25.htmlGet hashmaliciousHTMLPhisherBrowse
                                                  • 104.21.18.53
                                                  https://kmk.xisonsory.com/eYiToJ/Get hashmaliciousUnknownBrowse
                                                  • 104.17.25.14
                                                  https://www.google.com/url?rct=j&sa=t&url=https://www.wfla.com/news/hillsborough-county/missing-hillsborough-teen-found-in-south-florida-with-38-year-old-man-she-met-online/&ct=ga&cd=CAEYACoTNzgzMTk0ODc2Nzc1OTQ3Nzc4OTIaNGI1MjA2MjQ3N2RkZDg4ODpjb206ZW46VVM&usg=AOvVaw2tJoLdBv4xAx70UwuSGwkbGet hashmaliciousUnknownBrowse
                                                  • 172.64.151.101
                                                  https://www.google.com/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp/m%C2%ADd%C2%ADra%C2%ADrq%C2%ADu%C2%ADit%C2%AD%C2%ADec%C2%ADt%C2%ADu%C2%ADr%C2%ADa%C2%AD.%C2%ADc%C2%ADom/xsGet hashmaliciousHTMLPhisherBrowse
                                                  • 104.17.25.14
                                                  https://lookerstudio.google.com/reporting/58190778-d174-4b53-a0d1-7d108bb50bb0/page/fKg7DGet hashmaliciousHTMLPhisherBrowse
                                                  • 188.114.97.3
                                                  https://www.google.com/url?rct=j&sa=t&url=https://we-ha.com/10th-anniversary-best-of-west-hartford-celebration-to-include-dancing-with-the-stars-competition/&ct=ga&cd=CAEYACoTNTkyNjQ3ODI2ODc3NzAwMTQzMDIaMTdiNzMwYzc3Yjc2YWM0NDpjb206ZW46VVM&usg=AOvVaw05FWhSEtv9_-HDejBgNYhbGet hashmaliciousUnknownBrowse
                                                  • 104.22.75.216
                                                  PO#180924.exeGet hashmaliciousSnake KeyloggerBrowse
                                                  • 188.114.96.3
                                                  https://www.google.com/url?rct=j&sa=t&url=https://www.wistv.com/2024/09/18/how-register-vote-sc/&ct=ga&cd=CAEYACoUMTE1ODk5MTgyNjc5Mjk4MDkxNDYyHGQ3YWE0YjIyZjk5ZTBkYTg6Y29tOmVuOlVTOlI&usg=AOvVaw2u71nyB5_za_kch4LRgAMuGet hashmaliciousUnknownBrowse
                                                  • 104.16.103.112
                                                  CLOUDFLARENETUShttp://lixowaste.comGet hashmaliciousUnknownBrowse
                                                  • 1.1.1.1
                                                  Signed_Revised_Contract_See also 19_Lgunning_Carisls_Required_Signature.pdfGet hashmaliciousUnknownBrowse
                                                  • 162.159.61.3
                                                  Williams Raveis Share 09.25.htmlGet hashmaliciousHTMLPhisherBrowse
                                                  • 104.21.18.53
                                                  https://kmk.xisonsory.com/eYiToJ/Get hashmaliciousUnknownBrowse
                                                  • 104.17.25.14
                                                  https://www.google.com/url?rct=j&sa=t&url=https://www.wfla.com/news/hillsborough-county/missing-hillsborough-teen-found-in-south-florida-with-38-year-old-man-she-met-online/&ct=ga&cd=CAEYACoTNzgzMTk0ODc2Nzc1OTQ3Nzc4OTIaNGI1MjA2MjQ3N2RkZDg4ODpjb206ZW46VVM&usg=AOvVaw2tJoLdBv4xAx70UwuSGwkbGet hashmaliciousUnknownBrowse
                                                  • 172.64.151.101
                                                  https://www.google.com/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp/m%C2%ADd%C2%ADra%C2%ADrq%C2%ADu%C2%ADit%C2%AD%C2%ADec%C2%ADt%C2%ADu%C2%ADr%C2%ADa%C2%AD.%C2%ADc%C2%ADom/xsGet hashmaliciousHTMLPhisherBrowse
                                                  • 104.17.25.14
                                                  https://lookerstudio.google.com/reporting/58190778-d174-4b53-a0d1-7d108bb50bb0/page/fKg7DGet hashmaliciousHTMLPhisherBrowse
                                                  • 188.114.97.3
                                                  https://www.google.com/url?rct=j&sa=t&url=https://we-ha.com/10th-anniversary-best-of-west-hartford-celebration-to-include-dancing-with-the-stars-competition/&ct=ga&cd=CAEYACoTNTkyNjQ3ODI2ODc3NzAwMTQzMDIaMTdiNzMwYzc3Yjc2YWM0NDpjb206ZW46VVM&usg=AOvVaw05FWhSEtv9_-HDejBgNYhbGet hashmaliciousUnknownBrowse
                                                  • 104.22.75.216
                                                  PO#180924.exeGet hashmaliciousSnake KeyloggerBrowse
                                                  • 188.114.96.3
                                                  https://www.google.com/url?rct=j&sa=t&url=https://www.wistv.com/2024/09/18/how-register-vote-sc/&ct=ga&cd=CAEYACoUMTE1ODk5MTgyNjc5Mjk4MDkxNDYyHGQ3YWE0YjIyZjk5ZTBkYTg6Y29tOmVuOlVTOlI&usg=AOvVaw2u71nyB5_za_kch4LRgAMuGet hashmaliciousUnknownBrowse
                                                  • 104.16.103.112

                                                  JA3 Fingerprints

                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                  a0e9f5d64349fb13191bc781f81f42e1file.exeGet hashmaliciousSmokeLoaderBrowse
                                                  • 172.67.142.26
                                                  • 188.114.96.3
                                                  • 104.21.25.77
                                                  • 104.21.42.156
                                                  • 104.21.64.138
                                                  • 172.67.176.113
                                                  • 172.67.218.144
                                                  • 172.67.178.226
                                                  • 23.50.98.133
                                                  log-analyzer.exeGet hashmaliciousLummaC, MicroClipBrowse
                                                  • 172.67.142.26
                                                  • 188.114.96.3
                                                  • 104.21.25.77
                                                  • 104.21.42.156
                                                  • 104.21.64.138
                                                  • 172.67.176.113
                                                  • 172.67.218.144
                                                  • 172.67.178.226
                                                  • 23.50.98.133
                                                  file.exeGet hashmaliciousLummaC, PureLog Stealer, RedLine, Socks5Systemz, Stealc, Vidar, XmrigBrowse
                                                  • 172.67.142.26
                                                  • 188.114.96.3
                                                  • 104.21.25.77
                                                  • 104.21.42.156
                                                  • 104.21.64.138
                                                  • 172.67.176.113
                                                  • 172.67.218.144
                                                  • 172.67.178.226
                                                  • 23.50.98.133
                                                  file.exeGet hashmaliciousSmokeLoaderBrowse
                                                  • 172.67.142.26
                                                  • 188.114.96.3
                                                  • 104.21.25.77
                                                  • 104.21.42.156
                                                  • 104.21.64.138
                                                  • 172.67.176.113
                                                  • 172.67.218.144
                                                  • 172.67.178.226
                                                  • 23.50.98.133
                                                  file.exeGet hashmaliciousLummaC, VidarBrowse
                                                  • 172.67.142.26
                                                  • 188.114.96.3
                                                  • 104.21.25.77
                                                  • 104.21.42.156
                                                  • 104.21.64.138
                                                  • 172.67.176.113
                                                  • 172.67.218.144
                                                  • 172.67.178.226
                                                  • 23.50.98.133
                                                  file.exeGet hashmaliciousLummaC, VidarBrowse
                                                  • 172.67.142.26
                                                  • 188.114.96.3
                                                  • 104.21.25.77
                                                  • 104.21.42.156
                                                  • 104.21.64.138
                                                  • 172.67.176.113
                                                  • 172.67.218.144
                                                  • 172.67.178.226
                                                  • 23.50.98.133
                                                  file.exeGet hashmaliciousLummaC, VidarBrowse
                                                  • 172.67.142.26
                                                  • 188.114.96.3
                                                  • 104.21.25.77
                                                  • 104.21.42.156
                                                  • 104.21.64.138
                                                  • 172.67.176.113
                                                  • 172.67.218.144
                                                  • 172.67.178.226
                                                  • 23.50.98.133
                                                  file.exeGet hashmaliciousLummaCBrowse
                                                  • 172.67.142.26
                                                  • 188.114.96.3
                                                  • 104.21.25.77
                                                  • 104.21.42.156
                                                  • 104.21.64.138
                                                  • 172.67.176.113
                                                  • 172.67.218.144
                                                  • 172.67.178.226
                                                  • 23.50.98.133
                                                  file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                                  • 172.67.142.26
                                                  • 188.114.96.3
                                                  • 104.21.25.77
                                                  • 104.21.42.156
                                                  • 104.21.64.138
                                                  • 172.67.176.113
                                                  • 172.67.218.144
                                                  • 172.67.178.226
                                                  • 23.50.98.133
                                                  file.exeGet hashmaliciousLummaC, VidarBrowse
                                                  • 172.67.142.26
                                                  • 188.114.96.3
                                                  • 104.21.25.77
                                                  • 104.21.42.156
                                                  • 104.21.64.138
                                                  • 172.67.176.113
                                                  • 172.67.218.144
                                                  • 172.67.178.226
                                                  • 23.50.98.133

                                                  Dropped Files

                                                  No context

                                                  Created / dropped Files

                                                  No created / dropped files found

                                                  Static File Info

                                                  General

                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                  Entropy (8bit):5.747255304083361
                                                  TrID:
                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                  • DOS Executable Generic (2002/1) 0.02%
                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                  File name:file.exe
                                                  File size:11'207'680 bytes
                                                  MD5:5fb5e099087ca0db68f8d58ae7555949
                                                  SHA1:caafb9713225e958041183455c1113d2018b9879
                                                  SHA256:f37c412bd47fc18d4c153664b116ea18c7d251eb8cdd0af8f130010958a93353
                                                  SHA512:307af716a5fd9ce4c01fcc72618595867c167c8de26c4727fd4595e444fa15af9ae8ddcaf35809effc3148552fb166c57a0dd35e38e2082cb29559b6d90b1116
                                                  SSDEEP:98304:zqF4Ro3roj2EwF0dnRR5hIiP0nvYKZBnYB:pawOwH0w
                                                  TLSH:4FB62950FAC745F2D9830971505BB26F5B345E058B28CB8BFA1C7F5AFA376922833219
                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.........................E.........pM.......`....@.......................................@................................

                                                  File Icon

                                                  Icon Hash:0f33716d6931170e

                                                  Static PE Info

                                                  General

                                                  Entrypoint:0x474d70
                                                  Entrypoint Section:.text
                                                  Digitally signed:false
                                                  Imagebase:0x400000
                                                  Subsystem:windows gui
                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                  Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
                                                  TLS Callbacks:
                                                  CLR (.Net) Version:
                                                  OS Version Major:6
                                                  OS Version Minor:1
                                                  File Version Major:6
                                                  File Version Minor:1
                                                  Subsystem Version Major:6
                                                  Subsystem Version Minor:1
                                                  Import Hash:1aae8bf580c846f39c71c05898e57e88

                                                  Entrypoint Preview

                                                  Instruction
                                                  jmp 00007F2285348DF0h
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  sub esp, 28h
                                                  mov dword ptr [esp+1Ch], ebx
                                                  mov dword ptr [esp+10h], ebp
                                                  mov dword ptr [esp+14h], esi
                                                  mov dword ptr [esp+18h], edi
                                                  mov dword ptr [esp], eax
                                                  mov dword ptr [esp+04h], ecx
                                                  call 00007F22853249F6h
                                                  mov eax, dword ptr [esp+08h]
                                                  mov edi, dword ptr [esp+18h]
                                                  mov esi, dword ptr [esp+14h]
                                                  mov ebp, dword ptr [esp+10h]
                                                  mov ebx, dword ptr [esp+1Ch]
                                                  add esp, 28h
                                                  retn 0004h
                                                  ret
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  sub esp, 08h
                                                  mov ecx, dword ptr [esp+0Ch]
                                                  mov edx, dword ptr [ecx]
                                                  mov eax, esp
                                                  mov dword ptr [edx+04h], eax
                                                  sub eax, 00010000h
                                                  mov dword ptr [edx], eax
                                                  add eax, 00000BA0h
                                                  mov dword ptr [edx+08h], eax
                                                  mov dword ptr [edx+0Ch], eax
                                                  lea edi, dword ptr [ecx+34h]
                                                  mov dword ptr [edx+18h], ecx
                                                  mov dword ptr [edi], edx
                                                  mov dword ptr [esp+04h], edi
                                                  call 00007F228534B244h
                                                  cld
                                                  call 00007F228534A2DEh
                                                  call 00007F2285348F19h
                                                  add esp, 08h
                                                  ret
                                                  jmp 00007F228534B0F0h
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  mov ebx, dword ptr [esp+04h]
                                                  mov ebp, esp
                                                  mov dword ptr fs:[00000034h], 00000000h
                                                  mov ecx, dword ptr [ebx+04h]
                                                  cmp ecx, 00000000h
                                                  je 00007F228534B0F1h
                                                  mov eax, ecx
                                                  shl eax, 02h
                                                  sub esp, eax
                                                  mov edi, esp
                                                  mov esi, dword ptr [ebx+08h]
                                                  cld
                                                  rep movsd

                                                  Data Directories

                                                  NameVirtual AddressVirtual Size Is in Section
                                                  IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_IMPORT0xa7b0000x44c.idata
                                                  IMAGE_DIRECTORY_ENTRY_RESOURCE0xabb0000x22d63.rsrc
                                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_BASERELOC0xa7c0000x3d434.reloc
                                                  IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_IAT0xa06d800xb4.data
                                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                  Sections

                                                  NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                  .text0x10000x45ef880x45f0006e9e97bed830a1553f25bb4b4a9cf753unknownunknownunknownunknownIMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                  .rdata0x4600000x5a54400x5a56005caee83a28f348b99d2b2a2a7a6d5baeunknownunknownunknownunknownIMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                  .data0xa060000x746000x4ae00bebd7a8699b3277374b0dd06e6e743d9False0.3748956594323873data5.303832181568399IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                  .idata0xa7b0000x44c0x6002f2e92726ed4de1a4faf46655c409dfeFalse0.3587239583333333OpenPGP Public Key3.8744962613812364IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                  .reloc0xa7c0000x3d4340x3d600ffa83be37e1a75e5c7888d7483bd4641False0.5835587449083504data6.687308985355059IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                  .symtab0xaba0000x40x20007b5472d347d42780469fb2654b7fc54False0.02734375data0.020393135236084953IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                  .rsrc0xabb0000x22d630x22e0001637d64ba58b2cb97eb5abc53ca857eFalse0.34223790322580644data5.417895023566361IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                  Resources

                                                  NameRVASizeTypeLanguageCountryZLIB Complexity
                                                  RT_ICON0xabb3d00x668Device independent bitmap graphic, 48 x 96 x 4, image size 11520.38170731707317074
                                                  RT_ICON0xabba380x2e8Device independent bitmap graphic, 32 x 64 x 4, image size 5120.4825268817204301
                                                  RT_ICON0xabbd200x1e8Device independent bitmap graphic, 24 x 48 x 4, image size 2880.5204918032786885
                                                  RT_ICON0xabbf080x128Device independent bitmap graphic, 16 x 32 x 4, image size 1280.543918918918919
                                                  RT_ICON0xabc0300xea8Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors0.47921108742004265
                                                  RT_ICON0xabced80x8a8Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors0.48601083032490977
                                                  RT_ICON0xabd7800x6c8Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors0.4349078341013825
                                                  RT_ICON0xabde480x568Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors0.3222543352601156
                                                  RT_ICON0xabe3b00x6217PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced0.9968141451953327
                                                  RT_ICON0xac45c80x10828Device independent bitmap graphic, 128 x 256 x 32, image size 675840.12236779841476399
                                                  RT_ICON0xad4df00x4228Device independent bitmap graphic, 64 x 128 x 32, image size 168960.1944969296173831
                                                  RT_ICON0xad90180x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 96000.25103734439834025
                                                  RT_ICON0xadb5c00x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 42240.30651969981238275
                                                  RT_ICON0xadc6680x988Device independent bitmap graphic, 24 x 48 x 32, image size 24000.39139344262295084
                                                  RT_ICON0xadcff00x468Device independent bitmap graphic, 16 x 32 x 32, image size 10880.5301418439716312
                                                  RT_GROUP_ICON0xadd4580xd8data0.6157407407407407
                                                  RT_VERSION0xadd5300x368data0.43004587155963303
                                                  RT_MANIFEST0xadd8980x4cbXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.4343928280358598

                                                  Imports

                                                  DLLImport
                                                  kernel32.dllWriteFile, WriteConsoleW, WerSetFlags, WerGetFlags, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TlsAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, RaiseFailFastException, PostQueuedCompletionStatus, LoadLibraryW, LoadLibraryExW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetErrorMode, GetEnvironmentStringsW, GetCurrentThreadId, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateEventA, CloseHandle, AddVectoredExceptionHandler

                                                  Network Behavior

                                                  Suricata IDS Alerts

                                                  TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                  2024-09-18T20:48:17.471459+02002049836ET MALWARE Lumma Stealer Related Activity1192.168.2.549704172.67.218.144443TCP
                                                  2024-09-18T20:48:17.471459+02002054653ET MALWARE Lumma Stealer CnC Host Checkin1192.168.2.549704172.67.218.144443TCP
                                                  2024-09-18T20:48:18.456059+02002049836ET MALWARE Lumma Stealer Related Activity1192.168.2.549705172.67.218.144443TCP
                                                  2024-09-18T20:48:18.456059+02002054653ET MALWARE Lumma Stealer CnC Host Checkin1192.168.2.549705172.67.218.144443TCP
                                                  2024-09-18T20:48:19.524842+02002049836ET MALWARE Lumma Stealer Related Activity1192.168.2.549707104.21.25.77443TCP
                                                  2024-09-18T20:48:19.524842+02002054653ET MALWARE Lumma Stealer CnC Host Checkin1192.168.2.549707104.21.25.77443TCP
                                                  2024-09-18T20:48:20.649778+02002049836ET MALWARE Lumma Stealer Related Activity1192.168.2.549710172.67.178.226443TCP
                                                  2024-09-18T20:48:20.649778+02002054653ET MALWARE Lumma Stealer CnC Host Checkin1192.168.2.549710172.67.178.226443TCP
                                                  2024-09-18T20:48:21.621682+02002049836ET MALWARE Lumma Stealer Related Activity1192.168.2.549713104.21.42.156443TCP
                                                  2024-09-18T20:48:21.621682+02002054653ET MALWARE Lumma Stealer CnC Host Checkin1192.168.2.549713104.21.42.156443TCP
                                                  2024-09-18T20:48:22.997733+02002049836ET MALWARE Lumma Stealer Related Activity1192.168.2.549715104.21.64.138443TCP
                                                  2024-09-18T20:48:22.997733+02002054653ET MALWARE Lumma Stealer CnC Host Checkin1192.168.2.549715104.21.64.138443TCP
                                                  2024-09-18T20:48:23.977281+02002049836ET MALWARE Lumma Stealer Related Activity1192.168.2.549716188.114.96.3443TCP
                                                  2024-09-18T20:48:23.977281+02002054653ET MALWARE Lumma Stealer CnC Host Checkin1192.168.2.549716188.114.96.3443TCP
                                                  2024-09-18T20:48:25.044785+02002049836ET MALWARE Lumma Stealer Related Activity1192.168.2.549717172.67.142.26443TCP
                                                  2024-09-18T20:48:25.044785+02002054653ET MALWARE Lumma Stealer CnC Host Checkin1192.168.2.549717172.67.142.26443TCP
                                                  2024-09-18T20:48:26.034606+02002049836ET MALWARE Lumma Stealer Related Activity1192.168.2.549718172.67.176.113443TCP
                                                  2024-09-18T20:48:26.034606+02002054653ET MALWARE Lumma Stealer CnC Host Checkin1192.168.2.549718172.67.176.113443TCP
                                                  2024-09-18T20:48:27.401211+02002857974ETPRO MALWARE Observed DNS Query to Lumma Domain1192.168.2.5526861.1.1.153UDP

                                                  Network Port Distribution

                                                  TCP Packets

                                                  TimestampSource PortDest PortSource IPDest IP
                                                  Sep 18, 2024 20:48:16.499475002 CEST49704443192.168.2.5172.67.218.144
                                                  Sep 18, 2024 20:48:16.499600887 CEST44349704172.67.218.144192.168.2.5
                                                  Sep 18, 2024 20:48:16.499694109 CEST49704443192.168.2.5172.67.218.144
                                                  Sep 18, 2024 20:48:16.501564980 CEST49704443192.168.2.5172.67.218.144
                                                  Sep 18, 2024 20:48:16.501641989 CEST44349704172.67.218.144192.168.2.5
                                                  Sep 18, 2024 20:48:16.980099916 CEST44349704172.67.218.144192.168.2.5
                                                  Sep 18, 2024 20:48:16.980323076 CEST49704443192.168.2.5172.67.218.144
                                                  Sep 18, 2024 20:48:16.984096050 CEST49704443192.168.2.5172.67.218.144
                                                  Sep 18, 2024 20:48:16.984152079 CEST44349704172.67.218.144192.168.2.5
                                                  Sep 18, 2024 20:48:16.984689951 CEST44349704172.67.218.144192.168.2.5
                                                  Sep 18, 2024 20:48:17.028974056 CEST49704443192.168.2.5172.67.218.144
                                                  Sep 18, 2024 20:48:17.028974056 CEST49704443192.168.2.5172.67.218.144
                                                  Sep 18, 2024 20:48:17.029392958 CEST44349704172.67.218.144192.168.2.5
                                                  Sep 18, 2024 20:48:17.471548080 CEST44349704172.67.218.144192.168.2.5
                                                  Sep 18, 2024 20:48:17.471769094 CEST44349704172.67.218.144192.168.2.5
                                                  Sep 18, 2024 20:48:17.472069025 CEST49704443192.168.2.5172.67.218.144
                                                  Sep 18, 2024 20:48:17.474993944 CEST49704443192.168.2.5172.67.218.144
                                                  Sep 18, 2024 20:48:17.474993944 CEST49704443192.168.2.5172.67.218.144
                                                  Sep 18, 2024 20:48:17.475064993 CEST44349704172.67.218.144192.168.2.5
                                                  Sep 18, 2024 20:48:17.475102901 CEST44349704172.67.218.144192.168.2.5
                                                  Sep 18, 2024 20:48:17.486397028 CEST49705443192.168.2.5172.67.218.144
                                                  Sep 18, 2024 20:48:17.486448050 CEST44349705172.67.218.144192.168.2.5
                                                  Sep 18, 2024 20:48:17.486525059 CEST49705443192.168.2.5172.67.218.144
                                                  Sep 18, 2024 20:48:17.486911058 CEST49705443192.168.2.5172.67.218.144
                                                  Sep 18, 2024 20:48:17.486918926 CEST44349705172.67.218.144192.168.2.5
                                                  Sep 18, 2024 20:48:17.961307049 CEST44349705172.67.218.144192.168.2.5
                                                  Sep 18, 2024 20:48:17.961395979 CEST49705443192.168.2.5172.67.218.144
                                                  Sep 18, 2024 20:48:17.968482018 CEST49705443192.168.2.5172.67.218.144
                                                  Sep 18, 2024 20:48:17.968498945 CEST44349705172.67.218.144192.168.2.5
                                                  Sep 18, 2024 20:48:17.968823910 CEST44349705172.67.218.144192.168.2.5
                                                  Sep 18, 2024 20:48:17.971874952 CEST49705443192.168.2.5172.67.218.144
                                                  Sep 18, 2024 20:48:17.971895933 CEST49705443192.168.2.5172.67.218.144
                                                  Sep 18, 2024 20:48:17.971952915 CEST44349705172.67.218.144192.168.2.5
                                                  Sep 18, 2024 20:48:18.455981970 CEST44349705172.67.218.144192.168.2.5
                                                  Sep 18, 2024 20:48:18.456195116 CEST44349705172.67.218.144192.168.2.5
                                                  Sep 18, 2024 20:48:18.456271887 CEST49705443192.168.2.5172.67.218.144
                                                  Sep 18, 2024 20:48:18.456418991 CEST49705443192.168.2.5172.67.218.144
                                                  Sep 18, 2024 20:48:18.456444025 CEST44349705172.67.218.144192.168.2.5
                                                  Sep 18, 2024 20:48:18.456454992 CEST49705443192.168.2.5172.67.218.144
                                                  Sep 18, 2024 20:48:18.456459999 CEST44349705172.67.218.144192.168.2.5
                                                  Sep 18, 2024 20:48:18.473989010 CEST49707443192.168.2.5104.21.25.77
                                                  Sep 18, 2024 20:48:18.474087000 CEST44349707104.21.25.77192.168.2.5
                                                  Sep 18, 2024 20:48:18.474210978 CEST49707443192.168.2.5104.21.25.77
                                                  Sep 18, 2024 20:48:18.474575996 CEST49707443192.168.2.5104.21.25.77
                                                  Sep 18, 2024 20:48:18.474613905 CEST44349707104.21.25.77192.168.2.5
                                                  Sep 18, 2024 20:48:18.949342012 CEST44349707104.21.25.77192.168.2.5
                                                  Sep 18, 2024 20:48:18.949547052 CEST49707443192.168.2.5104.21.25.77
                                                  Sep 18, 2024 20:48:19.073683977 CEST49707443192.168.2.5104.21.25.77
                                                  Sep 18, 2024 20:48:19.073720932 CEST44349707104.21.25.77192.168.2.5
                                                  Sep 18, 2024 20:48:19.074716091 CEST44349707104.21.25.77192.168.2.5
                                                  Sep 18, 2024 20:48:19.075992107 CEST49707443192.168.2.5104.21.25.77
                                                  Sep 18, 2024 20:48:19.075992107 CEST49707443192.168.2.5104.21.25.77
                                                  Sep 18, 2024 20:48:19.076385021 CEST44349707104.21.25.77192.168.2.5
                                                  Sep 18, 2024 20:48:19.524748087 CEST44349707104.21.25.77192.168.2.5
                                                  Sep 18, 2024 20:48:19.524934053 CEST44349707104.21.25.77192.168.2.5
                                                  Sep 18, 2024 20:48:19.531466961 CEST44349707104.21.25.77192.168.2.5
                                                  Sep 18, 2024 20:48:19.532743931 CEST49707443192.168.2.5104.21.25.77
                                                  Sep 18, 2024 20:48:19.533166885 CEST49707443192.168.2.5104.21.25.77
                                                  Sep 18, 2024 20:48:19.533168077 CEST49707443192.168.2.5104.21.25.77
                                                  Sep 18, 2024 20:48:19.533233881 CEST44349707104.21.25.77192.168.2.5
                                                  Sep 18, 2024 20:48:19.533271074 CEST44349707104.21.25.77192.168.2.5
                                                  Sep 18, 2024 20:48:19.578666925 CEST49710443192.168.2.5172.67.178.226
                                                  Sep 18, 2024 20:48:19.578686953 CEST44349710172.67.178.226192.168.2.5
                                                  Sep 18, 2024 20:48:19.578759909 CEST49710443192.168.2.5172.67.178.226
                                                  Sep 18, 2024 20:48:19.579148054 CEST49710443192.168.2.5172.67.178.226
                                                  Sep 18, 2024 20:48:19.579161882 CEST44349710172.67.178.226192.168.2.5
                                                  Sep 18, 2024 20:48:20.169392109 CEST44349710172.67.178.226192.168.2.5
                                                  Sep 18, 2024 20:48:20.169467926 CEST49710443192.168.2.5172.67.178.226
                                                  Sep 18, 2024 20:48:20.170905113 CEST49710443192.168.2.5172.67.178.226
                                                  Sep 18, 2024 20:48:20.170913935 CEST44349710172.67.178.226192.168.2.5
                                                  Sep 18, 2024 20:48:20.171427011 CEST44349710172.67.178.226192.168.2.5
                                                  Sep 18, 2024 20:48:20.172683954 CEST49710443192.168.2.5172.67.178.226
                                                  Sep 18, 2024 20:48:20.172740936 CEST49710443192.168.2.5172.67.178.226
                                                  Sep 18, 2024 20:48:20.172883987 CEST44349710172.67.178.226192.168.2.5
                                                  Sep 18, 2024 20:48:20.649704933 CEST44349710172.67.178.226192.168.2.5
                                                  Sep 18, 2024 20:48:20.649905920 CEST44349710172.67.178.226192.168.2.5
                                                  Sep 18, 2024 20:48:20.650001049 CEST49710443192.168.2.5172.67.178.226
                                                  Sep 18, 2024 20:48:20.650152922 CEST49710443192.168.2.5172.67.178.226
                                                  Sep 18, 2024 20:48:20.650152922 CEST49710443192.168.2.5172.67.178.226
                                                  Sep 18, 2024 20:48:20.650176048 CEST44349710172.67.178.226192.168.2.5
                                                  Sep 18, 2024 20:48:20.650186062 CEST44349710172.67.178.226192.168.2.5
                                                  Sep 18, 2024 20:48:20.671365023 CEST49713443192.168.2.5104.21.42.156
                                                  Sep 18, 2024 20:48:20.671416044 CEST44349713104.21.42.156192.168.2.5
                                                  Sep 18, 2024 20:48:20.671489954 CEST49713443192.168.2.5104.21.42.156
                                                  Sep 18, 2024 20:48:20.672697067 CEST49713443192.168.2.5104.21.42.156
                                                  Sep 18, 2024 20:48:20.672708988 CEST44349713104.21.42.156192.168.2.5
                                                  Sep 18, 2024 20:48:21.148540974 CEST44349713104.21.42.156192.168.2.5
                                                  Sep 18, 2024 20:48:21.148732901 CEST49713443192.168.2.5104.21.42.156
                                                  Sep 18, 2024 20:48:21.154926062 CEST49713443192.168.2.5104.21.42.156
                                                  Sep 18, 2024 20:48:21.154978037 CEST44349713104.21.42.156192.168.2.5
                                                  Sep 18, 2024 20:48:21.155522108 CEST44349713104.21.42.156192.168.2.5
                                                  Sep 18, 2024 20:48:21.186942101 CEST49713443192.168.2.5104.21.42.156
                                                  Sep 18, 2024 20:48:21.186942101 CEST49713443192.168.2.5104.21.42.156
                                                  Sep 18, 2024 20:48:21.187211037 CEST44349713104.21.42.156192.168.2.5
                                                  Sep 18, 2024 20:48:21.621531963 CEST44349713104.21.42.156192.168.2.5
                                                  Sep 18, 2024 20:48:21.621630907 CEST44349713104.21.42.156192.168.2.5
                                                  Sep 18, 2024 20:48:21.621738911 CEST49713443192.168.2.5104.21.42.156
                                                  Sep 18, 2024 20:48:21.622360945 CEST49713443192.168.2.5104.21.42.156
                                                  Sep 18, 2024 20:48:21.622389078 CEST44349713104.21.42.156192.168.2.5
                                                  Sep 18, 2024 20:48:21.622405052 CEST49713443192.168.2.5104.21.42.156
                                                  Sep 18, 2024 20:48:21.622414112 CEST44349713104.21.42.156192.168.2.5
                                                  Sep 18, 2024 20:48:21.681530952 CEST49715443192.168.2.5104.21.64.138
                                                  Sep 18, 2024 20:48:21.681591034 CEST44349715104.21.64.138192.168.2.5
                                                  Sep 18, 2024 20:48:21.681664944 CEST49715443192.168.2.5104.21.64.138
                                                  Sep 18, 2024 20:48:21.682235003 CEST49715443192.168.2.5104.21.64.138
                                                  Sep 18, 2024 20:48:21.682252884 CEST44349715104.21.64.138192.168.2.5
                                                  Sep 18, 2024 20:48:22.454930067 CEST44349715104.21.64.138192.168.2.5
                                                  Sep 18, 2024 20:48:22.455003023 CEST49715443192.168.2.5104.21.64.138
                                                  Sep 18, 2024 20:48:22.459501028 CEST49715443192.168.2.5104.21.64.138
                                                  Sep 18, 2024 20:48:22.459532022 CEST44349715104.21.64.138192.168.2.5
                                                  Sep 18, 2024 20:48:22.460025072 CEST44349715104.21.64.138192.168.2.5
                                                  Sep 18, 2024 20:48:22.469485044 CEST49715443192.168.2.5104.21.64.138
                                                  Sep 18, 2024 20:48:22.469520092 CEST49715443192.168.2.5104.21.64.138
                                                  Sep 18, 2024 20:48:22.469752073 CEST44349715104.21.64.138192.168.2.5
                                                  Sep 18, 2024 20:48:22.997612953 CEST44349715104.21.64.138192.168.2.5
                                                  Sep 18, 2024 20:48:22.997715950 CEST44349715104.21.64.138192.168.2.5
                                                  Sep 18, 2024 20:48:22.997771978 CEST49715443192.168.2.5104.21.64.138
                                                  Sep 18, 2024 20:48:22.998398066 CEST49715443192.168.2.5104.21.64.138
                                                  Sep 18, 2024 20:48:22.998433113 CEST44349715104.21.64.138192.168.2.5
                                                  Sep 18, 2024 20:48:22.998446941 CEST49715443192.168.2.5104.21.64.138
                                                  Sep 18, 2024 20:48:22.998454094 CEST44349715104.21.64.138192.168.2.5
                                                  Sep 18, 2024 20:48:23.018696070 CEST49716443192.168.2.5188.114.96.3
                                                  Sep 18, 2024 20:48:23.018732071 CEST44349716188.114.96.3192.168.2.5
                                                  Sep 18, 2024 20:48:23.018807888 CEST49716443192.168.2.5188.114.96.3
                                                  Sep 18, 2024 20:48:23.019294977 CEST49716443192.168.2.5188.114.96.3
                                                  Sep 18, 2024 20:48:23.019308090 CEST44349716188.114.96.3192.168.2.5
                                                  Sep 18, 2024 20:48:23.497040987 CEST44349716188.114.96.3192.168.2.5
                                                  Sep 18, 2024 20:48:23.498828888 CEST49716443192.168.2.5188.114.96.3
                                                  Sep 18, 2024 20:48:23.498828888 CEST49716443192.168.2.5188.114.96.3
                                                  Sep 18, 2024 20:48:23.498877048 CEST44349716188.114.96.3192.168.2.5
                                                  Sep 18, 2024 20:48:23.499368906 CEST44349716188.114.96.3192.168.2.5
                                                  Sep 18, 2024 20:48:23.500543118 CEST49716443192.168.2.5188.114.96.3
                                                  Sep 18, 2024 20:48:23.500543118 CEST49716443192.168.2.5188.114.96.3
                                                  Sep 18, 2024 20:48:23.500752926 CEST44349716188.114.96.3192.168.2.5
                                                  Sep 18, 2024 20:48:23.976733923 CEST44349716188.114.96.3192.168.2.5
                                                  Sep 18, 2024 20:48:23.976950884 CEST44349716188.114.96.3192.168.2.5
                                                  Sep 18, 2024 20:48:23.982017994 CEST49716443192.168.2.5188.114.96.3
                                                  Sep 18, 2024 20:48:24.017894030 CEST49716443192.168.2.5188.114.96.3
                                                  Sep 18, 2024 20:48:24.017894030 CEST49716443192.168.2.5188.114.96.3
                                                  Sep 18, 2024 20:48:24.017946005 CEST44349716188.114.96.3192.168.2.5
                                                  Sep 18, 2024 20:48:24.017961025 CEST44349716188.114.96.3192.168.2.5
                                                  Sep 18, 2024 20:48:24.055777073 CEST49717443192.168.2.5172.67.142.26
                                                  Sep 18, 2024 20:48:24.055874109 CEST44349717172.67.142.26192.168.2.5
                                                  Sep 18, 2024 20:48:24.060065031 CEST49717443192.168.2.5172.67.142.26
                                                  Sep 18, 2024 20:48:24.069741011 CEST49717443192.168.2.5172.67.142.26
                                                  Sep 18, 2024 20:48:24.069818974 CEST44349717172.67.142.26192.168.2.5
                                                  Sep 18, 2024 20:48:24.577044010 CEST44349717172.67.142.26192.168.2.5
                                                  Sep 18, 2024 20:48:24.577389002 CEST49717443192.168.2.5172.67.142.26
                                                  Sep 18, 2024 20:48:24.579107046 CEST49717443192.168.2.5172.67.142.26
                                                  Sep 18, 2024 20:48:24.579161882 CEST44349717172.67.142.26192.168.2.5
                                                  Sep 18, 2024 20:48:24.579695940 CEST44349717172.67.142.26192.168.2.5
                                                  Sep 18, 2024 20:48:24.581015110 CEST49717443192.168.2.5172.67.142.26
                                                  Sep 18, 2024 20:48:24.581015110 CEST49717443192.168.2.5172.67.142.26
                                                  Sep 18, 2024 20:48:24.581198931 CEST44349717172.67.142.26192.168.2.5
                                                  Sep 18, 2024 20:48:25.044517040 CEST44349717172.67.142.26192.168.2.5
                                                  Sep 18, 2024 20:48:25.044620991 CEST44349717172.67.142.26192.168.2.5
                                                  Sep 18, 2024 20:48:25.044958115 CEST49717443192.168.2.5172.67.142.26
                                                  Sep 18, 2024 20:48:25.045295954 CEST49717443192.168.2.5172.67.142.26
                                                  Sep 18, 2024 20:48:25.045295954 CEST49717443192.168.2.5172.67.142.26
                                                  Sep 18, 2024 20:48:25.045366049 CEST44349717172.67.142.26192.168.2.5
                                                  Sep 18, 2024 20:48:25.045403004 CEST44349717172.67.142.26192.168.2.5
                                                  Sep 18, 2024 20:48:25.106646061 CEST49718443192.168.2.5172.67.176.113
                                                  Sep 18, 2024 20:48:25.106693983 CEST44349718172.67.176.113192.168.2.5
                                                  Sep 18, 2024 20:48:25.106960058 CEST49718443192.168.2.5172.67.176.113
                                                  Sep 18, 2024 20:48:25.107160091 CEST49718443192.168.2.5172.67.176.113
                                                  Sep 18, 2024 20:48:25.107177973 CEST44349718172.67.176.113192.168.2.5
                                                  Sep 18, 2024 20:48:25.579284906 CEST44349718172.67.176.113192.168.2.5
                                                  Sep 18, 2024 20:48:25.579505920 CEST49718443192.168.2.5172.67.176.113
                                                  Sep 18, 2024 20:48:25.581239939 CEST49718443192.168.2.5172.67.176.113
                                                  Sep 18, 2024 20:48:25.581294060 CEST44349718172.67.176.113192.168.2.5
                                                  Sep 18, 2024 20:48:25.581876993 CEST44349718172.67.176.113192.168.2.5
                                                  Sep 18, 2024 20:48:25.583311081 CEST49718443192.168.2.5172.67.176.113
                                                  Sep 18, 2024 20:48:25.583312035 CEST49718443192.168.2.5172.67.176.113
                                                  Sep 18, 2024 20:48:25.583554983 CEST44349718172.67.176.113192.168.2.5
                                                  Sep 18, 2024 20:48:26.034564018 CEST44349718172.67.176.113192.168.2.5
                                                  Sep 18, 2024 20:48:26.034802914 CEST44349718172.67.176.113192.168.2.5
                                                  Sep 18, 2024 20:48:26.035001040 CEST49718443192.168.2.5172.67.176.113
                                                  Sep 18, 2024 20:48:26.035049915 CEST49718443192.168.2.5172.67.176.113
                                                  Sep 18, 2024 20:48:26.035073996 CEST44349718172.67.176.113192.168.2.5
                                                  Sep 18, 2024 20:48:26.035090923 CEST49718443192.168.2.5172.67.176.113
                                                  Sep 18, 2024 20:48:26.035099030 CEST44349718172.67.176.113192.168.2.5
                                                  Sep 18, 2024 20:48:26.044840097 CEST49719443192.168.2.523.50.98.133
                                                  Sep 18, 2024 20:48:26.044929981 CEST4434971923.50.98.133192.168.2.5
                                                  Sep 18, 2024 20:48:26.045042038 CEST49719443192.168.2.523.50.98.133
                                                  Sep 18, 2024 20:48:26.045463085 CEST49719443192.168.2.523.50.98.133
                                                  Sep 18, 2024 20:48:26.045531988 CEST4434971923.50.98.133192.168.2.5
                                                  Sep 18, 2024 20:48:26.730053902 CEST4434971923.50.98.133192.168.2.5
                                                  Sep 18, 2024 20:48:26.730149031 CEST49719443192.168.2.523.50.98.133
                                                  Sep 18, 2024 20:48:26.731997967 CEST49719443192.168.2.523.50.98.133
                                                  Sep 18, 2024 20:48:26.732028008 CEST4434971923.50.98.133192.168.2.5
                                                  Sep 18, 2024 20:48:26.732558012 CEST4434971923.50.98.133192.168.2.5
                                                  Sep 18, 2024 20:48:26.734181881 CEST49719443192.168.2.523.50.98.133
                                                  Sep 18, 2024 20:48:26.779407978 CEST4434971923.50.98.133192.168.2.5
                                                  Sep 18, 2024 20:48:27.294189930 CEST4434971923.50.98.133192.168.2.5
                                                  Sep 18, 2024 20:48:27.294255972 CEST4434971923.50.98.133192.168.2.5
                                                  Sep 18, 2024 20:48:27.294403076 CEST4434971923.50.98.133192.168.2.5
                                                  Sep 18, 2024 20:48:27.294533014 CEST49719443192.168.2.523.50.98.133
                                                  Sep 18, 2024 20:48:27.294533014 CEST49719443192.168.2.523.50.98.133
                                                  Sep 18, 2024 20:48:27.294600010 CEST4434971923.50.98.133192.168.2.5
                                                  Sep 18, 2024 20:48:27.294689894 CEST49719443192.168.2.523.50.98.133
                                                  Sep 18, 2024 20:48:27.383109093 CEST4434971923.50.98.133192.168.2.5
                                                  Sep 18, 2024 20:48:27.383179903 CEST4434971923.50.98.133192.168.2.5
                                                  Sep 18, 2024 20:48:27.383208990 CEST49719443192.168.2.523.50.98.133
                                                  Sep 18, 2024 20:48:27.383249998 CEST4434971923.50.98.133192.168.2.5
                                                  Sep 18, 2024 20:48:27.383296967 CEST49719443192.168.2.523.50.98.133
                                                  Sep 18, 2024 20:48:27.399318933 CEST4434971923.50.98.133192.168.2.5
                                                  Sep 18, 2024 20:48:27.399382114 CEST4434971923.50.98.133192.168.2.5
                                                  Sep 18, 2024 20:48:27.399461985 CEST49719443192.168.2.523.50.98.133
                                                  Sep 18, 2024 20:48:27.399501085 CEST4434971923.50.98.133192.168.2.5
                                                  Sep 18, 2024 20:48:27.399564981 CEST49719443192.168.2.523.50.98.133
                                                  Sep 18, 2024 20:48:27.399574995 CEST4434971923.50.98.133192.168.2.5
                                                  Sep 18, 2024 20:48:27.399633884 CEST49719443192.168.2.523.50.98.133
                                                  Sep 18, 2024 20:48:27.399676085 CEST49719443192.168.2.523.50.98.133
                                                  Sep 18, 2024 20:48:27.399677038 CEST49719443192.168.2.523.50.98.133
                                                  Sep 18, 2024 20:48:27.399709940 CEST4434971923.50.98.133192.168.2.5
                                                  Sep 18, 2024 20:48:27.399732113 CEST4434971923.50.98.133192.168.2.5

                                                  UDP Packets

                                                  TimestampSource PortDest PortSource IPDest IP
                                                  Sep 18, 2024 20:48:16.480066061 CEST5331853192.168.2.51.1.1.1
                                                  Sep 18, 2024 20:48:16.492880106 CEST53533181.1.1.1192.168.2.5
                                                  Sep 18, 2024 20:48:18.457868099 CEST5282153192.168.2.51.1.1.1
                                                  Sep 18, 2024 20:48:18.473041058 CEST53528211.1.1.1192.168.2.5
                                                  Sep 18, 2024 20:48:19.555618048 CEST6532353192.168.2.51.1.1.1
                                                  Sep 18, 2024 20:48:19.577725887 CEST53653231.1.1.1192.168.2.5
                                                  Sep 18, 2024 20:48:20.652106047 CEST5745053192.168.2.51.1.1.1
                                                  Sep 18, 2024 20:48:20.670461893 CEST53574501.1.1.1192.168.2.5
                                                  Sep 18, 2024 20:48:21.625896931 CEST5461853192.168.2.51.1.1.1
                                                  Sep 18, 2024 20:48:21.642545938 CEST53546181.1.1.1192.168.2.5
                                                  Sep 18, 2024 20:48:23.001789093 CEST6539753192.168.2.51.1.1.1
                                                  Sep 18, 2024 20:48:23.017899036 CEST53653971.1.1.1192.168.2.5
                                                  Sep 18, 2024 20:48:24.019639015 CEST5411953192.168.2.51.1.1.1
                                                  Sep 18, 2024 20:48:24.038846016 CEST53541191.1.1.1192.168.2.5
                                                  Sep 18, 2024 20:48:25.087706089 CEST5741753192.168.2.51.1.1.1
                                                  Sep 18, 2024 20:48:25.105817080 CEST53574171.1.1.1192.168.2.5
                                                  Sep 18, 2024 20:48:26.036457062 CEST5484353192.168.2.51.1.1.1
                                                  Sep 18, 2024 20:48:26.043987036 CEST53548431.1.1.1192.168.2.5
                                                  Sep 18, 2024 20:48:27.401211023 CEST5268653192.168.2.51.1.1.1
                                                  Sep 18, 2024 20:48:27.412663937 CEST53526861.1.1.1192.168.2.5

                                                  DNS Queries

                                                  TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                  Sep 18, 2024 20:48:16.480066061 CEST192.168.2.51.1.1.10xbad4Standard query (0)keennylrwmqlw.shopA (IP address)IN (0x0001)false
                                                  Sep 18, 2024 20:48:18.457868099 CEST192.168.2.51.1.1.10x5773Standard query (0)licenseodqwmqn.shopA (IP address)IN (0x0001)false
                                                  Sep 18, 2024 20:48:19.555618048 CEST192.168.2.51.1.1.10x4ab8Standard query (0)tendencctywop.shopA (IP address)IN (0x0001)false
                                                  Sep 18, 2024 20:48:20.652106047 CEST192.168.2.51.1.1.10x89c0Standard query (0)tesecuuweqo.shopA (IP address)IN (0x0001)false
                                                  Sep 18, 2024 20:48:21.625896931 CEST192.168.2.51.1.1.10x4e86Standard query (0)relaxatinownio.shopA (IP address)IN (0x0001)false
                                                  Sep 18, 2024 20:48:23.001789093 CEST192.168.2.51.1.1.10x4a7cStandard query (0)reggwardssdqw.shopA (IP address)IN (0x0001)false
                                                  Sep 18, 2024 20:48:24.019639015 CEST192.168.2.51.1.1.10x9211Standard query (0)eemmbryequo.shopA (IP address)IN (0x0001)false
                                                  Sep 18, 2024 20:48:25.087706089 CEST192.168.2.51.1.1.10x4babStandard query (0)tryyudjasudqo.shopA (IP address)IN (0x0001)false
                                                  Sep 18, 2024 20:48:26.036457062 CEST192.168.2.51.1.1.10x388cStandard query (0)steamcommunity.comA (IP address)IN (0x0001)false
                                                  Sep 18, 2024 20:48:27.401211023 CEST192.168.2.51.1.1.10xbb5eStandard query (0)tenntysjuxmz.shopA (IP address)IN (0x0001)false

                                                  DNS Answers

                                                  TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                  Sep 18, 2024 20:48:16.492880106 CEST1.1.1.1192.168.2.50xbad4No error (0)keennylrwmqlw.shop172.67.218.144A (IP address)IN (0x0001)false
                                                  Sep 18, 2024 20:48:16.492880106 CEST1.1.1.1192.168.2.50xbad4No error (0)keennylrwmqlw.shop104.21.86.109A (IP address)IN (0x0001)false
                                                  Sep 18, 2024 20:48:18.473041058 CEST1.1.1.1192.168.2.50x5773No error (0)licenseodqwmqn.shop104.21.25.77A (IP address)IN (0x0001)false
                                                  Sep 18, 2024 20:48:18.473041058 CEST1.1.1.1192.168.2.50x5773No error (0)licenseodqwmqn.shop172.67.223.248A (IP address)IN (0x0001)false
                                                  Sep 18, 2024 20:48:19.577725887 CEST1.1.1.1192.168.2.50x4ab8No error (0)tendencctywop.shop172.67.178.226A (IP address)IN (0x0001)false
                                                  Sep 18, 2024 20:48:19.577725887 CEST1.1.1.1192.168.2.50x4ab8No error (0)tendencctywop.shop104.21.17.244A (IP address)IN (0x0001)false
                                                  Sep 18, 2024 20:48:20.670461893 CEST1.1.1.1192.168.2.50x89c0No error (0)tesecuuweqo.shop104.21.42.156A (IP address)IN (0x0001)false
                                                  Sep 18, 2024 20:48:20.670461893 CEST1.1.1.1192.168.2.50x89c0No error (0)tesecuuweqo.shop172.67.206.149A (IP address)IN (0x0001)false
                                                  Sep 18, 2024 20:48:21.642545938 CEST1.1.1.1192.168.2.50x4e86No error (0)relaxatinownio.shop104.21.64.138A (IP address)IN (0x0001)false
                                                  Sep 18, 2024 20:48:21.642545938 CEST1.1.1.1192.168.2.50x4e86No error (0)relaxatinownio.shop172.67.151.53A (IP address)IN (0x0001)false
                                                  Sep 18, 2024 20:48:23.017899036 CEST1.1.1.1192.168.2.50x4a7cNo error (0)reggwardssdqw.shop188.114.96.3A (IP address)IN (0x0001)false
                                                  Sep 18, 2024 20:48:23.017899036 CEST1.1.1.1192.168.2.50x4a7cNo error (0)reggwardssdqw.shop188.114.97.3A (IP address)IN (0x0001)false
                                                  Sep 18, 2024 20:48:24.038846016 CEST1.1.1.1192.168.2.50x9211No error (0)eemmbryequo.shop172.67.142.26A (IP address)IN (0x0001)false
                                                  Sep 18, 2024 20:48:24.038846016 CEST1.1.1.1192.168.2.50x9211No error (0)eemmbryequo.shop104.21.39.11A (IP address)IN (0x0001)false
                                                  Sep 18, 2024 20:48:25.105817080 CEST1.1.1.1192.168.2.50x4babNo error (0)tryyudjasudqo.shop172.67.176.113A (IP address)IN (0x0001)false
                                                  Sep 18, 2024 20:48:25.105817080 CEST1.1.1.1192.168.2.50x4babNo error (0)tryyudjasudqo.shop104.21.48.36A (IP address)IN (0x0001)false
                                                  Sep 18, 2024 20:48:26.043987036 CEST1.1.1.1192.168.2.50x388cNo error (0)steamcommunity.com23.50.98.133A (IP address)IN (0x0001)false
                                                  Sep 18, 2024 20:48:27.412663937 CEST1.1.1.1192.168.2.50xbb5eName error (3)tenntysjuxmz.shopnonenoneA (IP address)IN (0x0001)false

                                                  HTTP Request Dependency Graph

                                                  • keennylrwmqlw.shop
                                                  • licenseodqwmqn.shop
                                                  • tendencctywop.shop
                                                  • tesecuuweqo.shop
                                                  • relaxatinownio.shop
                                                  • reggwardssdqw.shop
                                                  • eemmbryequo.shop
                                                  • tryyudjasudqo.shop
                                                  • steamcommunity.com

                                                  HTTPS Proxied Packets

                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                  0192.168.2.549704172.67.218.1444437032C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                                  TimestampBytes transferredDirectionData
                                                  2024-09-18 18:48:17 UTC265OUTPOST /api HTTP/1.1
                                                  Connection: Keep-Alive
                                                  Content-Type: application/x-www-form-urlencoded
                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                  Content-Length: 8
                                                  Host: keennylrwmqlw.shop
                                                  2024-09-18 18:48:17 UTC8OUTData Raw: 61 63 74 3d 6c 69 66 65
                                                  Data Ascii: act=life
                                                  2024-09-18 18:48:17 UTC804INHTTP/1.1 200 OK
                                                  Date: Wed, 18 Sep 2024 18:48:17 GMT
                                                  Content-Type: text/html; charset=UTF-8
                                                  Transfer-Encoding: chunked
                                                  Connection: close
                                                  Set-Cookie: PHPSESSID=2nt017uvhfuudv99mqrpmf27ra; expires=Sun, 12 Jan 2025 12:34:56 GMT; Max-Age=9999999; path=/
                                                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                  Cache-Control: no-store, no-cache, must-revalidate
                                                  Pragma: no-cache
                                                  CF-Cache-Status: DYNAMIC
                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mrLSMunj9N6fHIQqCy3vHZn5YYWWWUQywJ3MqTaD7GzSMYiBp7J2qmazZlQvMXRErxb%2BR9YN9KIKlQdRKniUpsepnrJYiM%2Fci%2FKVMCkWO%2FSpnWx0Vie4QFyQjX2Am9UtG2QV19U%3D"}],"group":"cf-nel","max_age":604800}
                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                  Server: cloudflare
                                                  CF-RAY: 8c538262ba620f8b-EWR
                                                  alt-svc: h3=":443"; ma=86400
                                                  2024-09-18 18:48:17 UTC15INData Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
                                                  Data Ascii: aerror #D12
                                                  2024-09-18 18:48:17 UTC5INData Raw: 30 0d 0a 0d 0a
                                                  Data Ascii: 0


                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                  1192.168.2.549705172.67.218.1444437032C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                                  TimestampBytes transferredDirectionData
                                                  2024-09-18 18:48:17 UTC265OUTPOST /api HTTP/1.1
                                                  Connection: Keep-Alive
                                                  Content-Type: application/x-www-form-urlencoded
                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                  Content-Length: 8
                                                  Host: keennylrwmqlw.shop
                                                  2024-09-18 18:48:17 UTC8OUTData Raw: 61 63 74 3d 6c 69 66 65
                                                  Data Ascii: act=life
                                                  2024-09-18 18:48:18 UTC804INHTTP/1.1 200 OK
                                                  Date: Wed, 18 Sep 2024 18:48:18 GMT
                                                  Content-Type: text/html; charset=UTF-8
                                                  Transfer-Encoding: chunked
                                                  Connection: close
                                                  Set-Cookie: PHPSESSID=t8s6n5obengb3b6tf72kgv1frv; expires=Sun, 12 Jan 2025 12:34:57 GMT; Max-Age=9999999; path=/
                                                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                  Cache-Control: no-store, no-cache, must-revalidate
                                                  Pragma: no-cache
                                                  CF-Cache-Status: DYNAMIC
                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BLh9BVCtZ4QzdCktHBIcEiUDBQWkREAqq%2BAkw14WgjsRVMX9eqzxW%2BY8r0Deqrqo68uuggPBy4TozdLi3igoz8jMdoGxVz%2BAQcsPJFz%2Fo92S54CT6BY1UuLwaa1NP4gsKkgjH5Y%3D"}],"group":"cf-nel","max_age":604800}
                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                  Server: cloudflare
                                                  CF-RAY: 8c538268de1dc448-EWR
                                                  alt-svc: h3=":443"; ma=86400
                                                  2024-09-18 18:48:18 UTC15INData Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
                                                  Data Ascii: aerror #D12
                                                  2024-09-18 18:48:18 UTC5INData Raw: 30 0d 0a 0d 0a
                                                  Data Ascii: 0


                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                  2192.168.2.549707104.21.25.774437032C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                                  TimestampBytes transferredDirectionData
                                                  2024-09-18 18:48:19 UTC266OUTPOST /api HTTP/1.1
                                                  Connection: Keep-Alive
                                                  Content-Type: application/x-www-form-urlencoded
                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                  Content-Length: 8
                                                  Host: licenseodqwmqn.shop
                                                  2024-09-18 18:48:19 UTC8OUTData Raw: 61 63 74 3d 6c 69 66 65
                                                  Data Ascii: act=life
                                                  2024-09-18 18:48:19 UTC796INHTTP/1.1 200 OK
                                                  Date: Wed, 18 Sep 2024 18:48:19 GMT
                                                  Content-Type: text/html; charset=UTF-8
                                                  Transfer-Encoding: chunked
                                                  Connection: close
                                                  Set-Cookie: PHPSESSID=8tlrm3sf682697km5k75ubck8o; expires=Sun, 12 Jan 2025 12:34:58 GMT; Max-Age=9999999; path=/
                                                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                  Cache-Control: no-store, no-cache, must-revalidate
                                                  Pragma: no-cache
                                                  CF-Cache-Status: DYNAMIC
                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=l4jdapu0XWqDiGNuXurQBmoH3EEBBJwF1wnUjJIy7Y1kc1DYgwdXQUx0PNg1oyP5%2FN0UkN4FsJtjOc8I2BJXhkc7bUrdTgVzaaSVKT2NmD7U4ONpzV3ZjOjpvqGwQ0xLFBGA6JVa"}],"group":"cf-nel","max_age":604800}
                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                  Server: cloudflare
                                                  CF-RAY: 8c53826f8b384327-EWR
                                                  alt-svc: h3=":443"; ma=86400
                                                  2024-09-18 18:48:19 UTC15INData Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
                                                  Data Ascii: aerror #D12
                                                  2024-09-18 18:48:19 UTC5INData Raw: 30 0d 0a 0d 0a
                                                  Data Ascii: 0


                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                  3192.168.2.549710172.67.178.2264437032C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                                  TimestampBytes transferredDirectionData
                                                  2024-09-18 18:48:20 UTC265OUTPOST /api HTTP/1.1
                                                  Connection: Keep-Alive
                                                  Content-Type: application/x-www-form-urlencoded
                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                  Content-Length: 8
                                                  Host: tendencctywop.shop
                                                  2024-09-18 18:48:20 UTC8OUTData Raw: 61 63 74 3d 6c 69 66 65
                                                  Data Ascii: act=life
                                                  2024-09-18 18:48:20 UTC804INHTTP/1.1 200 OK
                                                  Date: Wed, 18 Sep 2024 18:48:20 GMT
                                                  Content-Type: text/html; charset=UTF-8
                                                  Transfer-Encoding: chunked
                                                  Connection: close
                                                  Set-Cookie: PHPSESSID=d3q7rcbfas409o45pfhkg50ar1; expires=Sun, 12 Jan 2025 12:34:59 GMT; Max-Age=9999999; path=/
                                                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                  Cache-Control: no-store, no-cache, must-revalidate
                                                  Pragma: no-cache
                                                  CF-Cache-Status: DYNAMIC
                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NLijvgeB6%2FmZnL%2BqF1fQplGIlK%2Fr7UWVjmV1qAMZx1BJwKUaq2b06YQRZWdFjTsIKaCNxnvBIXfEoaaI2vWkdaEUeQSqqglfch16yiBEJ%2FvkcHKD03NaJdsrUWbuxB9OVXvhVIc%3D"}],"group":"cf-nel","max_age":604800}
                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                  Server: cloudflare
                                                  CF-RAY: 8c5382767e8f4201-EWR
                                                  alt-svc: h3=":443"; ma=86400
                                                  2024-09-18 18:48:20 UTC15INData Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
                                                  Data Ascii: aerror #D12
                                                  2024-09-18 18:48:20 UTC5INData Raw: 30 0d 0a 0d 0a
                                                  Data Ascii: 0


                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                  4192.168.2.549713104.21.42.1564437032C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                                  TimestampBytes transferredDirectionData
                                                  2024-09-18 18:48:21 UTC263OUTPOST /api HTTP/1.1
                                                  Connection: Keep-Alive
                                                  Content-Type: application/x-www-form-urlencoded
                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                  Content-Length: 8
                                                  Host: tesecuuweqo.shop
                                                  2024-09-18 18:48:21 UTC8OUTData Raw: 61 63 74 3d 6c 69 66 65
                                                  Data Ascii: act=life
                                                  2024-09-18 18:48:21 UTC800INHTTP/1.1 200 OK
                                                  Date: Wed, 18 Sep 2024 18:48:21 GMT
                                                  Content-Type: text/html; charset=UTF-8
                                                  Transfer-Encoding: chunked
                                                  Connection: close
                                                  Set-Cookie: PHPSESSID=kp0uo8rsvs1785crolfile7dh4; expires=Sun, 12 Jan 2025 12:35:00 GMT; Max-Age=9999999; path=/
                                                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                  Cache-Control: no-store, no-cache, must-revalidate
                                                  Pragma: no-cache
                                                  CF-Cache-Status: DYNAMIC
                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0hdpyqro9O3ZRQ9qI5qsdw5mTuRZaK7VYBbR%2B8JbDWss7Lf56rrmiHUVNNE%2B2vBxLvU6Zkfpq8cxPIONfKQaL%2FbJ78Gw3Ib7Es3%2BkjTAzH1Z4INjSjpzBLidbV%2FusYP6lscQ"}],"group":"cf-nel","max_age":604800}
                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                  Server: cloudflare
                                                  CF-RAY: 8c53827cbea01962-EWR
                                                  alt-svc: h3=":443"; ma=86400
                                                  2024-09-18 18:48:21 UTC15INData Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
                                                  Data Ascii: aerror #D12
                                                  2024-09-18 18:48:21 UTC5INData Raw: 30 0d 0a 0d 0a
                                                  Data Ascii: 0


                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                  5192.168.2.549715104.21.64.1384437032C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                                  TimestampBytes transferredDirectionData
                                                  2024-09-18 18:48:22 UTC266OUTPOST /api HTTP/1.1
                                                  Connection: Keep-Alive
                                                  Content-Type: application/x-www-form-urlencoded
                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                  Content-Length: 8
                                                  Host: relaxatinownio.shop
                                                  2024-09-18 18:48:22 UTC8OUTData Raw: 61 63 74 3d 6c 69 66 65
                                                  Data Ascii: act=life
                                                  2024-09-18 18:48:22 UTC806INHTTP/1.1 200 OK
                                                  Date: Wed, 18 Sep 2024 18:48:22 GMT
                                                  Content-Type: text/html; charset=UTF-8
                                                  Transfer-Encoding: chunked
                                                  Connection: close
                                                  Set-Cookie: PHPSESSID=gngbljqrgb2aqand7rp4l5kqtr; expires=Sun, 12 Jan 2025 12:35:01 GMT; Max-Age=9999999; path=/
                                                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                  Cache-Control: no-store, no-cache, must-revalidate
                                                  Pragma: no-cache
                                                  CF-Cache-Status: DYNAMIC
                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gNvKiaB%2BIIZLIdVgZb4VkYsCx7MKA6SfNbxYh%2BC51YCv%2FO72lpGIqOfgyRy5qUQLZyWL1yxDquOr4IaWHr%2BmLcEbHQk%2B4dOF20lDmO14ZM8Sie5i6gRI9MYHtZBGMCII3HdUakV%2B"}],"group":"cf-nel","max_age":604800}
                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                  Server: cloudflare
                                                  CF-RAY: 8c538284bbe141fe-EWR
                                                  alt-svc: h3=":443"; ma=86400
                                                  2024-09-18 18:48:22 UTC15INData Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
                                                  Data Ascii: aerror #D12
                                                  2024-09-18 18:48:22 UTC5INData Raw: 30 0d 0a 0d 0a
                                                  Data Ascii: 0


                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                  6192.168.2.549716188.114.96.34437032C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                                  TimestampBytes transferredDirectionData
                                                  2024-09-18 18:48:23 UTC265OUTPOST /api HTTP/1.1
                                                  Connection: Keep-Alive
                                                  Content-Type: application/x-www-form-urlencoded
                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                  Content-Length: 8
                                                  Host: reggwardssdqw.shop
                                                  2024-09-18 18:48:23 UTC8OUTData Raw: 61 63 74 3d 6c 69 66 65
                                                  Data Ascii: act=life
                                                  2024-09-18 18:48:23 UTC804INHTTP/1.1 200 OK
                                                  Date: Wed, 18 Sep 2024 18:48:23 GMT
                                                  Content-Type: text/html; charset=UTF-8
                                                  Transfer-Encoding: chunked
                                                  Connection: close
                                                  Set-Cookie: PHPSESSID=fm3j9mgb9k9k2ql1qpuqopfb5j; expires=Sun, 12 Jan 2025 12:35:02 GMT; Max-Age=9999999; path=/
                                                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                  Cache-Control: no-store, no-cache, must-revalidate
                                                  Pragma: no-cache
                                                  CF-Cache-Status: DYNAMIC
                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PFNWxjcDjuD6WjNJD21w%2BIsoNxsRisGlpoZhyyLTBDXbXaD0M5q7cLq388VSfj%2FxI0DcOmpfb8ZIOG14S25YlpXER87hNxW%2BoAIy0ChB3DL0nEjk0RB3nn06x7Vl01gV8g%2FhwO8%3D"}],"group":"cf-nel","max_age":604800}
                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                  Server: cloudflare
                                                  CF-RAY: 8c53828b5faa435b-EWR
                                                  alt-svc: h3=":443"; ma=86400
                                                  2024-09-18 18:48:23 UTC15INData Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
                                                  Data Ascii: aerror #D12
                                                  2024-09-18 18:48:23 UTC5INData Raw: 30 0d 0a 0d 0a
                                                  Data Ascii: 0


                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                  7192.168.2.549717172.67.142.264437032C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                                  TimestampBytes transferredDirectionData
                                                  2024-09-18 18:48:24 UTC263OUTPOST /api HTTP/1.1
                                                  Connection: Keep-Alive
                                                  Content-Type: application/x-www-form-urlencoded
                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                  Content-Length: 8
                                                  Host: eemmbryequo.shop
                                                  2024-09-18 18:48:24 UTC8OUTData Raw: 61 63 74 3d 6c 69 66 65
                                                  Data Ascii: act=life
                                                  2024-09-18 18:48:25 UTC794INHTTP/1.1 200 OK
                                                  Date: Wed, 18 Sep 2024 18:48:24 GMT
                                                  Content-Type: text/html; charset=UTF-8
                                                  Transfer-Encoding: chunked
                                                  Connection: close
                                                  Set-Cookie: PHPSESSID=vi8r2j5meb0oopsv1ltb319dp4; expires=Sun, 12 Jan 2025 12:35:03 GMT; Max-Age=9999999; path=/
                                                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                  Cache-Control: no-store, no-cache, must-revalidate
                                                  Pragma: no-cache
                                                  CF-Cache-Status: DYNAMIC
                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sDA7xtXoasF5CwOcV8flCf0yGINC02dkpRWpPZ3qA8qwohAEsumuPOTkHAzNbMCS41qQjJ7NgWDkFcuxOG%2BgrCSH1wQTBzpzU5AD5GzYy8ppJLm%2B3AkNJXiubpIvzNguJZD9"}],"group":"cf-nel","max_age":604800}
                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                  Server: cloudflare
                                                  CF-RAY: 8c5382920a064237-EWR
                                                  alt-svc: h3=":443"; ma=86400
                                                  2024-09-18 18:48:25 UTC15INData Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
                                                  Data Ascii: aerror #D12
                                                  2024-09-18 18:48:25 UTC5INData Raw: 30 0d 0a 0d 0a
                                                  Data Ascii: 0


                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                  8192.168.2.549718172.67.176.1134437032C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                                  TimestampBytes transferredDirectionData
                                                  2024-09-18 18:48:25 UTC265OUTPOST /api HTTP/1.1
                                                  Connection: Keep-Alive
                                                  Content-Type: application/x-www-form-urlencoded
                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                  Content-Length: 8
                                                  Host: tryyudjasudqo.shop
                                                  2024-09-18 18:48:25 UTC8OUTData Raw: 61 63 74 3d 6c 69 66 65
                                                  Data Ascii: act=life
                                                  2024-09-18 18:48:26 UTC814INHTTP/1.1 200 OK
                                                  Date: Wed, 18 Sep 2024 18:48:25 GMT
                                                  Content-Type: text/html; charset=UTF-8
                                                  Transfer-Encoding: chunked
                                                  Connection: close
                                                  Set-Cookie: PHPSESSID=4et8aq19vkuujqppajuu0rs7bv; expires=Sun, 12 Jan 2025 12:35:04 GMT; Max-Age=9999999; path=/
                                                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                  Cache-Control: no-store, no-cache, must-revalidate
                                                  Pragma: no-cache
                                                  CF-Cache-Status: DYNAMIC
                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vbqFf1jeU%2B8Eeh1sOUwMP5UwEH%2F3jPFWutvFdLe0sA3B96IYe%2Bvq6%2BxemcCoNw%2FtN17biIEN5YzuYMCqT%2FF%2Fg4t07jtWGly%2Fj1Xbz%2Fd9MtmBCaamBnUOkooFqGTmhnteINIYEts%3D"}],"group":"cf-nel","max_age":604800}
                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                  Server: cloudflare
                                                  CF-RAY: 8c5382984e7f0f3e-EWR
                                                  alt-svc: h3=":443"; ma=86400
                                                  2024-09-18 18:48:26 UTC15INData Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
                                                  Data Ascii: aerror #D12
                                                  2024-09-18 18:48:26 UTC5INData Raw: 30 0d 0a 0d 0a
                                                  Data Ascii: 0


                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                  9192.168.2.54971923.50.98.1334437032C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                                  TimestampBytes transferredDirectionData
                                                  2024-09-18 18:48:26 UTC219OUTGET /profiles/76561199724331900 HTTP/1.1
                                                  Connection: Keep-Alive
                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                  Host: steamcommunity.com
                                                  2024-09-18 18:48:27 UTC1870INHTTP/1.1 200 OK
                                                  Server: nginx
                                                  Content-Type: text/html; charset=UTF-8
                                                  Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED]
                                                  Expires: Mon, 26 Jul 1997 05:00:00 GMT
                                                  Cache-Control: no-cache
                                                  Date: Wed, 18 Sep 2024 18:48:27 GMT
                                                  Content-Length: 34678
                                                  Connection: close
                                                  Set-Cookie: sessionid=a80d88982ad2e5c01d8b36b2; Path=/; Secure; SameSite=None
                                                  Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
                                                  2024-09-18 18:48:27 UTC14514INData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c
                                                  Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
                                                  2024-09-18 18:48:27 UTC10062INData Raw: 73 73 27 3a 20 27 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 65 6e 74 27 2c 20 27 6f 66 66 73 65 74 59 27 3a 2d 36 2c 20 27 6f 66 66 73 65 74 58 27 3a 20 31 2c 20 27 68 6f 72 69 7a 6f 6e 74 61 6c 53 6e 61 70 27 3a 20 34 2c 20 27 74 6f 6f 6c 74 69 70 50 61 72 65 6e 74 27 3a 20 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 61 69 6e 65 72 27 2c 20 27 63 6f 72 72 65 63 74 46 6f 72 53 63 72 65 65 6e 53 69 7a 65 27 3a 20 66 61 6c 73 65 7d 29 3b 0d 0a 09 09 7d 29 3b 0d 0a 09 3c 2f 73 63 72 69 70 74 3e 0d 0a 0d 0a 09 09 3c 64 69 76 20 69 64 3d 22 67 6c 6f 62 61 6c 5f 61 63 74 69 6f 6e 73 22 3e 0d 0a 09 09 09 3c 64 69 76 20 72 6f 6c 65 3d 22 6e 61 76 69 67 61 74 69 6f 6e 22 20 69 64 3d 22 67 6c 6f 62 61 6c 5f 61 63 74 69 6f
                                                  Data Ascii: ss': 'supernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#global_header .supernav_container', 'correctForScreenSize': false});});</script><div id="global_actions"><div role="navigation" id="global_actio
                                                  2024-09-18 18:48:27 UTC10102INData Raw: 74 3b 2c 26 71 75 6f 74 3b 43 4f 4d 4d 55 4e 49 54 59 5f 43 44 4e 5f 41 53 53 45 54 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 63 64 6e 2e 61 6b 61 6d 61 69 2e 73 74 65 61 6d 73 74 61 74 69 63 2e 63 6f 6d 5c 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 5c 2f 70 75 62 6c 69 63 5c 2f 61 73 73 65 74 73 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 53 54 4f 52 45 5f 43 44 4e 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 73 74 6f 72 65 2e 61 6b 61 6d 61 69 2e 73 74 65 61 6d 73 74 61 74 69 63 2e 63 6f 6d 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 50 55 42 4c 49 43 5f 53 48 41 52 45 44 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 63 6f 6d 6d 75 6e 69 74
                                                  Data Ascii: t;,&quot;COMMUNITY_CDN_ASSET_URL&quot;:&quot;https:\/\/cdn.akamai.steamstatic.com\/steamcommunity\/public\/assets\/&quot;,&quot;STORE_CDN_URL&quot;:&quot;https:\/\/store.akamai.steamstatic.com\/&quot;,&quot;PUBLIC_SHARED_URL&quot;:&quot;https:\/\/communit


                                                  Statistics

                                                  CPU Usage

                                                  Click to jump to process

                                                  Memory Usage

                                                  Click to jump to process

                                                  Behavior

                                                  Click to jump to process

                                                  System Behavior

                                                  General

                                                  Target ID:0
                                                  Start time:14:48:02
                                                  Start date:18/09/2024
                                                  Path:C:\Users\user\Desktop\file.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\Desktop\file.exe"
                                                  Imagebase:0xeb0000
                                                  File size:11'207'680 bytes
                                                  MD5 hash:5FB5E099087CA0DB68F8D58AE7555949
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low
                                                  Has exited:true

                                                  General

                                                  Target ID:2
                                                  Start time:14:48:09
                                                  Start date:18/09/2024
                                                  Path:C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
                                                  Imagebase:0x9b0000
                                                  File size:231'736 bytes
                                                  MD5 hash:A64BEAB5D4516BECA4C40B25DC0C1CD8
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:moderate
                                                  Has exited:true

                                                  Disassembly

                                                  Reset < >

                                                    Execution Graph

                                                    Execution Coverage:1.1%
                                                    Dynamic/Decrypted Code Coverage:0%
                                                    Signature Coverage:4.5%
                                                    Total number of Nodes:22
                                                    Total number of Limit Nodes:3
                                                    execution_graph 18611 40cef0 18612 40cef9 18611->18612 18613 40cf01 GetInputState 18612->18613 18614 40d148 ExitProcess 18612->18614 18615 40cf0e 18613->18615 18616 40d143 18615->18616 18617 40cf16 GetCurrentThreadId GetCurrentProcessId 18615->18617 18624 440fa0 18616->18624 18619 40cf41 18617->18619 18619->18616 18623 411360 CoInitialize 18619->18623 18627 442640 18624->18627 18626 440fa5 FreeLibrary 18626->18614 18628 442649 18627->18628 18628->18626 18629 43e532 RtlAllocateHeap 18630 44173d 18632 44176a 18630->18632 18631 4417d2 18632->18631 18634 4410b0 LdrInitializeThunk 18632->18634 18634->18631 18607 43e568 18608 43e612 RtlFreeHeap 18607->18608 18609 43e618 18607->18609 18610 43e574 18607->18610 18608->18609 18610->18608

                                                    Executed Functions

                                                    Function 004106EC Relevance: 5.3, Strings: 4, Instructions: 305COMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 59 4106ec-4106f1 60 4106f8-410703 59->60 61 410748-410761 59->61 62 41042a-410452 59->62 63 41070a 60->63 61->60 61->61 64 4105c6-4105e8 61->64 65 4104a8-4104ca 61->65 66 4106ea 61->66 69 410459-410462 62->69 87 410714 63->87 67 41062b-410662 64->67 68 4105ea 64->68 74 410511-410548 65->74 75 4104cc-4104cf 65->75 66->59 72 410664 67->72 73 4106cc-4106e5 67->73 71 4105f0-410629 68->71 76 4101e0 69->76 77 410230-41023b call 440fc0 69->77 78 4102a2-4102b1 69->78 79 4101f5-410208 69->79 80 410215-410223 call 440fc0 69->80 81 410244-41024b 69->81 82 410487 69->82 83 410496-4104a0 69->83 84 4102b6-4102c4 69->84 85 410469-410480 69->85 86 41020f 69->86 71->67 71->71 93 410670-4106ca 72->93 73->66 96 4105ab-4105ba 74->96 97 41054a 74->97 94 4104d0-41050f 75->94 90 4101e4-4101e5 76->90 77->81 78->76 78->84 79->77 79->80 79->81 79->84 79->86 80->77 81->84 88 4102cb 81->88 89 4102cf 81->89 98 410290-410295 81->98 99 410252-41027a 81->99 100 41029c 81->100 101 410491 82->101 83->63 84->88 84->89 85->76 85->77 85->78 85->79 85->80 85->81 85->82 85->83 85->84 85->86 86->80 103 41071e-410722 87->103 88->89 89->82 109 4101ef 90->109 93->73 93->93 94->74 94->94 110 4105c0 96->110 108 410550-4105a9 97->108 98->84 98->88 98->89 98->100 99->84 99->88 99->89 99->98 99->100 101->63 112 410725 103->112 108->96 108->108 109->109 110->110 112->112
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: lS$lS$f$f
                                                    • API String ID: 0-1719000599
                                                    • Opcode ID: 5fd0b2289e35c7273666bb133459fd63312584f20ac008adbc3ce9745a1e3b9b
                                                    • Instruction ID: 8f34b214da532c0b6091c0e1cef0e56d6be549a7c08c9a985b8a54681b5e7982
                                                    • Opcode Fuzzy Hash: 5fd0b2289e35c7273666bb133459fd63312584f20ac008adbc3ce9745a1e3b9b
                                                    • Instruction Fuzzy Hash: BEB1B879108340DBD314DF14D950B2FBBF2EBC6710F05892CE685872A0DB79AC19CB9A
                                                    Function 0040F80C Relevance: 4.2, Strings: 3, Instructions: 414COMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 113 40f80c-40f811 114 40f818-40f81a 113->114 115 40f81f-40fa0f 113->115 116 40fcc2-40fcc9 114->116 117 40fa11 115->117 118 40fa4f-40fa6f 115->118 119 40fa20-40fa4d 117->119 121 40fb20 118->121 122 40fb40-40fb42 118->122 123 40fd82-40fd8b 118->123 124 40fc63 118->124 125 40fb44-40fb5a 118->125 126 40fc75-40fc81 118->126 127 40fa76-40faf8 call 40c7c0 118->127 128 40fb26-40fb39 118->128 129 40fddc-40fde8 118->129 130 40fcad-40fcbf 118->130 131 40fdcd-40fdd9 118->131 132 40faff-40fb06 118->132 119->118 119->119 144 40fbaa-40fbd1 122->144 134 40fd30 123->134 135 40fd92-40fda4 123->135 136 40fd66-40fd7d 123->136 137 40fd26-40fd2f 123->137 138 40fcca-40fccf 123->138 139 40fdab 123->139 140 40fd3c-40fd5f 123->140 141 40fd1d 123->141 142 40fc6f 123->142 143 40fcff-40fd16 call 440fc0 123->143 124->142 145 40fba8 125->145 146 40fb5c-40fb5f 125->146 154 40fc8a-40fc91 126->154 127->121 127->122 127->123 127->124 127->125 127->126 127->128 127->129 127->131 127->132 128->122 128->123 128->124 128->125 128->126 128->129 128->131 155 40fdeb 129->155 130->116 131->129 132->121 134->140 135->134 135->136 135->137 135->138 135->139 135->140 135->141 135->142 135->143 147 40fcd9-40fcdd 136->147 137->134 138->126 138->130 138->142 150 40fdc0-40fdc7 138->150 151 40fca0-40fca7 138->151 152 40fdb4-40fdbb 138->152 153 40fcd6 138->153 138->154 139->152 140->126 140->130 140->136 140->142 140->150 140->151 140->152 140->153 140->154 141->137 143->134 143->137 143->138 143->140 143->141 158 40fbd3 144->158 159 40fc3b-40fc5c 144->159 145->144 157 40fb60-40fba6 146->157 170 40fce4-40fcf8 147->170 150->131 151->130 152->150 153->147 154->151 155->155 157->145 157->157 160 40fbe0-40fc39 158->160 159->123 159->124 159->126 159->129 159->131 160->159 160->160 170->134 170->137 170->138 170->140 170->141 170->142 170->143
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: !%$#4$+(
                                                    • API String ID: 0-3417874192
                                                    • Opcode ID: 8897ff55ee7a627fd2ade94ae8ff1ea87ddbf6626c5447caec360db777ef6479
                                                    • Instruction ID: e3c1e70b24a45f6c60137d5986152daecda2c0353a18b26fa1e13f879c734766
                                                    • Opcode Fuzzy Hash: 8897ff55ee7a627fd2ade94ae8ff1ea87ddbf6626c5447caec360db777ef6479
                                                    • Instruction Fuzzy Hash: A2F114B5200B02EFD324CF25D890756BBB1FB46714F148A2DD5AA8BBA0D734E865CF94
                                                    Function 004104AD Relevance: 2.6, Strings: 2, Instructions: 83COMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 192 4104ad-4104ca 193 410511-410548 192->193 194 4104cc-4104cf 192->194 196 4105ab-4105ba 193->196 197 41054a 193->197 195 4104d0-41050f 194->195 195->193 195->195 199 4105c0 196->199 198 410550-4105a9 197->198 198->196 198->198 199->199
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: lS$f
                                                    • API String ID: 0-1711747767
                                                    • Opcode ID: dc23599184ef4cc190c0beb7d935bc3b53346acedaaf35bf605992035dd5369b
                                                    • Instruction ID: 30b2c7af1357c9446f979e2f8654f1246127315123553435755b70ace2168017
                                                    • Opcode Fuzzy Hash: dc23599184ef4cc190c0beb7d935bc3b53346acedaaf35bf605992035dd5369b
                                                    • Instruction Fuzzy Hash: B33166756093409BD318DF04C99072FBBE3ABD1B11F15891CE6C517294C77AAC15CB9A
                                                    Function 004410B0 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 208 4410b0-4410e2 LdrInitializeThunk
                                                    APIs
                                                    • LdrInitializeThunk.NTDLL(0044479F,005C003F,00000006,?,?,00000018,FCFDFEFF,?,?), ref: 004410DE
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
                                                    • Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
                                                    • Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
                                                    • Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82
                                                    Function 004102EB Relevance: 1.5, Strings: 1, Instructions: 209COMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 210 4102eb-410357 211 4103a3-4103ab 210->211 212 410359 210->212 214 4103d1-4103e0 211->214 215 4103ad-4103b5 211->215 213 410360-4103a1 212->213 213->211 213->213 217 4103e2-4103eb 214->217 218 410407 214->218 216 4103c0-4103cf 215->216 216->214 216->216 220 4103f0-410401 217->220 219 41040e-410426 218->219 223 41042a-410452 219->223 220->220 221 410403-410405 220->221 221->219 224 410459-410462 223->224 225 4101e0 224->225 226 410230-41023b call 440fc0 224->226 227 4102a2-4102b1 224->227 228 4101f5-410208 224->228 229 410215-410223 call 440fc0 224->229 230 410244-41024b 224->230 231 410487 224->231 232 410496-4104a0 224->232 233 4102b6-4102c4 224->233 234 410469-410480 224->234 235 41020f 224->235 238 4101e4-4101e5 225->238 226->230 227->225 227->233 228->226 228->229 228->230 228->233 228->235 229->226 230->233 236 4102cb 230->236 237 4102cf 230->237 242 410290-410295 230->242 243 410252-41027a 230->243 244 41029c 230->244 246 410491 231->246 245 41070a 232->245 233->236 233->237 234->225 234->226 234->227 234->228 234->229 234->230 234->231 234->232 234->233 234->235 235->229 236->237 237->231 251 4101ef 238->251 242->233 242->236 242->237 242->244 243->233 243->236 243->237 243->242 243->244 252 410714 245->252 246->245 251->251 254 41071e-410722 252->254 255 410725 254->255 255->255
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: $#
                                                    • API String ID: 0-307659307
                                                    • Opcode ID: e85b7f5f74ab75af83fcea7a89a1f898eb46888ad190f144e6a24ce3c860a271
                                                    • Instruction ID: 260e321667f06d2377f6e2a9b6f865922d939719900b70815161cbc2a1e5daf9
                                                    • Opcode Fuzzy Hash: e85b7f5f74ab75af83fcea7a89a1f898eb46888ad190f144e6a24ce3c860a271
                                                    • Instruction Fuzzy Hash: 0B61CD74108345DFD7189F60E89166BB7F4FF86304F004A3DFA86862A0EB798D58DB5A
                                                    Function 0040CEF0 Relevance: 6.2, APIs: 4, Instructions: 183threadCOMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 27 40cef0-40cefb call 440250 30 40cf01-40cf10 GetInputState call 437bb0 27->30 31 40d148-40d14a ExitProcess 27->31 34 40d143 call 440fa0 30->34 35 40cf16-40cf3f GetCurrentThreadId GetCurrentProcessId 30->35 34->31 36 40cf41 35->36 37 40cf89-40cfad 35->37 39 40cf50-40cf87 36->39 40 40cff3-40cff5 37->40 41 40cfaf 37->41 39->37 39->39 43 40d0c9-40d0ed 40->43 44 40cffb-40d017 40->44 42 40cfb0-40cff1 41->42 42->40 42->42 45 40d130 call 40e2c0 43->45 46 40d0ef 43->46 47 40d060-40d085 44->47 48 40d019 44->48 53 40d135-40d137 45->53 49 40d0f0-40d12e 46->49 47->43 52 40d087 47->52 51 40d020-40d05e 48->51 49->45 49->49 51->47 51->51 54 40d090-40d0c7 52->54 53->34 55 40d139-40d13e call 411360 call 40fe00 53->55 54->43 54->54 55->34
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID: CurrentProcess$ExitInputStateThread
                                                    • String ID:
                                                    • API String ID: 1029096631-0
                                                    • Opcode ID: 35c482d52480747201836f8f8f389531612a560187f6e45a10ee35ac2208428d
                                                    • Instruction ID: 8d934a93809fdfaf6ef6648aea0b9496998fdc048926ea23c69865b36a35035e
                                                    • Opcode Fuzzy Hash: 35c482d52480747201836f8f8f389531612a560187f6e45a10ee35ac2208428d
                                                    • Instruction Fuzzy Hash: D151467450C2409BD305EF29D090A1EBBE2EF95704F148D2EE5C8D73A2DB3AD856CB5A
                                                    Function 0043E568 Relevance: 1.6, APIs: 1, Instructions: 72memoryCOMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 200 43e568-43e56d 201 43e612-43e616 RtlFreeHeap 200->201 202 43e610 200->202 203 43e574-43e591 200->203 204 43e618-43e61d 200->204 201->204 202->201 205 43e5f3-43e609 203->205 206 43e593 203->206 205->202 207 43e5a0-43e5f1 206->207 207->205 207->207
                                                    APIs
                                                    • RtlFreeHeap.NTDLL(?,00000000), ref: 0043E616
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID: FreeHeap
                                                    • String ID:
                                                    • API String ID: 3298025750-0
                                                    • Opcode ID: c71e9044fb584d76eb58e97eccab8ce6af4707b830a7b63e18817ed4fa84206c
                                                    • Instruction ID: ba67fb7d3f3fa2703c682ca9ffecff815d7a16a28ec38ea6b53d580cece07862
                                                    • Opcode Fuzzy Hash: c71e9044fb584d76eb58e97eccab8ce6af4707b830a7b63e18817ed4fa84206c
                                                    • Instruction Fuzzy Hash: 791191796192109FD318DF15C560A6AB7E6EBC9314F45CA5CC9C903395CB34AC12CA85
                                                    Function 0043E532 Relevance: 1.5, APIs: 1, Instructions: 7memoryCOMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 209 43e532-43e53c RtlAllocateHeap
                                                    APIs
                                                    • RtlAllocateHeap.NTDLL(?,00000000), ref: 0043E536
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID: AllocateHeap
                                                    • String ID:
                                                    • API String ID: 1279760036-0
                                                    • Opcode ID: 0b33f483e78cec012c42ec05538e54b6767d6653dfbd5f8c50e5434af4dbc859
                                                    • Instruction ID: 9283e65a574c8a2ab941d01f97749e67fa4198aebfdbdd947c6c92af82d1e611
                                                    • Opcode Fuzzy Hash: 0b33f483e78cec012c42ec05538e54b6767d6653dfbd5f8c50e5434af4dbc859
                                                    • Instruction Fuzzy Hash: 60A002B159421025E46432243C02FEB120C47C0520F174655F90458994945E999640A5

                                                    Non-executed Functions

                                                    Function 0041C0F3 Relevance: 26.5, Strings: 20, Instructions: 1495COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID: '&%$$%&'$($()*+$,-./$,f&$0123$;:=<$<=>?$CFGD$ER$PWVU$Q_T\$X\$XK$\CBA$`cem$gfed$srqp$|{zy
                                                    • API String ID: 2994545307-487049191
                                                    • Opcode ID: c4d0e52c5d433838d935bcabe744b548ee0fdceeca3819fe5c1c8d51a0e46f25
                                                    • Instruction ID: 2aba61bb09b9a05d4b861a8a7b1256c793c4620990fee9aa123df3a123d5ff14
                                                    • Opcode Fuzzy Hash: c4d0e52c5d433838d935bcabe744b548ee0fdceeca3819fe5c1c8d51a0e46f25
                                                    • Instruction Fuzzy Hash: 08C289B56093809BD730DF14D885BABBBF1EFC9354F14492EE4898B291D7399881CB4B
                                                    Function 0040DB50 Relevance: 22.9, Strings: 18, Instructions: 396COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: ?]1$4$47$7CuA$>O8M$@3I5$@;A9$A7S5$D[$J#Y!$KK1I$L3V1$SGXE$d$h'm%$nhfn$s+\)$s?A=
                                                    • API String ID: 0-688071760
                                                    • Opcode ID: 4edc96e037c0f178db7c3d2a56f0ab146287c71dd7d0a610fccc70a73f227dc8
                                                    • Instruction ID: b205447bd41dbca7e6094392a32d271156f71f7689f84adf83f523d63b62355e
                                                    • Opcode Fuzzy Hash: 4edc96e037c0f178db7c3d2a56f0ab146287c71dd7d0a610fccc70a73f227dc8
                                                    • Instruction Fuzzy Hash: E4E145B460C3809BD314EF19C490B2FBBE1EB95748F14892DE1C98B392D7799849CB96
                                                    Function 004254D6 Relevance: 19.6, Strings: 15, Instructions: 879COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: SQ$ oB$+GE$0P$GB$PQ$U@$sx$tEzG$vIuK$-/$9;$=?$OM$W6U
                                                    • API String ID: 0-945070389
                                                    • Opcode ID: 75324432214bee02142c58bdfad5c5664bd9e5414fef098fc68c9679aa2c563a
                                                    • Instruction ID: 17b5ed351691850d2d31a8ef5ef8e942825423d6908c31d910918414f0311317
                                                    • Opcode Fuzzy Hash: 75324432214bee02142c58bdfad5c5664bd9e5414fef098fc68c9679aa2c563a
                                                    • Instruction Fuzzy Hash: 8AC2B7B410D3C58AE374CF15D581BDEBBE1BB99300F608A2E95E99B245DB74804ACF93
                                                    Function 0040D670 Relevance: 19.2, Strings: 15, Instructions: 400COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: !8 '$"vZ#$'#%/$,89'$04Zf$2+OL$7lbU$GKAL$I4@A$L9A<$ZXZ^$pl^n$qKKL$t4"z$~wys
                                                    • API String ID: 0-2870023535
                                                    • Opcode ID: c4c1d0b8aeec4fbc964d878e168c0cfe6b14bc93284e6babccafd55405a7defb
                                                    • Instruction ID: 09061cec31d608dcf622b34a14119a3a3e4a5fde61f4ed7e11789ec3fc6b2662
                                                    • Opcode Fuzzy Hash: c4c1d0b8aeec4fbc964d878e168c0cfe6b14bc93284e6babccafd55405a7defb
                                                    • Instruction Fuzzy Hash: E7D19E7160C3818FC325CF69C49066BFBE1AF96304F18896EE4D59B392D738D90ACB56
                                                    Function 0042D620 Relevance: 18.3, APIs: 1, Strings: 8, Instructions: 2576COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: #]$[$%1.}$;:=<$AVQI$OSE+$cYbX$nLv/$p|"s
                                                    • API String ID: 0-1327684294
                                                    • Opcode ID: faef5b9ca50c5c034368435bfd1cfde0b3adb28dc46cb938fad16909b468ffe1
                                                    • Instruction ID: 2b4df5ff1dce2aeeeb7c47710cf21c7a959d265473b9a3037ab5b52abd4fd4c8
                                                    • Opcode Fuzzy Hash: faef5b9ca50c5c034368435bfd1cfde0b3adb28dc46cb938fad16909b468ffe1
                                                    • Instruction Fuzzy Hash: 51138B70605B518BE325CF25C5A0BA3BBE2AF56305F98886ED4EB87782C739B405CF54
                                                    Function 0043A55A Relevance: 13.9, APIs: 9, Instructions: 390memoryCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • SysAllocString.OLEAUT32(C177C776), ref: 0043A5FF
                                                    • CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0043A649
                                                    • SysAllocString.OLEAUT32(23D321D7), ref: 0043A6E4
                                                    • SysAllocString.OLEAUT32(81C987D9), ref: 0043A7B7
                                                    • VariantInit.OLEAUT32(00000080), ref: 0043A843
                                                    • VariantClear.OLEAUT32(00000080), ref: 0043A913
                                                    • SysFreeString.OLEAUT32(?), ref: 0043A940
                                                    • SysFreeString.OLEAUT32(?), ref: 0043A949
                                                    • SysFreeString.OLEAUT32(?), ref: 0043A963
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID: String$AllocFree$Variant$BlanketClearInitProxy
                                                    • String ID:
                                                    • API String ID: 1721464176-0
                                                    • Opcode ID: 699c7f215b7eb9b7a2b6cec3fd8496bc518bd866b7fed4522f39a4c212281b3a
                                                    • Instruction ID: 8c992e62f62bf1b93bab50a65aff0c4f59deb3091f0a737200adff5c6d653f8f
                                                    • Opcode Fuzzy Hash: 699c7f215b7eb9b7a2b6cec3fd8496bc518bd866b7fed4522f39a4c212281b3a
                                                    • Instruction Fuzzy Hash: 7AE186B9A083409FD324DF24D894B5EBBE5FF8A704F14892CF5C58B2A1CB759911CB46
                                                    Function 00428DF9 Relevance: 13.2, APIs: 1, Strings: 6, Instructions: 938COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: E G$4`[b$7Q>S$;:=<$H%E'$xy
                                                    • API String ID: 0-931342794
                                                    • Opcode ID: cfdae871bd40c45ddfcea215e3f663c6e0da303953fd6fba35544a9eb4cd990f
                                                    • Instruction ID: 9ace66a36af5d671560af70b85ea174d5b5cd9fda06858f5bbfafba69db2bf83
                                                    • Opcode Fuzzy Hash: cfdae871bd40c45ddfcea215e3f663c6e0da303953fd6fba35544a9eb4cd990f
                                                    • Instruction Fuzzy Hash: EA62E0B5608341CFD324CF29D890A2BB7F1BF86304F48896DE5868B752D779E841CB5A
                                                    Function 004347D0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 94clipboardCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
                                                    • String ID: W
                                                    • API String ID: 2832541153-655174618
                                                    • Opcode ID: 1319d16b3b6fcec1971500750b4dea67669a2eba4843eafdf0d3752e5d4cc64b
                                                    • Instruction ID: b5ce89a14692ea6d73f1f8b94e0227e04cfd5565c5f3f652e23a9204ac2c206b
                                                    • Opcode Fuzzy Hash: 1319d16b3b6fcec1971500750b4dea67669a2eba4843eafdf0d3752e5d4cc64b
                                                    • Instruction Fuzzy Hash: 09417B7410C7818ED311EF7C948836FBFE0AB96224F044A2EF4E9872D2C6389549CB97
                                                    Function 00401000 Relevance: 11.9, Strings: 8, Instructions: 1910COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$@$gfff$gfff$gfff$gfff
                                                    • API String ID: 0-3817530714
                                                    • Opcode ID: b7ca9dd18a4da91c7ad62db8bce2336a186abc3dc4299a567a648651a2bae0a7
                                                    • Instruction ID: d855b3356d1c57fcf06fcd71e459df10e1582527fb1424479cc0e75607c93520
                                                    • Opcode Fuzzy Hash: b7ca9dd18a4da91c7ad62db8bce2336a186abc3dc4299a567a648651a2bae0a7
                                                    • Instruction Fuzzy Hash: 53E2F5716083518FD718CE29C49422BBBE2AFC9314F18C63EE895AB3D1D679DD05CB86
                                                    Function 004247C0 Relevance: 11.0, APIs: 1, Strings: 5, Instructions: 517COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: <=$@V$e0$tu$}E
                                                    • API String ID: 0-1262024887
                                                    • Opcode ID: e5bd63f7bbe1783dc29fd61ff8032a617bb19269b788e03b3b80ba035ff734d7
                                                    • Instruction ID: 78cd2b424751e7e3a974edb00413f338abe77159b29d01a479bd523d69c4c1af
                                                    • Opcode Fuzzy Hash: e5bd63f7bbe1783dc29fd61ff8032a617bb19269b788e03b3b80ba035ff734d7
                                                    • Instruction Fuzzy Hash: 811273B42083808BD304DF59E890A2BBBF1EF96744F448A2DF4C58B361D378D945CB9A
                                                    Function 00427ECC Relevance: 10.5, Strings: 8, Instructions: 523COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 'O"A$4`[b$4`[b$4`[b$;:=<$>o)a$o7cI$w3k5
                                                    • API String ID: 0-1230474396
                                                    • Opcode ID: 28bba3a7885e465c593bc8cb973c93ada00e38e1d8af96db2a2ef3ebe4e945ca
                                                    • Instruction ID: 34e2fb881ffa027eb8593bc1da40f55b4969002233a45bbca051739018976706
                                                    • Opcode Fuzzy Hash: 28bba3a7885e465c593bc8cb973c93ada00e38e1d8af96db2a2ef3ebe4e945ca
                                                    • Instruction Fuzzy Hash: 9612C2B9A01229CFDB24CF99D890AAEB7B1FF09304F54455DE942AB351DB34AD01CF98
                                                    Function 0040F020 Relevance: 9.2, Strings: 7, Instructions: 480COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: *!"#$EA$I^$L$ME$PN$fA
                                                    • API String ID: 0-3121298407
                                                    • Opcode ID: 34f20ffa5e815ffde0a29f63b86e480bc42fbe24c9381e36d712b05b0caf9e58
                                                    • Instruction ID: 32197e7896d0dea654037ece47cc288004702159dc869b410ef6c6e3044782a0
                                                    • Opcode Fuzzy Hash: 34f20ffa5e815ffde0a29f63b86e480bc42fbe24c9381e36d712b05b0caf9e58
                                                    • Instruction Fuzzy Hash: F3F1A07520C3809BD324CF18C49061BBBE2AFD5704F188A7DE4C99B792D739D90ACB5A
                                                    Function 0041243B Relevance: 9.0, Strings: 7, Instructions: 249COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID: "(A$2(A$4`[b$;:=<$;:=<$D$F'W9
                                                    • API String ID: 2994545307-2899555637
                                                    • Opcode ID: 92518ee4f74951d240ed7c4311f44f8b80fa3c1a58ae9792e00d14183ced843b
                                                    • Instruction ID: 850d1f8a21bc88233faa5ed171f6a77b1594a7b2bde4cc9bd874753a322ae58e
                                                    • Opcode Fuzzy Hash: 92518ee4f74951d240ed7c4311f44f8b80fa3c1a58ae9792e00d14183ced843b
                                                    • Instruction Fuzzy Hash: 159135B41093809BE328CF10C5A476FBBF1FF85318F148A1DE49A5B294D7B99845CF8A
                                                    Function 004012AB Relevance: 8.5, Strings: 6, Instructions: 981COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 0$0$0$0$@$i
                                                    • API String ID: 0-1499800099
                                                    • Opcode ID: 49e28f684b0058cf6a2ad84e09071874ecea87db0942bcbe0603c1936fe46074
                                                    • Instruction ID: 2c18955a9905b379642ffda91b76819843efd00dbd529e99c3d8cb13816c43c7
                                                    • Opcode Fuzzy Hash: 49e28f684b0058cf6a2ad84e09071874ecea87db0942bcbe0603c1936fe46074
                                                    • Instruction Fuzzy Hash: 4372C3716083418FD718CE28C59476BBBE2ABC9314F148A3EE8D5A73D1D778DD068B86
                                                    Function 0041D836 Relevance: 8.4, Strings: 6, Instructions: 911COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: $[9U$576:$9$f8$C!A#$F)^+$K%S'
                                                    • API String ID: 0-1021359667
                                                    • Opcode ID: 1e603c00811ab43ee6add576694ee4b67a14258ad39f79d4584103c8140025a5
                                                    • Instruction ID: 9b977ac1f04bb14b6b57823cb97f6ace82ab04001c59d7b8664a4cb4b18c5caf
                                                    • Opcode Fuzzy Hash: 1e603c00811ab43ee6add576694ee4b67a14258ad39f79d4584103c8140025a5
                                                    • Instruction Fuzzy Hash: 2872CDB4D0066ACFCB14CFA4C8906AEFBB1FF56310F14895DD856AB391D338A945CB98
                                                    Function 00427262 Relevance: 8.1, Strings: 6, Instructions: 637COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (6$4`[b$42$;:=<$]S$^B
                                                    • API String ID: 0-1760957851
                                                    • Opcode ID: c4d559293e94434133a3be56b280aa0cec3089093fbfcebac09df8432f953920
                                                    • Instruction ID: 9603ea7d922278b3a9b0e196977010e6c9c52b37d5cbc10e436e82d193aff4a5
                                                    • Opcode Fuzzy Hash: c4d559293e94434133a3be56b280aa0cec3089093fbfcebac09df8432f953920
                                                    • Instruction Fuzzy Hash: 3822CC3660C352CBC324DF28D4906ABB3E2FF89744F95892DE9D58B364D734A905CB86
                                                    Function 00401353 Relevance: 7.9, Strings: 6, Instructions: 406COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff$gfff
                                                    • API String ID: 0-854689426
                                                    • Opcode ID: fc175a819216eec0605c087836c401a49e7122558ac07ab3248c45568aa50351
                                                    • Instruction ID: 991deea0bdf48c2e004b2714989a2a32e04df8f811fbcaa1bcf4ca5c9ccc3b06
                                                    • Opcode Fuzzy Hash: fc175a819216eec0605c087836c401a49e7122558ac07ab3248c45568aa50351
                                                    • Instruction Fuzzy Hash: 88E1C2316083918FC314CE29C59066BBBE2AFD9314F188A7EE8D9A73D1D678DD05CB46
                                                    Function 004140C2 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 405COMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • ExitProcess.KERNEL32(00000002), ref: 004140E0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID: ExitProcess
                                                    • String ID: l\[l$r$~yIs
                                                    • API String ID: 621844428-2483868081
                                                    • Opcode ID: b77e43dee3557325544c2bf9316e19aeba8aa000151ded57fa7f4eb880c364d4
                                                    • Instruction ID: 50daacc767c569245d2280c38069bcf2d850dcfac37cc656f273dd8656cd4cc3
                                                    • Opcode Fuzzy Hash: b77e43dee3557325544c2bf9316e19aeba8aa000151ded57fa7f4eb880c364d4
                                                    • Instruction Fuzzy Hash: 26E1AFB16083808FE328DF25D490BABBBE1AFD6304F19896DE4C947391D73A9905CB57
                                                    Function 0042C10A Relevance: 6.7, Strings: 5, Instructions: 460COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 4`[b$4`[b$;:=<$>ZVB$XXZ
                                                    • API String ID: 0-1418205161
                                                    • Opcode ID: b6c7d0ef9ae49d846fb5ff8294779f26567c258844b33fc93c7a25346bf8b45c
                                                    • Instruction ID: aeab2857646deb4947dc5af1de2ac7035b2438514c5202c60368a3950da78ddc
                                                    • Opcode Fuzzy Hash: b6c7d0ef9ae49d846fb5ff8294779f26567c258844b33fc93c7a25346bf8b45c
                                                    • Instruction Fuzzy Hash: AAF10275608340DFD304DF28E891A2FB7E1AF89304F188A6EF59647392D739D901CB9A
                                                    Function 0042AB20 Relevance: 6.7, Strings: 5, Instructions: 454COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: ,KJM$E3W5$E7DI$kONA,KJME7DIE3W5x?E1$x?E1
                                                    • API String ID: 0-1893250419
                                                    • Opcode ID: 8e94a034ab06c5204d26a7559e7553f4c3c7a47b8e4b4d971ed0bcf6b67509c9
                                                    • Instruction ID: fceb0c5f4167c185f62c85f8028209108c8b250d659580a4f47de2793bbb089d
                                                    • Opcode Fuzzy Hash: 8e94a034ab06c5204d26a7559e7553f4c3c7a47b8e4b4d971ed0bcf6b67509c9
                                                    • Instruction Fuzzy Hash: 37F187756083948BD328CF15D4A0B6BB7E2FFC5308F45092DE99A5B381DB34A905CB9B
                                                    Function 004437F0 Relevance: 5.9, Strings: 4, Instructions: 861COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 2>D$R>D$T+*)$wu*)
                                                    • API String ID: 0-2828766663
                                                    • Opcode ID: cf2fcd34ac2da292ebbe9455d395f00f50ecd21ff02622c04c75cf9bae465ca0
                                                    • Instruction ID: 233eca92140b5038e21b59b77cb627327dd08b56e62bcaeadcb0e0b842900a38
                                                    • Opcode Fuzzy Hash: cf2fcd34ac2da292ebbe9455d395f00f50ecd21ff02622c04c75cf9bae465ca0
                                                    • Instruction Fuzzy Hash: 3352ED79A08216CFDB04CF68D89066EB7F2FB8A311F1A887DD885A3351C774A905CB95
                                                    Function 00413476 Relevance: 5.8, APIs: 1, Strings: 2, Instructions: 575COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: N$wg
                                                    • API String ID: 0-3596813796
                                                    • Opcode ID: eff31fe9d8e9a72c618bbac480077fb539c6e837bf1b75bb1e0325f746f85541
                                                    • Instruction ID: 196765f3eedc86c87d2d09fc204386f94b6993b4499f9e08600ad9860ec92556
                                                    • Opcode Fuzzy Hash: eff31fe9d8e9a72c618bbac480077fb539c6e837bf1b75bb1e0325f746f85541
                                                    • Instruction Fuzzy Hash: A902F1B16083418FD714DF28D880B6BB7E5BF96308F090A2EE1C597391E739D945CB9A
                                                    Function 00442CF0 Relevance: 5.3, Strings: 4, Instructions: 259COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: ,K6M$0ONA$B?J1$T3N5
                                                    • API String ID: 0-3032688317
                                                    • Opcode ID: ac82e50b7f7e3d2a5656f9bc67944ad31263cc49a67966ca229c446b5f47a5ea
                                                    • Instruction ID: c7e278a86b0c5fa2cc2db7458628a2b637bcc511569f3d6321285a511813219e
                                                    • Opcode Fuzzy Hash: ac82e50b7f7e3d2a5656f9bc67944ad31263cc49a67966ca229c446b5f47a5ea
                                                    • Instruction Fuzzy Hash: 3F8108B1A042005BF724DF29CD40B6BB7D5ABC0319F98893EF995D3352EA74DC04875A
                                                    Function 00426F22 Relevance: 5.2, Strings: 4, Instructions: 248COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (6$4`[b$42$;:=<
                                                    • API String ID: 0-1828371304
                                                    • Opcode ID: 92e373d38cb8a45c32cec28e43a4d0f8ca0b3329e649d41b4de7c30d2790807f
                                                    • Instruction ID: 1cc9a2871fe7e6953e81915b675732c428d52a6240afbafc1defe24ab325a3c1
                                                    • Opcode Fuzzy Hash: 92e373d38cb8a45c32cec28e43a4d0f8ca0b3329e649d41b4de7c30d2790807f
                                                    • Instruction Fuzzy Hash: C581797910C3818BD7288F25D860B6BB3E2FFCA305F64892EE59947255DB34D901CB9A
                                                    Function 00423CDF Relevance: 4.4, Strings: 3, Instructions: 614COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: ;:=<$ZQ$r@B
                                                    • API String ID: 0-2434479481
                                                    • Opcode ID: 2ad91517a1fcf3e2faa804bb923ac036d642ca5a68031004550778e28a8af2ab
                                                    • Instruction ID: de04cf39f5cbd9ff50ece06e9efe80ced1d0fc34f4ff256bc7eb882e6c7ccc20
                                                    • Opcode Fuzzy Hash: 2ad91517a1fcf3e2faa804bb923ac036d642ca5a68031004550778e28a8af2ab
                                                    • Instruction Fuzzy Hash: 9422FE75608351CFC318CF28E89062AB7F2EF89315F598A2DE5D6873A1D738E941CB85
                                                    Function 00429FD0 Relevance: 4.4, Strings: 3, Instructions: 608COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: "$4`[b$;:=<
                                                    • API String ID: 0-1258923058
                                                    • Opcode ID: e8ddd71b6069e9750d760fab9b5afa9aac9e502c85817d1f117e8691c31a4452
                                                    • Instruction ID: d79c7e4b8816dddf43733cfd745fedaf185e6a701b4f9e5072b9a8a45092fc8b
                                                    • Opcode Fuzzy Hash: e8ddd71b6069e9750d760fab9b5afa9aac9e502c85817d1f117e8691c31a4452
                                                    • Instruction Fuzzy Hash: 9C121835608350CFD310CF28D89072AB7E2BF8A324F598A6DE895973A1D739DC55CB4A
                                                    Function 00408510 Relevance: 4.2, Strings: 3, Instructions: 434COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: )$)$IEND
                                                    • API String ID: 0-588110143
                                                    • Opcode ID: 903f0b3ec2f5342d351f2076d48e5e80cf403cd988251eb26a88a8ae4c912964
                                                    • Instruction ID: 276fa3dd006b87f38b8202d5eba2b2e74f526b7dd616f7727b779dd7cfee4eac
                                                    • Opcode Fuzzy Hash: 903f0b3ec2f5342d351f2076d48e5e80cf403cd988251eb26a88a8ae4c912964
                                                    • Instruction Fuzzy Hash: 43F1D0B2A047119BD310DF28C88171ABBE0BB95314F15463EE9D5AB3C2D778E915CB8A
                                                    Function 004154E7 Relevance: 4.1, Strings: 3, Instructions: 371COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: *$CZA$vf
                                                    • API String ID: 0-206690473
                                                    • Opcode ID: 7acbc0d67bfca53b4c5fbd13c50aefe54a03205c3eb167124ba9dfbfc0647525
                                                    • Instruction ID: fd79bdd669a6a422b2521ec46db2113e801652e7736158cbb3e3a1a8ad381470
                                                    • Opcode Fuzzy Hash: 7acbc0d67bfca53b4c5fbd13c50aefe54a03205c3eb167124ba9dfbfc0647525
                                                    • Instruction Fuzzy Hash: B8D14770608380CFD325EF19C880BABBBF5EF96304F45492EE5C987251E33998558B6B
                                                    Function 0043AD50 Relevance: 4.1, Strings: 3, Instructions: 343COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 4`[b$4`[b$;:=<
                                                    • API String ID: 0-3592264197
                                                    • Opcode ID: fbd7fcf930f3b944ff41c9800ed9647bfd5017a64df00a271fd8abf1bd1add9d
                                                    • Instruction ID: b2b4cd47ae554cadc3a3b46b3434b9521132386f5270db21e65c699f2ed63dbe
                                                    • Opcode Fuzzy Hash: fbd7fcf930f3b944ff41c9800ed9647bfd5017a64df00a271fd8abf1bd1add9d
                                                    • Instruction Fuzzy Hash: E4A1ED786082009FD718EF29D890B2FB7F2EB99305F14892DE2C547392D735E811CB9A
                                                    Function 004016FF Relevance: 4.0, Strings: 3, Instructions: 226COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: $0123456789ABCDEFXP$0123456789abcdefxp
                                                    • API String ID: 0-191410918
                                                    • Opcode ID: 6461ab3725a57874339ace894ada579ec19377586f119210fe78ce41a66211f1
                                                    • Instruction ID: 11ada76d5bba83d27bf5064260fe23df4183cc92739bc392076a7deeb5a2bb41
                                                    • Opcode Fuzzy Hash: 6461ab3725a57874339ace894ada579ec19377586f119210fe78ce41a66211f1
                                                    • Instruction Fuzzy Hash: E881BC726083408BD714CE19C59432BBBE2AFD5354F18892EF8D9A73D1C778D946CB86
                                                    Function 0040134A Relevance: 4.0, Strings: 3, Instructions: 223COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: $0123456789ABCDEFXP$0123456789abcdefxp
                                                    • API String ID: 0-191410918
                                                    • Opcode ID: 37338132822b0a989770a82cafa03d8c62d383d6d0c3095f85d6e562b31d8e2b
                                                    • Instruction ID: e3cd0c0765a6337eab9cf58452de95353be9a8cc04daf256ce901a56c877eaec
                                                    • Opcode Fuzzy Hash: 37338132822b0a989770a82cafa03d8c62d383d6d0c3095f85d6e562b31d8e2b
                                                    • Instruction Fuzzy Hash: A781BB726083408BD714CE19C58432BBBE2AFD5354F18892EF8D9A73D5C778D946CB86
                                                    Function 0043EA30 Relevance: 3.8, Strings: 3, Instructions: 71COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 4`[b$;:=<$;:=<
                                                    • API String ID: 0-329296514
                                                    • Opcode ID: f34d388a25e3721d108343d5e6fd82d4ebf73c52cbe3c1819dc3a3d568a8bdf4
                                                    • Instruction ID: 2c71d2a802dc8d2e9535d10b74675595336a870d12ed8bb73b2cb207b1e6cf89
                                                    • Opcode Fuzzy Hash: f34d388a25e3721d108343d5e6fd82d4ebf73c52cbe3c1819dc3a3d568a8bdf4
                                                    • Instruction Fuzzy Hash: 7211D53560A3008BE710EF1AC4C0A2BB7A3FBC9711F19D95DD48517399C375DC028B96
                                                    Function 00443B00 Relevance: 3.2, Strings: 2, Instructions: 650COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 2>D$R>D
                                                    • API String ID: 0-1099935506
                                                    • Opcode ID: b3e0398bf5e551924423ceb56589191ca35619534e2b10910c9ee5264e21615e
                                                    • Instruction ID: 206aac7d22ae4cffbd0febd8c552771d4d00601fd67f989396f8d08b5efe2368
                                                    • Opcode Fuzzy Hash: b3e0398bf5e551924423ceb56589191ca35619534e2b10910c9ee5264e21615e
                                                    • Instruction Fuzzy Hash: F422BB79A08212CFD704CF28E89066FB7F2FB8A310F1A897DE88593355C735A915CB85
                                                    Function 0043F520 Relevance: 3.1, Strings: 2, Instructions: 604COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: ;:=<$f
                                                    • API String ID: 0-1323823017
                                                    • Opcode ID: 5fbbe051b1ed0bf3e2a79ae9d275a7ec4f3beaf33de91a5399ae5fb45e49a1ef
                                                    • Instruction ID: c59ac8116f5911eb9f2bc93abb99b4200faaf618b15e2140fe57c5dba50f6583
                                                    • Opcode Fuzzy Hash: 5fbbe051b1ed0bf3e2a79ae9d275a7ec4f3beaf33de91a5399ae5fb45e49a1ef
                                                    • Instruction Fuzzy Hash: 7F22B2759083419FD314CF28C490B2BBBE1AF88314F189A2EE4D5973A1D739EC49CB96
                                                    Function 0041A8B0 Relevance: 3.0, Strings: 2, Instructions: 481COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 4`[b$;:=<
                                                    • API String ID: 0-1589744844
                                                    • Opcode ID: ee74d0769bdf9d9c08d1d0f73040f90ee8eef2e0f64c0674bec5aa730efffa3f
                                                    • Instruction ID: a43c5c35c5491b0f9340dcb26e9a5266a29d5cdcc1a72a623d375895d6bcedd2
                                                    • Opcode Fuzzy Hash: ee74d0769bdf9d9c08d1d0f73040f90ee8eef2e0f64c0674bec5aa730efffa3f
                                                    • Instruction Fuzzy Hash: 70F102B4109340CBD324DF14D895BABB7B1EFCA354F04092DE9898B3A1E7399891CB5B
                                                    Function 004234F0 Relevance: 3.0, Strings: 2, Instructions: 462COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 4`[b$;:=<
                                                    • API String ID: 0-1589744844
                                                    • Opcode ID: 1c3aedb2ce529f4d67205c393fb6a21125fb2a094e65f1670ae247909dc083aa
                                                    • Instruction ID: 246f25436d987c80232269820723aea318872ae59026922c166dac40a2577ec3
                                                    • Opcode Fuzzy Hash: 1c3aedb2ce529f4d67205c393fb6a21125fb2a094e65f1670ae247909dc083aa
                                                    • Instruction Fuzzy Hash: B5D103B16082109BC714EF18E891A2BB7F1EF95305F44491EF4C58B391E73DEA40CB9A
                                                    Function 004038C0 Relevance: 2.9, Strings: 2, Instructions: 439COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Inf$NaN
                                                    • API String ID: 0-3500518849
                                                    • Opcode ID: 7002dbde0cc46d5a5fc26196bcaae322e1585b7e0a0e391f8f6e2039981a78a0
                                                    • Instruction ID: acbfd9ece6d6733368d19d6c2c2f2c7b8abf5fd1b9eb8c456111671492b6770a
                                                    • Opcode Fuzzy Hash: 7002dbde0cc46d5a5fc26196bcaae322e1585b7e0a0e391f8f6e2039981a78a0
                                                    • Instruction Fuzzy Hash: 2CE19372A083019BC708CF28C44165BBBE6EBC4754F158A3EF899E7394E778DD458B86
                                                    Function 00424230 Relevance: 2.9, Strings: 2, Instructions: 380COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: ;:=<$;:=<
                                                    • API String ID: 0-2608637003
                                                    • Opcode ID: def6a8bea53928192f245e836900cb76aa28937f58efcad78cd4cedddfd3bfde
                                                    • Instruction ID: 398dedf9aa16bb12b9eceae43538d85d4a1e853892d32e4a180452d71a24d70a
                                                    • Opcode Fuzzy Hash: def6a8bea53928192f245e836900cb76aa28937f58efcad78cd4cedddfd3bfde
                                                    • Instruction Fuzzy Hash: 44C1DF75608302CFD708DF28E890B2AB3E5EF89314F49897DE88297291D738ED51CB95
                                                    Function 0041A550 Relevance: 2.8, Strings: 2, Instructions: 343COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 4`[b$;:=<
                                                    • API String ID: 0-1589744844
                                                    • Opcode ID: 28663bad3396b383ca11eda51f11e9a0b0662c128255db784d5a7e73a922f9d4
                                                    • Instruction ID: 2820b62ee852fb3f43b80af76e2fec33a6f4f800d124f9151e4e2a3ed6f00d8c
                                                    • Opcode Fuzzy Hash: 28663bad3396b383ca11eda51f11e9a0b0662c128255db784d5a7e73a922f9d4
                                                    • Instruction Fuzzy Hash: 82812376909200DBC720AF14DC926A773B1EF81365F09462EE9854B391F738DD60C79B
                                                    Function 0040148F Relevance: 2.8, Strings: 2, Instructions: 312COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 0123456789ABCDEFXP$0123456789abcdefxp
                                                    • API String ID: 0-595753566
                                                    • Opcode ID: eb60fa5e6a6820ed48adf25997699a813c06f3088e231a2b7aceee8f91e74c9e
                                                    • Instruction ID: 3a16c03c1282adae2799ef100d3c23dea248a4c3a2fee066912e920b7bde0fd2
                                                    • Opcode Fuzzy Hash: eb60fa5e6a6820ed48adf25997699a813c06f3088e231a2b7aceee8f91e74c9e
                                                    • Instruction Fuzzy Hash: CBC19E316083418BD718CE19C59422FBBE2AFD4354F18892EF89AA73D0D779ED42CB46
                                                    Function 0040175C Relevance: 2.7, Strings: 2, Instructions: 210COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: $0123456789ABCDEFXP
                                                    • API String ID: 0-3288435876
                                                    • Opcode ID: a5bd5f108d732cf2d0d548066390834eda8d136e7cfa172e31c9878648b824b7
                                                    • Instruction ID: aafced96436ec6714351d33ccefc49a957daf03bb4909e19fedf85531cfe68d8
                                                    • Opcode Fuzzy Hash: a5bd5f108d732cf2d0d548066390834eda8d136e7cfa172e31c9878648b824b7
                                                    • Instruction Fuzzy Hash: 7481AD72A083408BD714CE19C59432BBBE2AFD4354F18892EF8D9673D5C778D946CB86
                                                    Function 0043EB00 Relevance: 2.7, Strings: 2, Instructions: 195COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: ;:=<$;:=<
                                                    • API String ID: 0-2608637003
                                                    • Opcode ID: bded42e1866b1784597b1c7e133ed557a9b859fd2f0c8ec8691122e3061ca7c3
                                                    • Instruction ID: 69a7d6ee1215665a261b408fea27453dcb42e243a6c768147a65c232d5567cd6
                                                    • Opcode Fuzzy Hash: bded42e1866b1784597b1c7e133ed557a9b859fd2f0c8ec8691122e3061ca7c3
                                                    • Instruction Fuzzy Hash: 4E61B036A193519FD710DE29C88062FF7E2EB8D710F19992EE8D597391C735EC018B8A
                                                    Function 00405060 Relevance: 1.8, Strings: 1, Instructions: 551COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: %1.17g
                                                    • API String ID: 0-1551345525
                                                    • Opcode ID: 8f025f25f56428498e34ef21fd91f9a6bfe0e5cfe7b452a9bd5dd245adf4c520
                                                    • Instruction ID: 913ee2afe4259bb29e996a34109f18846cc102ae0c78204c63c23c5e21ce39e7
                                                    • Opcode Fuzzy Hash: 8f025f25f56428498e34ef21fd91f9a6bfe0e5cfe7b452a9bd5dd245adf4c520
                                                    • Instruction Fuzzy Hash: CE12E675A08B418BD7258E189440327B7E2EFA1304F19897FD8996B3C2E779DC45CF4A
                                                    Function 00423290 Relevance: 1.7, APIs: 1, Instructions: 242comCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • CoCreateInstance.OLE32(00447BA0,00000000,00000001,00447B90), ref: 004232B9
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID: CreateInstance
                                                    • String ID:
                                                    • API String ID: 542301482-0
                                                    • Opcode ID: 368d1edffba823671e4592491de4dcdae7eba8239b1b5de572a75cf813c3b115
                                                    • Instruction ID: 5deb9151911bd67a156f7c62fabd8b5e00d6b10411462216ae542b92bd78d99a
                                                    • Opcode Fuzzy Hash: 368d1edffba823671e4592491de4dcdae7eba8239b1b5de572a75cf813c3b115
                                                    • Instruction Fuzzy Hash: 6151CEB1700220ABDB20EF24DC82B7772B4EF4175AF448559F9858B391E77CEA01C76A
                                                    Function 00408FA0 Relevance: 1.7, Strings: 1, Instructions: 491COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: ,
                                                    • API String ID: 0-3772416878
                                                    • Opcode ID: c5c51321e2fabbeaf8ebc5e62dcbd1a7df3d4c8b1c4013a52394c3e7d85a7393
                                                    • Instruction ID: 406489a2217277ccb2d08e966c47d081aa69b2ada2636f7821f937c37d8680fb
                                                    • Opcode Fuzzy Hash: c5c51321e2fabbeaf8ebc5e62dcbd1a7df3d4c8b1c4013a52394c3e7d85a7393
                                                    • Instruction Fuzzy Hash: 0302BA79608201CFDB08CF24D89076B77A2BB8A316F18857DE8468B3D2D739ED46DB45
                                                    Function 00410C51 Relevance: 1.7, Strings: 1, Instructions: 479COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: _]
                                                    • API String ID: 0-1543220111
                                                    • Opcode ID: c04de08cf275d7676c505f1720a3405e72d1d894acf4304615f5586def1876c9
                                                    • Instruction ID: a7efde3a3b4a43be2c77ca8fba87e20e5ff5137cbe75d5c3f5dd0eb0b91f40d6
                                                    • Opcode Fuzzy Hash: c04de08cf275d7676c505f1720a3405e72d1d894acf4304615f5586def1876c9
                                                    • Instruction Fuzzy Hash: 9FF19D74A04216CFDB18CF54D8A06BFB7B1FF4A310F14492DE952AB7A0D774A845CBA8
                                                    Function 00442052 Relevance: 1.7, Strings: 1, Instructions: 449COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: R#D
                                                    • API String ID: 0-1600246052
                                                    • Opcode ID: ea9c9a294a9b9ff1e27d23e43ef0affc3a89dd55b927385486c9bda5c4ca7759
                                                    • Instruction ID: 58517f0753b29c37b605052dbd2ff18911ba1a0598dd0b9878fda025c546f8b9
                                                    • Opcode Fuzzy Hash: ea9c9a294a9b9ff1e27d23e43ef0affc3a89dd55b927385486c9bda5c4ca7759
                                                    • Instruction Fuzzy Hash: 69F1443AA08261CFD714CF39E89011EB7E2FB8A301F4A85BDD8A187392D774D941CB85
                                                    Function 0041EED0 Relevance: 1.7, Strings: 1, Instructions: 430COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: O
                                                    • API String ID: 0-3595746219
                                                    • Opcode ID: 2c138607c282682cb9f68153af4aa23138d2b1ceba0acedcc695c3c9eb81b2c8
                                                    • Instruction ID: 0b557c98afa23ba1f301d20f540ba73d64053bb9c245ddfc03cc6c7376117434
                                                    • Opcode Fuzzy Hash: 2c138607c282682cb9f68153af4aa23138d2b1ceba0acedcc695c3c9eb81b2c8
                                                    • Instruction Fuzzy Hash: FFE1AB756083419BD304EF29C850A6EBBE6EFD9314F088D2DE5C887352D739990ACB96
                                                    Function 0042CF00 Relevance: 1.7, Strings: 1, Instructions: 424COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: "
                                                    • API String ID: 0-123907689
                                                    • Opcode ID: 1666ee25ac14c568813c428f687048185778f3f3e480042ee6c215678a606f78
                                                    • Instruction ID: 78e3d14cb48d6723167c496696e02d2a9342397c22d16c7c6ca9ca648a4b7f88
                                                    • Opcode Fuzzy Hash: 1666ee25ac14c568813c428f687048185778f3f3e480042ee6c215678a606f78
                                                    • Instruction Fuzzy Hash: B8D136B2F083209BD724CE25D48076FB7D6AF85354F99852EE88A87381D73CDD04879A
                                                    Function 00443100 Relevance: 1.7, Strings: 1, Instructions: 408COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: P
                                                    • API String ID: 0-3110715001
                                                    • Opcode ID: 9d2d739c79a1afde5697c68e2d7ace0db2742ad600a5a61c68e1fdc3332b6fbe
                                                    • Instruction ID: 3a7f74090e0dca96f2ff7feadc08b36320648385cda253dec29c7ded54be8f8a
                                                    • Opcode Fuzzy Hash: 9d2d739c79a1afde5697c68e2d7ace0db2742ad600a5a61c68e1fdc3332b6fbe
                                                    • Instruction Fuzzy Hash: F6D1F5725083604FE725CE18945072FB7E1EBC5718F16862EE8B66B380CB75AD46CBC6
                                                    Function 00414695 Relevance: 1.6, Strings: 1, Instructions: 398COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: v
                                                    • API String ID: 0-1801730948
                                                    • Opcode ID: fe27b4660a5f04f9822305f16e26f48370715c2627451c63468bafa258a2576b
                                                    • Instruction ID: 8cefd0b2fb0452d6eab05b58845e42df43ed8ada661f899549c4ddbca9a8bdcb
                                                    • Opcode Fuzzy Hash: fe27b4660a5f04f9822305f16e26f48370715c2627451c63468bafa258a2576b
                                                    • Instruction Fuzzy Hash: D8E19A7560C3808BD324DF29D890BAFB7E1AFD6304F05492EE5C987352E73A98458B5B
                                                    Function 004287C0 Relevance: 1.6, Strings: 1, Instructions: 370COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID: ;:=<
                                                    • API String ID: 2994545307-1779823811
                                                    • Opcode ID: 93822f6b3b4938801a1c377f8d8f4da14634b3dcdf51f2ed76a46a200dcbc3be
                                                    • Instruction ID: b388ff17e69dbbcd1528fe3e9e30d3d2da54c93eabca0931ba12afbd6c47df4a
                                                    • Opcode Fuzzy Hash: 93822f6b3b4938801a1c377f8d8f4da14634b3dcdf51f2ed76a46a200dcbc3be
                                                    • Instruction Fuzzy Hash: 1DB100B17093118BD714DF28D880B2FB7E1EF95344F54892EE58587351EB38E845CB9A
                                                    Function 004113A3 Relevance: 1.5, Strings: 1, Instructions: 278COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: \_
                                                    • API String ID: 0-2885897410
                                                    • Opcode ID: 28d151ee5d41172f0ce71bfe11221b92f9b1177fc9eb7ff7e74abfe3bd26dbf0
                                                    • Instruction ID: cffd55973f2cc0b80aa761f8a161b1057c200f58bb372d4e36f1323283746c5f
                                                    • Opcode Fuzzy Hash: 28d151ee5d41172f0ce71bfe11221b92f9b1177fc9eb7ff7e74abfe3bd26dbf0
                                                    • Instruction Fuzzy Hash: 1FB1A77510A3808BE335CF25C494BDBFBE2ABCA358F188A1DD4C91B361D7348985CB86
                                                    Function 00401910 Relevance: 1.5, Strings: 1, Instructions: 277COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: null
                                                    • API String ID: 0-634125391
                                                    • Opcode ID: 0925b2bb124186bdab0b48fab05da9ac9de306871e53248cd08126a15b7a6f9f
                                                    • Instruction ID: 8c3da2e117334598bba65235dee84f51f30ebc641fb87975a1265fcfa54a1e14
                                                    • Opcode Fuzzy Hash: 0925b2bb124186bdab0b48fab05da9ac9de306871e53248cd08126a15b7a6f9f
                                                    • Instruction Fuzzy Hash: 89A19F76A083418BC715CE19C58462BBBE2AFC4354F18892EF8C5A73E4D778DD46CB86
                                                    Function 0040A6A0 Relevance: 1.5, Strings: 1, Instructions: 271COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: ,
                                                    • API String ID: 0-3772416878
                                                    • Opcode ID: 9d0f6e4bdde1a3e321f3d3ee283bba0e704fe3dad8033dbd6bd602fc28897309
                                                    • Instruction ID: 2be159ed2f776acfc4fd07dbe04c18ee364b4b70af27c014742466faed730af3
                                                    • Opcode Fuzzy Hash: 9d0f6e4bdde1a3e321f3d3ee283bba0e704fe3dad8033dbd6bd602fc28897309
                                                    • Instruction Fuzzy Hash: B7B139712083819FC324DF28C98061BBBE0AFA9704F448E2DF5D997782D635E918CB57
                                                    Function 004429C0 Relevance: 1.5, Strings: 1, Instructions: 257COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 4`[b
                                                    • API String ID: 0-3962175265
                                                    • Opcode ID: 66adebdfa3241c1fb5363f9da8ffe8f7a85c8d6ab1b702d8cc3c88f24d080178
                                                    • Instruction ID: 6b6f997dc00b9f8f43701221797d8b2b7dac59eb4693dae2bf0a1f8bb826d804
                                                    • Opcode Fuzzy Hash: 66adebdfa3241c1fb5363f9da8ffe8f7a85c8d6ab1b702d8cc3c88f24d080178
                                                    • Instruction Fuzzy Hash: ED81DF756083419BE724CF15CA90B6BB7E2EBC8314F944D2EF98593381E774E940CB9A
                                                    Function 0043FFA0 Relevance: 1.5, Strings: 1, Instructions: 242COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: ;:=<
                                                    • API String ID: 0-1779823811
                                                    • Opcode ID: 0e41ac4cfd6d17e43070f15520131cb9ee686395848b59599bcaa1bea0835342
                                                    • Instruction ID: 26e21218adb1158e7230711d54a925124355d9f6bbad91a5fadd465e20d4bfff
                                                    • Opcode Fuzzy Hash: 0e41ac4cfd6d17e43070f15520131cb9ee686395848b59599bcaa1bea0835342
                                                    • Instruction Fuzzy Hash: 7F7115356083418BE719DE28C890B2BB7E2EBC9314F14892EE6D597391C735ED61CB4A
                                                    Function 00432BA0 Relevance: 1.5, Strings: 1, Instructions: 216COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    • 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081, xrefs: 00432DB0
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081
                                                    • API String ID: 0-2471034898
                                                    • Opcode ID: cebd64a6a9d37bed18ee654e4c749d968936f41b66b598ebb260b19c4b23e212
                                                    • Instruction ID: 33dabdce66a625a163c1a08dc9c88e8f7b74f3cd0033f1718882a74fcaa0257f
                                                    • Opcode Fuzzy Hash: cebd64a6a9d37bed18ee654e4c749d968936f41b66b598ebb260b19c4b23e212
                                                    • Instruction Fuzzy Hash: B2616A33609A904BC7185D3C4D503AABA435B9B330F3EA37BD8B18B3E5D55D88079359
                                                    Function 004343D0 Relevance: 1.5, Strings: 1, Instructions: 207COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    • 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 0043452F
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ
                                                    • API String ID: 0-442858466
                                                    • Opcode ID: 656d5af3bf42d0f8ed180a1577dff78445bac1880cac19882de8aab2fd380b18
                                                    • Instruction ID: 2842f6c15ada2c3b0f350068909539b62e8133237b9483ce56a056dac0cb2be8
                                                    • Opcode Fuzzy Hash: 656d5af3bf42d0f8ed180a1577dff78445bac1880cac19882de8aab2fd380b18
                                                    • Instruction Fuzzy Hash: F251453765999047C7189E3C0C422B5BA434BEB330F3E937B9AB28B3E1D61D5806536A
                                                    Function 004210D0 Relevance: 1.4, Strings: 1, Instructions: 181COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: <?
                                                    • API String ID: 0-2219591229
                                                    • Opcode ID: a9dee0f8cc985192ff484047ca08529a1a148b000407021d9481890e980a836e
                                                    • Instruction ID: 1de7ab21bd37d4f47de160811fa9f833646164e7535e658d34544aca3332de4f
                                                    • Opcode Fuzzy Hash: a9dee0f8cc985192ff484047ca08529a1a148b000407021d9481890e980a836e
                                                    • Instruction Fuzzy Hash: 496157B41183808BD310DF19D590A2BBBF1EFA9348F448A1DF4D98B361E379D945CB9A
                                                    Function 004245B2 Relevance: 1.4, Strings: 1, Instructions: 177COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: ;:=<
                                                    • API String ID: 0-1779823811
                                                    • Opcode ID: d7cf41c593dafe189703766217f07bcb7da7493534416e4977083e4fcb245e79
                                                    • Instruction ID: 10d54047df2c23f4efc75173e848d88c95265582d0f7e41eebf34b18008f60d0
                                                    • Opcode Fuzzy Hash: d7cf41c593dafe189703766217f07bcb7da7493534416e4977083e4fcb245e79
                                                    • Instruction Fuzzy Hash: E951D135608212CBE318CF28D89072AB3E6FF89310F598A7DE98697295C735ED51CB85
                                                    Function 00444E20 Relevance: 1.4, Strings: 1, Instructions: 116COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID: @
                                                    • API String ID: 2994545307-2766056989
                                                    • Opcode ID: 1fd54fb11f3b16044df376fed7a3057723646f5411a19f1861e0da6cc362ea88
                                                    • Instruction ID: 2cf5eeee5896afde7953fdda4c5f5e8eb1f498716a8732b76b49b6fe11196fd1
                                                    • Opcode Fuzzy Hash: 1fd54fb11f3b16044df376fed7a3057723646f5411a19f1861e0da6cc362ea88
                                                    • Instruction Fuzzy Hash: 4131C9761083008FD300DF18D88166BFBF5EFC9314F15892EE99893361D379E9098B9A
                                                    Function 0040BD20 Relevance: .8, Instructions: 815COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ffb689b7b41ede0b7afca7bb811061be4110ac4c0c57ee5ef0b5f8f6eb66e822
                                                    • Instruction ID: c98403a2d3f1ec4dfdb10c64a169b014944577431bc9eed585416699b64a2be3
                                                    • Opcode Fuzzy Hash: ffb689b7b41ede0b7afca7bb811061be4110ac4c0c57ee5ef0b5f8f6eb66e822
                                                    • Instruction Fuzzy Hash: 7B529E32518711CBC725DF18C88026BB3E2FFD4314F198A3ED996A7385D739A855CB8A
                                                    Function 0042F7D5 Relevance: .7, Instructions: 720COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f043323f2f5e430c736272b0ad9861b00202b0f88244e1313804f400a9a94641
                                                    • Instruction ID: a8c0d66fa211b821de137a80d5673d4424c77471b637e32700bd05941767ddee
                                                    • Opcode Fuzzy Hash: f043323f2f5e430c736272b0ad9861b00202b0f88244e1313804f400a9a94641
                                                    • Instruction Fuzzy Hash: CE427C74205B418BE329CF35C4A0BA3BBF1AF56305F54896DD4EB87781DB39A809CB54
                                                    Function 0040B210 Relevance: .7, Instructions: 670COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 24cfd1d151ca5395e9b176ebef6d35f6c14d16ac47cf349d19db00b1eec2ac9b
                                                    • Instruction ID: 085f55471be8870166fd1fac95173a8561750e404de1d2b07c04ecf65871923d
                                                    • Opcode Fuzzy Hash: 24cfd1d151ca5395e9b176ebef6d35f6c14d16ac47cf349d19db00b1eec2ac9b
                                                    • Instruction Fuzzy Hash: E85281B0908B888FE7358B24C4847A7BBE1EB95314F14493EC5D616BC2C37DA985C79E
                                                    Function 00407170 Relevance: .7, Instructions: 657COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e36b86faa8d1ccc44319ff8b12de4c9a00c6cc4713396a6e4696e49310e88840
                                                    • Instruction ID: ddae08f672659cb3e06262a62db35f63c9ce1edbe075ded1709f6ecec4435b1d
                                                    • Opcode Fuzzy Hash: e36b86faa8d1ccc44319ff8b12de4c9a00c6cc4713396a6e4696e49310e88840
                                                    • Instruction Fuzzy Hash: 5E52C43190C3458FCB15CF24C0906AABBE1BF85314F198A7EE89967391D778F949CB86
                                                    Function 00407B70 Relevance: .6, Instructions: 592COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 24cd43de3cdbd594c72bd9c5be75b86f845bb2be6e409d99bc37e02cd0a05f52
                                                    • Instruction ID: 75943819cb0a7155e141e038501b9cef2516bfc30106b2b5fa55fd07317ba367
                                                    • Opcode Fuzzy Hash: 24cd43de3cdbd594c72bd9c5be75b86f845bb2be6e409d99bc37e02cd0a05f52
                                                    • Instruction Fuzzy Hash: 05324470919B118FC328CF29C680526BBF2BF85710B604A2ED69797F90D73AF845CB19
                                                    Function 0040A1E0 Relevance: .4, Instructions: 399COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: cfd7a6b0a0773c1ea9abbcbefa0960f75d1483f1f2240e8e730af0bf15e4d157
                                                    • Instruction ID: 51ef10332a94d167fd3e8e56e62fb191be0686376163e2e86ed0b62654271d09
                                                    • Opcode Fuzzy Hash: cfd7a6b0a0773c1ea9abbcbefa0960f75d1483f1f2240e8e730af0bf15e4d157
                                                    • Instruction Fuzzy Hash: A4E17A71108341CFC720DF29C880A2BBBE1EF99304F488D2DE4D597792E679E958CB96
                                                    Function 0042B207 Relevance: .4, Instructions: 361COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 72b438ebdcbadcecc71a9fd92d374010766e35ea9158ae403d9a740d84f6acc1
                                                    • Instruction ID: ad96692ec7c32086046f2212e5f5e69169fdda7e6155af532200af06e1e27d3f
                                                    • Opcode Fuzzy Hash: 72b438ebdcbadcecc71a9fd92d374010766e35ea9158ae403d9a740d84f6acc1
                                                    • Instruction Fuzzy Hash: 62D101B15083919FD720CF18D49065FBBE1AF86308F444A2EE5D54B392E339E949CBDA
                                                    Function 004455B0 Relevance: .3, Instructions: 308COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a1b4b39065eff32c36c3512c4cf38f1bc0d333211d9f5dad7e566fbbddbdb008
                                                    • Instruction ID: daafef3cdaecc38103601165183cbed3b6a4a9f8a4fa91ee9cfaeaa7e041acac
                                                    • Opcode Fuzzy Hash: a1b4b39065eff32c36c3512c4cf38f1bc0d333211d9f5dad7e566fbbddbdb008
                                                    • Instruction Fuzzy Hash: CCA1C2356087028FDB14DF18D880A2BB3F2EF89750F19892DE89587352E738EC51CB96
                                                    Function 0040AD80 Relevance: .3, Instructions: 303COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1fa9c47e46ac6f1e3e767f147b4497d485e3dca5418f2e5b0a5d4b85ccafc4c9
                                                    • Instruction ID: 6d458b4306b138c9adb75e1eb75a19523b5075fff371224b80d1d49cb74e8935
                                                    • Opcode Fuzzy Hash: 1fa9c47e46ac6f1e3e767f147b4497d485e3dca5418f2e5b0a5d4b85ccafc4c9
                                                    • Instruction Fuzzy Hash: 96C15CB29487418FC360CF28DC96BABB7E1FF85318F08492DD1D9D6242E778A155CB4A
                                                    Function 004452A0 Relevance: .3, Instructions: 300COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6fb7c365b51d7b209f759a3f285d99ce201e2e83079cfed763b4784c11128970
                                                    • Instruction ID: c784820f775ad54184de76f0a8c5ab3b25cff8a17dd85277819e5963e4525e05
                                                    • Opcode Fuzzy Hash: 6fb7c365b51d7b209f759a3f285d99ce201e2e83079cfed763b4784c11128970
                                                    • Instruction Fuzzy Hash: F79127356097118BDB14DF18D880A2BB3F2FF98710F59892DE98547356E774EC41CB86
                                                    Function 00444F70 Relevance: .3, Instructions: 299COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 541d747014368a8d14c81d6168bc828bec7d0c451c1a0a9179e5bcfae9a219d0
                                                    • Instruction ID: 3deb77510c72dbb2f8398628f508d3a7fe30cdd73563657d919194e91e4a4876
                                                    • Opcode Fuzzy Hash: 541d747014368a8d14c81d6168bc828bec7d0c451c1a0a9179e5bcfae9a219d0
                                                    • Instruction Fuzzy Hash: 5791B2356087418BEB10DF28C880A2BB7E2EFD8754F19892DE4C497366D735EC51CB9A
                                                    Function 00401A7B Relevance: .3, Instructions: 277COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 89517c33762e9bcf5175ddcbed9ffd07013c1271baad59252f6856e3dca12045
                                                    • Instruction ID: 6b2feca60294e4fd8b644ac739d48bb423d146197eb798e1530de63304511825
                                                    • Opcode Fuzzy Hash: 89517c33762e9bcf5175ddcbed9ffd07013c1271baad59252f6856e3dca12045
                                                    • Instruction Fuzzy Hash: 39A1E872A083008BC319DE14C54066FBBE2EBD4750F248A2EF895A73E0E679DD058BC6
                                                    Function 0042B850 Relevance: .3, Instructions: 272COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e91e7ef5012a9d6f7092305a30775ca8665cfd1060600a9717cecbd03c80fc77
                                                    • Instruction ID: 98981493e3bba88d88019772288aa59a6c7c60659fee8d0993b67705b7f9d430
                                                    • Opcode Fuzzy Hash: e91e7ef5012a9d6f7092305a30775ca8665cfd1060600a9717cecbd03c80fc77
                                                    • Instruction Fuzzy Hash: 9381CDB02083118BC724DF19D8A0B2BB7F1FF96344F444A1DE5C68B361E7399944CB9A
                                                    Function 0041385E Relevance: .3, Instructions: 255COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b9fa7438fc35eff4103cb348c4798658d56a2b13ce8f8a4a4dabf966cb44a435
                                                    • Instruction ID: 69f8453038c0fe0e3fec84876262e0de3ed6a4bdd41f35798ff1fefeb4f883ac
                                                    • Opcode Fuzzy Hash: b9fa7438fc35eff4103cb348c4798658d56a2b13ce8f8a4a4dabf966cb44a435
                                                    • Instruction Fuzzy Hash: 8C71BEB1A083418BD725CF18C4806ABB7F5AFDA314F08091EE58597351EB78DD86CB9A
                                                    Function 00406830 Relevance: .2, Instructions: 238COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1db54d4ccd1b0cbe6f4b26b2980aba524f0ebea1979bd1db9c0b947cd43275ed
                                                    • Instruction ID: e56af9b0e153743ceab91331a75cb0f06527d55caab59bb05a74ce773cb9edf0
                                                    • Opcode Fuzzy Hash: 1db54d4ccd1b0cbe6f4b26b2980aba524f0ebea1979bd1db9c0b947cd43275ed
                                                    • Instruction Fuzzy Hash: FD71D0FB11AA6295C3155B095611723F671AFC0700B37D22B892BA7798F739E432938F
                                                    Function 0042C830 Relevance: .2, Instructions: 208COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b73b2d9308f3d656b6a2a7a0a6748ad591a4be7fffd786f8a8edbc0aa11dd86d
                                                    • Instruction ID: 8665ae8d2ef4274cefd69b00516bffaa4150326f41b5a73b9714f1fca0237846
                                                    • Opcode Fuzzy Hash: b73b2d9308f3d656b6a2a7a0a6748ad591a4be7fffd786f8a8edbc0aa11dd86d
                                                    • Instruction Fuzzy Hash: 725137B2B083285FD714DF25988571FBAD5ABC0718F49C12EE49987381D778DD0583DA
                                                    Function 004397D0 Relevance: .2, Instructions: 189COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c8d23429eb03083d8ad6b52875692930ce62021611f4812b27f6aac4f420f026
                                                    • Instruction ID: b52e2e638bb83260e349708a2177c42ab19b851cb4a349905f271aa67ae4f37e
                                                    • Opcode Fuzzy Hash: c8d23429eb03083d8ad6b52875692930ce62021611f4812b27f6aac4f420f026
                                                    • Instruction Fuzzy Hash: 00515BB15087548FE314DF29D89435BBBE1BBC8318F044A2EE5E987351E379DA088B86
                                                    Function 00405910 Relevance: .2, Instructions: 169COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b304f1c3acf7e055eea70898bf7f3b51e78e85610922dbae80221be761240bc0
                                                    • Instruction ID: 84600a5a72d41224035c938b17b57d4d78ca880ef0856468fb4886854bf3a8b4
                                                    • Opcode Fuzzy Hash: b304f1c3acf7e055eea70898bf7f3b51e78e85610922dbae80221be761240bc0
                                                    • Instruction Fuzzy Hash: 265194B5A04601DFC714DF18C880927B7A1FF89324F15467DE89AAB392D635EC42CF96
                                                    Function 0042A94A Relevance: .2, Instructions: 168COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4097c4d668b07840a08841d5ba5a022cdbd81fdd918845e7a00fe092733f14c0
                                                    • Instruction ID: da890686cfddcd47ea3fff0e897f1dfe52e0e210aa17af2cb442aa14314c51bf
                                                    • Opcode Fuzzy Hash: 4097c4d668b07840a08841d5ba5a022cdbd81fdd918845e7a00fe092733f14c0
                                                    • Instruction Fuzzy Hash: 4E51C6B16083018FC718CF29D89062BB7E1BBC9314F598A2DE99AD3391D734E911CB4A
                                                    Function 00409A1B Relevance: .1, Instructions: 145COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ef44cdcc7bcae8af0dbe58a88dd9cccf6d427f416859e83725aacb9156ea9fd7
                                                    • Instruction ID: 4b23259ba79ec0a1913fcbf3f108ef29bdc6421fdcdca44d4b9fd66bd4c4db29
                                                    • Opcode Fuzzy Hash: ef44cdcc7bcae8af0dbe58a88dd9cccf6d427f416859e83725aacb9156ea9fd7
                                                    • Instruction Fuzzy Hash: 75514F3510D380DFC345CB28888055FBFA2AFEA204F898AADF4C457392C274DA55DB9B
                                                    Function 00442660 Relevance: .1, Instructions: 127COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ecafd30ecd7930da6313a0b2cb8eb323e6db9b63088d15aa7e554d3f24f13c9d
                                                    • Instruction ID: 714100fce6a6a794f8c4bb85f04cc778d4cc8dd0a5b9ce25332e30678837f1e3
                                                    • Opcode Fuzzy Hash: ecafd30ecd7930da6313a0b2cb8eb323e6db9b63088d15aa7e554d3f24f13c9d
                                                    • Instruction Fuzzy Hash: F7316B36A0C6200BD71CDE2885A013BF7E59FD9714F49866FD8CBA7351DA749D0087C5
                                                    Function 004111F0 Relevance: .1, Instructions: 122COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 050f3d1b8287ff37b6e4b7f8afd4813e4f7f9337777db314c5a9f777fd1047af
                                                    • Instruction ID: 15a77a96e745bd93e006d73bc174308c37c32b65b7ff0fe062d82c29fcd21286
                                                    • Opcode Fuzzy Hash: 050f3d1b8287ff37b6e4b7f8afd4813e4f7f9337777db314c5a9f777fd1047af
                                                    • Instruction Fuzzy Hash: F341017261C2940FD3189B3E8C9426ABBD2ABC6310F18876EF1F6C63E5E638C546D715
                                                    Function 00421480 Relevance: .1, Instructions: 110COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ae63690fab8c949ee8865829c966e35f6a4ebb0857d76466a2797e55f962ba03
                                                    • Instruction ID: 349dccd50d9dfb68e302af2f56dbe935bef85b49f522fe413797f301a3980c70
                                                    • Opcode Fuzzy Hash: ae63690fab8c949ee8865829c966e35f6a4ebb0857d76466a2797e55f962ba03
                                                    • Instruction Fuzzy Hash: 9D31D1716083109BC310EF28D49196BB7F5EFA6764F45891EE4CA87361E338D944CBAA
                                                    Function 0042B6C3 Relevance: .1, Instructions: 109COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 588cb8c7d273cc64918444ca8a87a3a84a6c3ae80f003652835973a56b607b3f
                                                    • Instruction ID: c3e4db7110fe74d7d075b367fd37a6a76309301a8d0318332100a478a0112648
                                                    • Opcode Fuzzy Hash: 588cb8c7d273cc64918444ca8a87a3a84a6c3ae80f003652835973a56b607b3f
                                                    • Instruction Fuzzy Hash: 1A418878608311DBC3209F28E89162FB7F1FFCA345F44492DE49597262E338E854CB9A
                                                    Function 00444990 Relevance: .1, Instructions: 96COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 27c1b670d2361d1079ba90a41ef7744faa605d83241963ebbe2d09396b56bdf0
                                                    • Instruction ID: ea52048f1a944e16fba5ba437e0a6a3c7f7d5b2976194f613a2e00922ab37631
                                                    • Opcode Fuzzy Hash: 27c1b670d2361d1079ba90a41ef7744faa605d83241963ebbe2d09396b56bdf0
                                                    • Instruction Fuzzy Hash: CF21EC35A48302ABE710CF14C880A6BB7F6EBC5710F15892DE894A7356E334ED01CB9A
                                                    Function 00406DB0 Relevance: .1, Instructions: 78COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 96c34292e138f7faf82d3d20b2d687582c3beb73828cc30e3ad7d79698e550c3
                                                    • Instruction ID: 4979a74e44f8425b987ba4bf2603c482b53390088c99a33d65bc3a89c68843e6
                                                    • Opcode Fuzzy Hash: 96c34292e138f7faf82d3d20b2d687582c3beb73828cc30e3ad7d79698e550c3
                                                    • Instruction Fuzzy Hash: D811BE3AB102714BEB188E65DCE157A3353EBC632570B013ECA87AB2D5CE34E821D295
                                                    Function 00440FC0 Relevance: .1, Instructions: 75COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 76e8897a1c1fd68eae7644ce18fb1d6efa6cf4f477d11d3073f6c08448a7253f
                                                    • Instruction ID: 10949335c6e8db7529d2d355206a60eda3894a8edbefd203bb6c40a8b0bfda69
                                                    • Opcode Fuzzy Hash: 76e8897a1c1fd68eae7644ce18fb1d6efa6cf4f477d11d3073f6c08448a7253f
                                                    • Instruction Fuzzy Hash: 9421057550D240DBD308EF15E861A2BBBF1EFAA304F058A2DE4C607691DB39D811CB8B
                                                    Function 004377C0 Relevance: .1, Instructions: 64COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                    • Instruction ID: b9e4f460adacbcdd6ffe89789d9a29c015f18a9eab9e8059a9a03bef9643be00
                                                    • Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                    • Instruction Fuzzy Hash: 9A112C33B491D40EC3269D3C8444565BF930A97334F29939AF4F4972D2D6268D8AC369
                                                    Function 0042CC00 Relevance: .1, Instructions: 63COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 169fe864ddc4952e885a2c6b5dcf54bcc3d4a26b14dd1ea5cca18845d8bd715f
                                                    • Instruction ID: 246730fd2fc7bb5b857b6a85b8ae68d273b1997aee4a0180e997dd81f9634880
                                                    • Opcode Fuzzy Hash: 169fe864ddc4952e885a2c6b5dcf54bcc3d4a26b14dd1ea5cca18845d8bd715f
                                                    • Instruction Fuzzy Hash: 390192B270031197D620AF17A5C0B2BB2A86B82718F18863ED40C57341EB79EC0482DD
                                                    Function 00419C70 Relevance: .0, Instructions: 38COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1065792dbc4dadda288b38ec78cd6294db534e3edb90cb6668cca7c4c7b3460b
                                                    • Instruction ID: 83b3dfbe2b976c6c34435edcd1f76836e7ce06c16df8a9d9fa0bff187853c2c7
                                                    • Opcode Fuzzy Hash: 1065792dbc4dadda288b38ec78cd6294db534e3edb90cb6668cca7c4c7b3460b
                                                    • Instruction Fuzzy Hash: 8DF0A7B160411067DB228A559C90BB7BBDDCB9B354F19041AE98557202E2695CC4C3ED
                                                    Function 004253CA Relevance: .0, Instructions: 34COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4ae80a75b62acee4c1593c848a833a7e86a2ca8bb8c09de1afc3019e652e2e24
                                                    • Instruction ID: c69fb40861576c9a05011dde5bc57b4bc097552761d503d246aad17bd879e000
                                                    • Opcode Fuzzy Hash: 4ae80a75b62acee4c1593c848a833a7e86a2ca8bb8c09de1afc3019e652e2e24
                                                    • Instruction Fuzzy Hash: 84F0C974A98305BFF5348F41DC43F2AB3A4E746B04F601429B741BA0E1E6E1F9558B5E
                                                    Function 0043CC60 Relevance: .0, Instructions: 21COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
                                                    • Instruction ID: 62fdf93d340c72280b8107e611c3cab98923324c71eb9918cc6122ee8e573641
                                                    • Opcode Fuzzy Hash: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
                                                    • Instruction Fuzzy Hash: 2FD05E316483214AAB648E29A4509B7F7E0EA8BB11F49A55FF586E3258D234DC41C3AD
                                                    Function 0040E656 Relevance: .0, Instructions: 18COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7ef92e27cbd43259fe9f22daf61f5ff14f2a3376329248505b34cc13503e50b9
                                                    • Instruction ID: f8bc9fb6d49b7ae50db227d7975ed3b8fa61ad3e1706285a094074cf915fa8cb
                                                    • Opcode Fuzzy Hash: 7ef92e27cbd43259fe9f22daf61f5ff14f2a3376329248505b34cc13503e50b9
                                                    • Instruction Fuzzy Hash: 90D0A72164441147C71C8D3CCCE26F873A75BD2215F48622D5013C65C6DD7D811B8604
                                                    Function 004331ED Relevance: 84.1, APIs: 1, Strings: 47, Instructions: 149memoryCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID: AllocString
                                                    • String ID: $!$#$%$'$($)$+$-$/$0$0$1$2$3$5$7$9$;$<$<$=$?$@$B$D$G$G$I$K$O$O$Q$Q$Y$\$\$]$]$a$n$n$q$r$s$u$v
                                                    • API String ID: 2525500382-2316561823
                                                    • Opcode ID: b604179f1e1779d0420cfeffb26bd550e70109aa8d07c068dc570fb42a07ddc5
                                                    • Instruction ID: c5a3b74fb0c69f55495ff260317141503591dd28b9b0a4eb816a26b0d4f394c1
                                                    • Opcode Fuzzy Hash: b604179f1e1779d0420cfeffb26bd550e70109aa8d07c068dc570fb42a07ddc5
                                                    • Instruction Fuzzy Hash: 8191926010D7C1CDE332DB28C44879FBEE16BA6348F18499ED5D94B392C7BA8549CB27
                                                    Function 00431EF6 Relevance: 56.2, APIs: 1, Strings: 31, Instructions: 162memoryCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID: AllocString
                                                    • String ID: !$#$%$&$'$($)$+$,$-$/$0$1$3$5$7$9$9$;$=$?$E$E$H$L$O$O$S$e$f$g
                                                    • API String ID: 2525500382-2112282509
                                                    • Opcode ID: 630f98c62b5d8aafd47d5c318cd602495b81b7e9ae0fff3c7cf6dacbbdabd989
                                                    • Instruction ID: cc694c5ee965059b759d8dc414ddac769d36221416d81d681235032b7254c5ce
                                                    • Opcode Fuzzy Hash: 630f98c62b5d8aafd47d5c318cd602495b81b7e9ae0fff3c7cf6dacbbdabd989
                                                    • Instruction Fuzzy Hash: 66A1A07000CBC5CAD3329A2895887DFBFD15BA6328F084A9DE1E84B3D2D7B94549C767
                                                    Function 004336EC Relevance: 26.3, APIs: 2, Strings: 13, Instructions: 61COMMON
                                                    Download Yara Rule
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID: Variant$ClearInit
                                                    • String ID: Q$S$U$V$W$Y$[$]$_$a$c$e$g
                                                    • API String ID: 2610073882-336139966
                                                    • Opcode ID: 6fa014d9318d415b54d9ee3a6d1c08e26a4444c171dc9409b021b14561fd21a1
                                                    • Instruction ID: 902933c323b5c439b3e4bfa6bb74ef9ed7566ebe73ae92ea5607c7b364a2fdf4
                                                    • Opcode Fuzzy Hash: 6fa014d9318d415b54d9ee3a6d1c08e26a4444c171dc9409b021b14561fd21a1
                                                    • Instruction Fuzzy Hash: C731F46400C7C0DED362DB28859870FFFD05B9A329F485A8DF4E84B2D2C7A98549CB27
                                                    Function 00433DAE Relevance: 26.3, APIs: 2, Strings: 13, Instructions: 59COMMON
                                                    Download Yara Rule
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID: Variant$ClearInit
                                                    • String ID: Q$S$U$V$W$Y$[$]$_$a$c$e$g
                                                    • API String ID: 2610073882-336139966
                                                    • Opcode ID: e915fa10a2969efea73bb9dedfc0eef415a5d6b6c8e48d2a8f3c9a476faa1c69
                                                    • Instruction ID: 951b67dac9369e8281b9016b7b67e6a73f483ed8d1d63cf69136cfcf24e0fe68
                                                    • Opcode Fuzzy Hash: e915fa10a2969efea73bb9dedfc0eef415a5d6b6c8e48d2a8f3c9a476faa1c69
                                                    • Instruction Fuzzy Hash: 1731C46000C7C0DED362DB2C849861FBFD05BA6329F581A9DF4E94A2D2C7658545CB27
                                                    Function 00430BB9 Relevance: 24.6, APIs: 2, Strings: 12, Instructions: 79COMMON
                                                    Download Yara Rule
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID: Variant$ClearInit
                                                    • String ID: A$C$E$G$I$K$u$v$w$y${$}
                                                    • API String ID: 2610073882-2408785072
                                                    • Opcode ID: c1a8960b9d3bb2eb80ae371d27c5397c45177d1fb28a0eaff059d0d4717a8757
                                                    • Instruction ID: c4d05145f4afd4a50d356701effe5adf7006aa98f706be198e0e92a482b60cc5
                                                    • Opcode Fuzzy Hash: c1a8960b9d3bb2eb80ae371d27c5397c45177d1fb28a0eaff059d0d4717a8757
                                                    • Instruction Fuzzy Hash: 0C41117000C7C18ED362DB28809875FBFE0ABA6218F485E5DF4E94B392C7799509CB63
                                                    Function 0043155B Relevance: 24.6, APIs: 2, Strings: 12, Instructions: 75COMMON
                                                    Download Yara Rule
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID: Variant$ClearInit
                                                    • String ID: A$C$E$G$I$K$u$v$w$y${$}
                                                    • API String ID: 2610073882-2408785072
                                                    • Opcode ID: 43c2648e8868d20c0e47c34cbf44d204abeae84971f07689060d563013f8179b
                                                    • Instruction ID: a84687eec032f7c8c23da8e286f8a6d5cd3e4771f01d70cef0b743f9f2883db3
                                                    • Opcode Fuzzy Hash: 43c2648e8868d20c0e47c34cbf44d204abeae84971f07689060d563013f8179b
                                                    • Instruction Fuzzy Hash: 6141F67040C7C19ED361DB28808875FBFE06BA6218F481A5DF5E54B3A2C7799505CB63
                                                    Function 004325B8 Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 79COMMON
                                                    Download Yara Rule
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID: Variant$ClearInit
                                                    • String ID: "$:$C$E$E$L$M$U$^$_
                                                    • API String ID: 2610073882-213040874
                                                    • Opcode ID: bfe26a4d7d2d74e057547bb00dfb683fd5242a9eef363f82847dd2b3b6112fa1
                                                    • Instruction ID: aeb86a5304e490c91c92eaa1ffa2a77e3d55db7a7b27f00c726cb152056b46f8
                                                    • Opcode Fuzzy Hash: bfe26a4d7d2d74e057547bb00dfb683fd5242a9eef363f82847dd2b3b6112fa1
                                                    • Instruction Fuzzy Hash: 5141B17000C7C18ED3329B38855979BBFE0ABA6324F048A9DE4E9873D2CB748505DB63
                                                    Function 00431773 Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 68COMMON
                                                    Download Yara Rule
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID: InitVariant
                                                    • String ID: )$+$-$/$1$3$5$6$7
                                                    • API String ID: 1927566239-358129330
                                                    • Opcode ID: 0ea3fdfbcc4008a7c5bafaac40808199bbb937aa6d46fd5723f17cd370f155c0
                                                    • Instruction ID: baaba33a3257e9346e4fc850ab524f06a21c724cc955a6502bbf775c3c04862c
                                                    • Opcode Fuzzy Hash: 0ea3fdfbcc4008a7c5bafaac40808199bbb937aa6d46fd5723f17cd370f155c0
                                                    • Instruction Fuzzy Hash: AD31D57010C3C28ED331DB28C458BAFBBE0AB96314F048D6EE4EA57292D6B99505DB57
                                                    Function 00431900 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 171COMMON
                                                    Download Yara Rule
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID: String
                                                    • String ID: !$'$*$U$`$d$u
                                                    • API String ID: 2568140703-1018339559
                                                    • Opcode ID: 598cbf16af6298d7c1a9c9da71668084f810fb219f96cdec55364d2e05da010e
                                                    • Instruction ID: 117bbdce8176ffd1276924e32036fd7270300a7f4665680a6f487d04281282dd
                                                    • Opcode Fuzzy Hash: 598cbf16af6298d7c1a9c9da71668084f810fb219f96cdec55364d2e05da010e
                                                    • Instruction Fuzzy Hash: A46184716087D08FC735DE2CC4503AEB6E2AFD9324F194A2EE4EA973D1DA399801C756
                                                    Function 00411874 Relevance: 9.2, APIs: 6, Instructions: 199COMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • ExitProcess.KERNEL32(00000001), ref: 00411A56
                                                    • ExitProcess.KERNEL32(00000003), ref: 00411A76
                                                    • ExitProcess.KERNEL32(00000001), ref: 00411A96
                                                    • ExitProcess.KERNEL32(00000001), ref: 00411AB6
                                                    • ExitProcess.KERNEL32(00000001), ref: 00411AF1
                                                    • ExitProcess.KERNEL32(00000001), ref: 00411B11
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID: ExitProcess
                                                    • String ID:
                                                    • API String ID: 621844428-0
                                                    • Opcode ID: 4dcc8c219abed9a18d9ae63352fd4296315ab4db157d53791751d3ccf4539c58
                                                    • Instruction ID: c2c640747f17c2d0a49a4ba3f686c517224415d64303dc4eefbdf54af61f2ad6
                                                    • Opcode Fuzzy Hash: 4dcc8c219abed9a18d9ae63352fd4296315ab4db157d53791751d3ccf4539c58
                                                    • Instruction Fuzzy Hash: 3C5195B46093409BE320EB65AC91B9F77E5AFC835CF44093DE44957383DB389948CA5B
                                                    Function 00411B2E Relevance: 9.2, APIs: 6, Instructions: 184COMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • ExitProcess.KERNEL32(00000001), ref: 00411CF4
                                                    • ExitProcess.KERNEL32(00000003), ref: 00411D14
                                                    • ExitProcess.KERNEL32(00000001), ref: 00411D34
                                                    • ExitProcess.KERNEL32(00000001), ref: 00411D54
                                                    • ExitProcess.KERNEL32(00000001), ref: 00411D8F
                                                    • ExitProcess.KERNEL32(00000001), ref: 00411DAF
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID: ExitProcess
                                                    • String ID:
                                                    • API String ID: 621844428-0
                                                    • Opcode ID: 4f56a865cb4285b81b4429889d56d333f013488773c0bd919c6bd6570b5a9ec3
                                                    • Instruction ID: 48ca39626bf6541d1e311881277080fa1b3707daefad267618642837951fea99
                                                    • Opcode Fuzzy Hash: 4f56a865cb4285b81b4429889d56d333f013488773c0bd919c6bd6570b5a9ec3
                                                    • Instruction Fuzzy Hash: 7B51C8B46093809BE220FB55A851BAF77E2AFC931CF44092DF44967382DB38A545CA5B
                                                    Function 00411DCF Relevance: 6.4, APIs: 1, Strings: 3, Instructions: 441COMMON
                                                    Download Yara Rule
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID: Uninitialize
                                                    • String ID: <$HWRY$X0
                                                    • API String ID: 3861434553-2859900378
                                                    • Opcode ID: 09674b4d459f33da620ca18d11d19b716527a5c0a971a35fef4034c5a34a7a11
                                                    • Instruction ID: c178f9f484a8f36bf57d43fd5f67e852f2a7dbdfdbcc63b7355af7c5a491a859
                                                    • Opcode Fuzzy Hash: 09674b4d459f33da620ca18d11d19b716527a5c0a971a35fef4034c5a34a7a11
                                                    • Instruction Fuzzy Hash: 98E1CCB94093909BD730CF25D49479BBBE2AFCA304F088A5DE8C95B355C7389945CB8B
                                                    Function 0043ACD0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23comCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • CoCreateInstance.OLE32(00448100,00000000,00000001,004480F0,00000000), ref: 0043ACF6
                                                    • CoCreateInstance.OLE32(00448100,00000000,00000001,004480F0,00000000), ref: 0043AD42
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2306517943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                    Similarity
                                                    • API ID: CreateInstance
                                                    • String ID: \
                                                    • API String ID: 542301482-2967466578
                                                    • Opcode ID: 63a2c3b3162b2c9892f2d763949490ac2e26b6f3f40d0521f6e98b97014733f7
                                                    • Instruction ID: 7edd22554fc71cad2ea02e2e74c246edba0fcd1a411a9d0664b0c2697e57ee86
                                                    • Opcode Fuzzy Hash: 63a2c3b3162b2c9892f2d763949490ac2e26b6f3f40d0521f6e98b97014733f7
                                                    • Instruction Fuzzy Hash: 8EF014B4298342AFF320DF40DC59B5FBAE4BB85709F10491DF294591D0CBF9954C8B9A