
Windows Analysis Report
Jaws.exe

Overview

General Information

Sample name: Jaws.exe
Analysis ID: 1534241
MD5: 82a93f4476efbfee119eb6cec32b0e8d
SHA1: 447aa1e180bd5d26388bbdb699ecae2477d24162
SHA256: 2d42e49addb09860700c9862f7416ee6da56a06d5a8580bede68ae7dac28993a
Tags: exe, Stealc, stealer, user-kddx0178318

Detection

Stealc
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Jaws.exe (PID: 5376 cmdline: "C:\Users\user\Desktop\Jaws.exe" MD5: 82A93F4476EFBFEE119EB6CEC32B0E8D)
    • BitLockerToGo.exe (PID: 4340 cmdline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://45.66.248.237/9e6547173a597645.php", "Botnet": "s5"}
Yara matches in memory dumps (Source | Rule | Description | Author):
  • 00000001.00000002.2522681012.0000000002990000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
  • 00000001.00000002.2523138286.0000000002D87000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
  • 00000000.00000002.2306788327.0000000002A8E000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
  • 00000000.00000002.2306788327.0000000002A3A000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
  • 00000001.00000002.2522728061.00000000029F2000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Yara matches in unpacked PE files (Source | Rule | Description | Author):
  • 1.2.BitLockerToGo.exe.2990000.0.raw.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
  • 0.2.Jaws.exe.2be2000.6.raw.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
  • 0.2.Jaws.exe.2a3a000.5.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
  • 0.2.Jaws.exe.2a3a000.5.raw.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
  • 0.2.Jaws.exe.2be2000.6.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: 00000000.00000002.2306788327.0000000002A3A000.00000004.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: StealC {"C2 url": "http://45.66.248.237/9e6547173a597645.php", "Botnet": "s5"}
Source: Jaws.exe | ReversingLabs: Detection: 55%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: Jaws.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Jaws.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: BitLockerToGo.pdb | source: Jaws.exe, 00000000.00000002.2306788327.00000000029FE000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdbGCTL | source: Jaws.exe, 00000000.00000002.2306788327.00000000029FE000.00000004.00001000.00020000.00000000.sdmp

Networking

Source: Malware configuration extractor | URLs: http://45.66.248.237/9e6547173a597645.php
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: 45.66.248.237 Connection: Keep-Alive Cache-Control: no-cache
Source: Joe Sandbox View | ASN Name: FREERANGECLOUDCA FREERANGECLOUDCA
Source: unknown | TCP traffic detected without corresponding DNS query: 45.66.248.237
Source: BitLockerToGo.exe, 00000001.00000002.2523138286.0000000002D87000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.66.248.237
Source: BitLockerToGo.exe, 00000001.00000002.2523138286.0000000002D87000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2523138286.0000000002DD5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.66.248.237/
Source: BitLockerToGo.exe, 00000001.00000002.2523138286.0000000002DD5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.66.248.237/;
Source: Jaws.exe, program.js.0.dr | String found in binary or memory: http://json-schema.org/draft-07/schema
Source: program.js.0.dr | String found in binary or memory: http://json-schema.org/draft-07/schema#
Source: Jaws.exe, program.js.0.dr | String found in binary or memory: http://json-schema.org/schema
Source: Jaws.exe | String found in binary or memory: https://GOMIPS64rva20u64rva22u64.satconv.signext00000000proto:
Source: Jaws.exe, program.js.0.dr | String found in binary or memory: https://aws.amazon.com
Source: Jaws.exe | String found in binary or memory: https://doi.org/GTB
Source: Jaws.exe, program.js.0.dr | String found in binary or memory: https://github.com/aws/jsii
Source: Jaws.exe, program.js.0.dr | String found in binary or memory: https://github.com/aws/jsii.git
Source: Jaws.exe, program.js.0.dr | String found in binary or memory: https://github.com/aws/jsii/issues
Source: program.js.0.dr | String found in binary or memory: https://github.com/jprichardson/node-fs-extra/issues/269
Source: program.js.0.dr | String found in binary or memory: https://raw.githubusercontent.com/ajv-validator/ajv/master/lib/refs/data.json#
Source: Jaws.exe, 00000000.00000002.2306788327.00000000029FE000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs Jaws.exe
Source: Jaws.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine | Classification label: mal92.troj.evad.winEXE@3/4@0/1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 1_2_029A8680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,1_2_029A8680
Source: C:\Users\user\Desktop\Jaws.exe | File created: C:\Users\user\AppData\Local\Temp\jsii-runtime.656451430
Source: Jaws.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Jaws.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Jaws.exe | ReversingLabs: Detection: 55%
Source: Jaws.exe | String found in binary or memory: github.com/mmcloughlin/addchain
Source: Jaws.exe | String found in binary or memory: $github.com/mmcloughlin/addchain/meta
Source: Jaws.exe | String found in binary or memory: $*descriptor.FileOptions_OptimizeMode$*func(*gob.encEngine) *gob.encEngine$*map.bucket[reflect.Type]gob.gobType$github.com/mmcloughlin/addchain/meta%*struct { F uintptr; X0 *sync.Mutex }
Source: Jaws.exe | String found in binary or memory: &github.com/mmcloughlin/addchain/acc/ir
Source: Jaws.exe | String found in binary or memory: 'github.com/mmcloughlin/addchain/acc/ast
Source: Jaws.exe | String found in binary or memory: '*atomic.Pointer[encoding/gob.encEngine]'*struct { F uintptr; X0 *gob.typeInfo }'github.com/mmcloughlin/addchain/acc/ast(*func(*bisect.dedup, *bisect.dedup) bool
Source: Jaws.exe | String found in binary or memory: (github.com/mmcloughlin/addchain/acc/pass
Source: Jaws.exe | String found in binary or memory: (*descriptor.GeneratedCodeInfo_Annotation(github.com/mmcloughlin/addchain/acc/pass(*struct { F uintptr; X0 int; X1 string })validateSetNetworkConfigurationParameters
Source: Jaws.exe | String found in binary or memory: .github.com/mmcloughlin/addchain/internal/print
Source: Jaws.exe | String found in binary or memory: .github.com/mmcloughlin/addchain/internal/print/*awsapprunner.jsiiProxy_CfnVpcIngressConnection/validateSetObservabilityConfigurationParameters
Source: Jaws.exe | String found in binary or memory: Cgithub.com/consensys/gnark-crypto/field/generator/internal/addchain
Source: Jaws.exe | String found in binary or memory: Span>protobuf:"varint,2,rep,packed,name=span" json:"span,omitempty"Cgithub.com/consensys/gnark-crypto/field/generator/internal/addchainC*struct { F uintptr; X0 *gob.encOp; X1 *gob.encOp; X2 int; X3 int }
Source: Jaws.exe | String found in binary or memory: merge_operatormax_open_filesmem_table_sizebytes_per_syncmin_flush_rateGetSystemTimesresources/bin/resources/lib/fragment-startfragment-end %p: %02d/%02d
                      Source: Jaws.exeString found in binary or memory: gogoproto.protosizergogoproto.customtypegogoproto.customnamegogoproto.wktpointerinvalid map key typeJavaOuterClassname: PhpGenericServices: invalid nil Durationmmcloughlin/addchainBSD 3-Clause LicenseMorocco Standard TimeNamibia Standard TimeAlaskan Standard TimeCentral Standard TimePacific Standard TimeEastern Standard TimeSE Asia Standard TimeArabian Standard TimeMagadan Standard TimeMyanmar Standard TimeYakutsk Standard TimeBelarus Standard TimeRussian Standard TimeRomance Standard TimeSaratov Standard TimeNorfolk Standard Timetime zone offset hourinstanceConfigurationInstanceConfigurationrepositoryDescriptionrepositoryCloneUrlGrcrepositoryCloneUrlSshBRANCH_OR_TAG_CREATEDBRANCH_OR_TAG_DELETEDBRANCH_OR_TAG_UPDATEDRepositoryDescriptionRepositoryCloneUrlGrcRepositoryCloneUrlSshrepositoryCatalogDataRepositoryCatalogDatatrace/breakpoint trapuser defined signal 1user defined signal 2link has been severedpackage not installedblock device requiredstate not recoverableread-only file systemstale NFS file handleReadDirectoryChangesWNetGetJoinInformationreflect.Value.ComplexWSALookupServiceNextAWSALookupServiceNextWWSARemoveServiceClassWSCUnInstallNameSpaceWSCWriteProviderOrderWSAAsyncGetHostByAddrWSAAsyncGetHostByNameWSAAsyncGetServByPortWSAAsyncGetServByNameWSACancelAsyncRequestWSAUnhookBlockingHookWSACancelBlockingCallSafeArrayUnaccessDataSysAllocStringByteLenQueryPathOfRegTypeLibVARIANT_UserUnmarshalLPSAFEARRAY_UnmarshalSafeArrayCreateVectorOleCreateFontIndirectSami (Southern) (sma)Tajik (Cyrillic) (tg)Arabic Jordan (ar-JO)Arabic Kuwait (ar-KW)Arabic U.a.e. 
(ar-AE)Breton France (br-FR)Catalan Spain (ca-ES)Dutch Belgium (nl-BE)English India (en-IN)French Canada (fr-CA)French France (fr-FR)Fulah Nigeria (ff-NG)Hebrew Israel (he-IL)Irish Ireland (ga-IE)Italian Italy (it-IT)Kannada India (kn-IN)Maltese Malta (mt-MT)Marathi India (mr-IN)Polish Poland (pl-PL)Punjabi India (pa-IN)Quechua Peru (quz-PE)Sakha Russia (sah-RU)Spanish Chile (es-CL)Spanish Spain (es-ES)Syriac Syria (syr-SY)Thai Thailand (th-TH)Wolof Senegal (wo-SN)unsupported operationnegative shift amountsystem goroutine waitconcurrent map writes/gc/heap/allocs:bytesruntime: work.nwait= previous allocCount=, levelBits[level] = runtime: searchIdx = runtime: mappedReady=runtime: totalMapped=defer on system stackpanic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime: confused by pcHeader.textStart= timer data corruptionfeature not supportedhttp: invalid patternPrecondition RequiredInternal Server Errorkey is not comparableafter top-level valuein string escape codeunknown ABI part kind of unexported methodunexpected value stepreflect.Value.SetZeroreflect.Value.Pointerreflect.Value.SetUint186264514923095703125931322574615478515625X25519Kyber768Draft00policyValidationBeta1aws-cdk-lib.CfnOutputconstraintDescriptionadministrationRoleArnregiste
                      Source: Jaws.exeString found in binary or memory: bootstrap type already present: attrObservabilityConfigurationArnAttrObservabilityConfigurationArntoo large block number: bitlen %dbytes.Buffer.Grow: negative countaws-cdk-lib.aws_ecr.CfnRepositoryaws-cdk-lib.aws_ecr.LifecycleRuleaws-cdk-lib.aws_ecr.TagMutabilityrelease of handle with refcount 0crypto/aes: output not full blockbytes.Reader.Seek: invalid whencetoo many levels of symbolic linksInitializeProcThreadAttributeListImage base beyond allowed addressThunk AddressOfData beyond limitsCentral Kurdish Iraq (ku-Arab-IQ)Norwegian (Bokmal) Norway (nb-NO)could not find signer certificateinvalid VS_VERSION_INFO block. %ssync: RUnlock of unlocked RWMutexslice bounds out of range [%x:%y]runtime: memory allocated by OS [misrounded allocation in sysAllocconcurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert short slice passed to readGCStatsruntime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativetoo many concurrent timer firingsruntime: name offset out of rangeruntime: type offset out of rangeapplication/x-www-form-urlencodedhttp: multiple registrations for reflect: slice index out of rangereflect: NumOut of non-func type of method on nil interface valuereflect: Field index out of rangereflect: array index out of rangereflect.Value.Equal: invalid Kind to pointer to array with length 
142108547152020037174224853515625710542735760100185871124267578125aws-cdk-lib.CfnHookDefaultVersionaws-cdk-lib.CfnModuleVersionPropsaws-cdk-lib.CfnTrafficRoutingTypeaws-cdk-lib.CfnWaitConditionPropsaws-cdk-lib.GetContextValueResultaws-cdk-lib.IFragmentConcatenatoraws-cdk-lib.IStableNumberProduceraws-cdk-lib.IStableStringProduceraws-cdk-lib.SizeConversionOptionsaws-cdk-lib.StageSynthesisOptionsaws-cdk-lib.TimeConversionOptionsrlp: non-canonical integer formatcan't Reset derived EncoderBufferaws-cdk-lib.aws_events.CfnArchiveaws-cdk-lib.aws_events.Connectionaws-cdk-lib.aws_events.EventFieldaws-cdk-lib.aws_events.HttpMethodattrPermissionsBoundaryUsageCountaws-cdk-lib.aws_iam.CfnRolePolicyaws-cdk-lib.aws_iam.CfnUserPolicyaws-cdk-lib.aws_iam.ManagedPolicyaws-cdk-lib.aws_iam.PrincipalBaseaws-cdk-lib.aws_iam.SamlPrincipalaws-cdk-lib.aws_iam.StarPrincipalaws-cdk-lib.aws_iam.CfnGroupPropsAttrPermissionsBoundaryUsageCountaws-cdk-lib.aws_iam.ISamlProvideraws-cdk-lib.aws_iam.LazyRolePropsaws-cdk-lib.aws_kms.CfnReplicaKeyaws-cdk-lib.aws_kms.CfnAliasPropsFloat.GobDecode: buffer too smallCryptAcquireCertificatePrivateKeyGetVolumeNameForVolumeMountPointWSetupDiGetDeviceRegistryPropert
                      Source: Jaws.exeString found in binary or memory: pebble/table: %d: unknown merger %spebble: invalid call to virtualLast%d extra bits on block, should be 0can only encode up to 64K sequenceszero matchoff and matchlen (%d) > 0proto: internal error: bad wiretypeduration: %#v: seconds out of rangebad type for XXX_extensions field: protobuf tag field not an integer: cockroach.errorspb.EncodedErrorLeaftruncated input (or invalid offset)file %q has a name conflict over %vfound wrong type: got %v, want enumvarint,62022,opt,name=enum_stringervarint,63017,opt,name=marshaler_allgogoproto.goproto_enum_stringer_allvarint,64004,opt,name=verbose_equaldelimiters may only be "{}" or "<>"string field contains invalid UTF-8%v already implements proto.Messagegoogle.protobuf.FieldOptions_JSTypegoogle.protobuf.FileDescriptorProtogoogle.protobuf.EnumDescriptorProtogoogle.protobuf.UninterpretedOption&descriptor.ServiceDescriptorProto{\A[_\pL][_\pL\p{Nd}]*(\.\.\.|\?)?\zTime.UnmarshalBinary: invalid lengthattrAutoScalingConfigurationRevisionaws-cdk-lib.aws_apprunner.CfnServiceAttrAutoScalingConfigurationRevisionlocale not found when calling %s: %vcrypto/cipher: input not full blocksbytes: Repeat output length overflowbytes.Reader.ReadAt: negative offsetbytes.Reader.Seek: negative positionaccessing a corrupted shared libraryfailure to read data directories: %vfail to read section relocations: %vfail to read string table length: %vstrings.Builder.Grow: negative countstrings: Join output length overflowThunk Address Of Data too spread outPower PC with floating point supportCherokee United States (chr-Cher-US)Chinese (Traditional) Taiwan (zh-TW)English United Arab Emirates (en-AE)lfstack node allocated from the heap) is larger than maximum page size (key size not a multiple of key alignruntime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: 
marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnable
                      Source: Jaws.exeString found in binary or memory: Memory allocated from the heap that is reserved for stack space, whether or not it is currently in-use. Currently, this represents all stack memory for goroutines. It also includes all OS thread stacks in non-cgo programs. Note that stacks may be allocated differently in the future, and this may change.Distribution of individual non-GC-related stop-the-world pause latencies. This is the time from deciding to stop the world until the world is started again. Some of this time is spent getting all threads to stop (measured directly in /sched/pauses/stopping/other:seconds). Bucket counts increase monotonically.Distribution of individual GC-related stop-the-world stopping latencies. This is the time it takes from deciding to stop the world until all Ps are stopped. This is a subset of the total GC-related stop-the-world time (/sched/pauses/total/gc:seconds). During this time, some threads may be executing. Bucket counts increase monotonically.You have encountered an unexpected error.
                      Source: Jaws.exeString found in binary or memory: Distribution of individual non-GC-related stop-the-world stopping latencies. This is the time it takes from deciding to stop the world until all Ps are stopped. This is a subset of the total non-GC-related stop-the-world time (/sched/pauses/total/other:seconds). During this time, some threads may be executing. Bucket counts increase monotonically.GC cycle the last time the GC CPU limiter was enabled. This metric is useful for diagnosing the root cause of an out-of-memory error, because the limiter trades memory for CPU time when the GC's CPU time gets too high. This is most likely to occur with use of SetMemoryLimit. The first GC cycle is cycle 1, so a value of 0 indicates that it was never enabled.Distribution of individual GC-related stop-the-world pause latencies. This is the time from deciding to stop the world until the world is started again. Some of this time is spent getting all threads to stop (this is measured directly in /sched/pauses/stopping/gc:seconds), during which some threads may still be running. Bucket counts increase monotonically.Estimated total CPU time spent performing GC tasks on spare CPU resources that the Go scheduler could not otherwise find a use for. This should be subtracted from the total GC CPU time to obtain a measure of compulsory GC CPU time. This metric is an overestimate, and not directly comparable to system CPU time measurements. Compare only with other /cpu/classes metrics.Estimated total available CPU time for user Go code or the Go runtime, as defined by GOMAXPROCS. In other words, GOMAXPROCS integrated over the wall-clock duration this process has been executing for. This metric is an overestimate, and not directly comparable to system CPU time measurements. Compare only with other /cpu/classes metrics. Sum of all metrics in /cpu/classes.Stack memory allocated by the underlying operating system. In non-cgo programs this metric is currently zero. 
This may change in the future.In cgo programs this metric includes OS thread stacks allocated directly from the OS. Currently, this only accounts for one stack in c-shared and c-archive build modes, and other sources of stacks from the OS are not measured. This too may change in the future.Estimated total CPU time spent with the application paused by the GC. Even if only one thread is running during the pause, this is computed as GOMAXPROCS times the pause latency because nothing else can be executing. This is the exact sum of samples in /sched/pauses/total/gc:seconds if each sample is multiplied by GOMAXPROCS at the time it is taken. This metric is an overestimate, and not directly comparable to system CPU time measurements. Compare only with other /cpu/classes metrics.----AdlmAfakAghbAhomArabAranArmiArmnAvstBaliBamuBassBatkBengBhksBlisBopoBrahBraiBugiBuhdCakmCansCariChamCherChrsCirtCoptCpmnCprtCyrlCyrsDevaDiakDogrDsrtDuplEgydEgyhEgypElbaElymEthiGeokGeorGlagGongGonmGothGranGrekGujrGuruHanbHangHaniHanoHansHantHatrHebrHiraHluwHmngHmnpHrktHungIndsItalJamoJavaJpanJ
                      Source: Jaws.exe - String found in binary or memory: depgithub.com/hashicorp/hc-installv0.9.0h1:2dIk8LcvANwtv3QZLckxcjyF5w8KVtiMxu6G6eLhghE=
                      Source: Jaws.exe - String found in binary or memory: depgithub.com/mmcloughlin/addchainv0.4.0h1:SobOdjm2xLj1KkXN5/n0xTIWyZA2+s99UCY1iPfkHRY=
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/internal/bigint.Equal
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/internal/bigint.EqualInt64
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/internal/bigint.Pow2
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/internal/bigint.One
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/internal/bigint.Mask
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/internal/bigint.Ones
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/internal/bigints.Contains
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/internal/bigints.Index
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain.Chain.Clone
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/internal/bigints.Clone
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain.(*Chain).AppendClone
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/internal/bigint.Clone
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain.Chain.End
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain.Chain.Ops
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain.Chain.Op
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain.Chain.Program
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/internal/bigint.Zero
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain.Chain.Validate
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain.Chain.Produces
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain.Chain.Superset
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain.Chain.IsAscending
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain.Op.IsDouble
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain.Op.Operands
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain.Op.Uses
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain.(*Program).Shift
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain.(*Program).Double
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain.(*Program).Add
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain.Program.boundscheck
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain.Program.Doubles
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain.Program.Count
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain.Program.Adds
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain.Program.Evaluate
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain.New
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain.Program.ReadCounts
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain.Program.Dependencies
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain.(*Chain).Clone
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain.(*Chain).End
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain.(*Chain).IsAscending
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain.(*Chain).Op
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain.(*Chain).Ops
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain.(*Chain).Produces
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain.(*Chain).Program
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain.(*Chain).Superset
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain.(*Chain).Validate
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain.(*Op).IsDouble
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain.(*Op).Operands
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain.(*Op).Uses
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain.(*Program).Adds
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain.(*Program).Count
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain.(*Program).Dependencies
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain.(*Program).Doubles
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain.(*Program).Evaluate
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain.(*Program).ReadCounts
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Program).AddInstruction
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.Program.Output
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.Program.Clone
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.Instruction.Clone
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.Operand.Clone
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.Program.String
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.Operand.String
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.Instruction.Operands
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.Instruction.String
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.Add.Inputs
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.Add.Clone
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.Add.String
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.Double.Inputs
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.Double.Clone
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.Double.String
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.Shift.Inputs
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.Shift.Clone
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.Shift.String
                      Source: Jaws.exe - String found in binary or memory: type:.eq.github.com/mmcloughlin/addchain/acc/ir.Operand
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Operand).Clone
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Operand).String
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Instruction).Clone
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Instruction).Operands
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Instruction).String
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Program).Clone
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Program).Output
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Program).String
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Add).Clone
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Add).Inputs
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Add).String
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Double).Clone
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Double).Inputs
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Double).String
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Shift).Clone
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Shift).Inputs
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Shift).String
                      Source: Jaws.exe - String found in binary or memory: type:.eq.github.com/mmcloughlin/addchain/acc/ir.Instruction
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/internal/errutil.AssertionFailure
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/internal/print.(*Printer).Linef
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/internal/print.(*Printer).NL
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/internal/print.(*Printer).Printf
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/internal/print.(*Printer).SetError
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/internal/print.NewTabWriter
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/internal/print.New
                      Source: Jaws.exe - String found in binary or memory: type:.eq.github.com/mmcloughlin/addchain/internal/print.Printer
                      Source: Jaws.exe - String found in binary or memory: type:.eq.github.com/mmcloughlin/addchain/internal/print.TabWriter
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/acc/ast.Identifier.Precedence
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/acc/ast.(*Identifier).Precedence
                      Source: Jaws.exe - String found in binary or memory: type:.eq.github.com/mmcloughlin/addchain/acc/ast.Statement
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/acc/pass.init
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/acc/pass.NameBinaryValues
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/acc/pass.NameOperands
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/acc/pass.NameBinaryRuns
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/acc/pass.init.NameBinaryRuns.NameOperands.func4
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/acc/pass.init.NameBinaryRuns.func2
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/acc/pass.init.NameBinaryValues.NameOperands.func3
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/acc/pass.init.NameBinaryValues.func1
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/acc/pass.Compile
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/internal/errutil.UnexpectedType
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/acc/pass.Eval
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/acc/pass.Func.Execute
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/acc/pass.Exec
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/acc/pass.Concat
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/acc/pass.Exec.Concat.func1
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/acc/pass.CanonicalizeOperands
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/acc/pass.(*Func).Execute
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/internal/bigvector.init
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/meta.init
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/meta.(*Properties).CheckCitable
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/meta.(*Properties).IsRelease
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/meta.(*Properties).WriteCitation
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/meta.(*Properties).ReleaseTime
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/meta.(*Properties).Title
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/meta.(*Properties).WriteCitation.func2
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/meta.(*Properties).WriteCitation.func1
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/meta.(*Properties).RepositoryURL
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/meta.(*Properties).Module
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/meta.(*Properties).DOIURL
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/meta.doiurl
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/internal/print.(*TabWriter).Flush
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/internal/print.(*Printer).Error
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/meta.(*Properties).Citation
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/meta.(*Properties).ReleaseTag
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/meta.(*Properties).ReleaseURL
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain/meta.(*Properties).ConceptDOIURL
                      Source: Jaws.exe - String found in binary or memory: type:.eq.github.com/mmcloughlin/addchain/meta.Properties
                      Source: Jaws.exe - String found in binary or memory: net/addrselect.go
                      Source: Jaws.exe - String found in binary or memory: github.com/aws/jsii-runtime-go@v1.103.1/internal/kernel/load.go
                      Source: Jaws.exe - String found in binary or memory: github.com/decred/dcrd/dcrec/secp256k1/v4@v4.0.1/loadprecomputed.go
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain@v0.4.0/internal/bigint/bigint.go
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain@v0.4.0/internal/bigints/bigints.go
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain@v0.4.0/chain.go
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain@v0.4.0/program.go
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain@v0.4.0/acc/ir/ir.go
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain@v0.4.0/internal/errutil/errutil.go
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain@v0.4.0/internal/print/printer.go
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain@v0.4.0/acc/ast/ast.go
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain@v0.4.0/acc/pass/naming.go
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain@v0.4.0/acc/pass/eval.go
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain@v0.4.0/acc/pass/pass.go
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain@v0.4.0/internal/bigvector/bigvector.go
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain@v0.4.0/meta/meta.go
                      Source: Jaws.exe - String found in binary or memory: github.com/mmcloughlin/addchain@v0.4.0/meta/cite.go
                      Source: Jaws.exe - String found in binary or memory: github.com/saferwall/pe@v1.5.4/loadconfig.go
                      Source: C:\Users\user\Desktop\Jaws.exe - File read: C:\Users\user\Desktop\Jaws.exe
                      Source: unknown - Process created: C:\Users\user\Desktop\Jaws.exe "C:\Users\user\Desktop\Jaws.exe"
                      Source: C:\Users\user\Desktop\Jaws.exe - Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
                      Source: C:\Users\user\Desktop\Jaws.exe - Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
                      Source: C:\Users\user\Desktop\Jaws.exe - Section loaded: powrprof.dll
                      Source: C:\Users\user\Desktop\Jaws.exe - Section loaded: umpdc.dll
                      Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe - Section loaded: sspicli.dll
                      Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe - Section loaded: wininet.dll
                      Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe - Section loaded: rstrtmgr.dll
                      Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe - Section loaded: ncrypt.dll
                      Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe - Section loaded: ntasn1.dll
                      Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe - Section loaded: iertutil.dll
                      Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe - Section loaded: windows.storage.dll
                      Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe - Section loaded: wldp.dll
                      Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe - Section loaded: profapi.dll
                      Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe - Section loaded: kernel.appcore.dll
                      Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe - Section loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe - Section loaded: winhttp.dll
                      Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe - Section loaded: mswsock.dll
                      Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe - Section loaded: iphlpapi.dll
                      Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe - Section loaded: winnsi.dll
                      Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe - Section loaded: urlmon.dll
                      Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe - Section loaded: srvcli.dll
                      Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe - Section loaded: netutils.dll
                      Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe - Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
                      Source: Jaws.exe - Static PE information: Virtual size of .text is bigger than: 0x100000
                      Source: Jaws.exe - Static file information: File size 24606720 > 1048576
                      Source: Jaws.exe - Static PE information: Raw size of .text is bigger than: 0x100000 < 0x97f200
                      Source: Jaws.exe - Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0xd08000
                      Source: Jaws.exe - Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                      Source: Binary string: BitLockerToGo.pdb source: Jaws.exe, 00000000.00000002.2306788327.00000000029FE000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: BitLockerToGo.pdbGCTL source: Jaws.exe, 00000000.00000002.2306788327.00000000029FE000.00000004.00001000.00020000.00000000.sdmp
                      Source: Jaws.exe - Static PE information: section name: .symtab
                      Source: C:\Users\user\Desktop\Jaws.exe - Code function: 0_3_02C88853 push esi; ret 0_3_02C88857
                      Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe - Code function: 1_2_029AB035 push ecx; ret 1_2_029AB048
                      Source: C:\Users\user\Desktop\Jaws.exe - Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe - Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe - Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe - Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe - Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe - Code function: 1_2_029A7ED0 GetSystemInfo, 1_2_029A7ED0
                      Source: BitLockerToGo.exe, 00000001.00000002.2523138286.0000000002D87000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: VMwareVMwaredl
                      Source: BitLockerToGo.exe, 00000001.00000002.2523138286.0000000002DE0000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Hyper-V RAW
                      Source: BitLockerToGo.exe, 00000001.00000002.2523138286.0000000002D87000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: VMwareVMware
                      Source: BitLockerToGo.exe, 00000001.00000002.2523138286.0000000002DB3000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Hyper-V RAWh
                      Source: Jaws.exe, 00000000.00000002.2302285658.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe - Process information queried: ProcessInformation
                      Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe - Process queried: DebugPort
                      Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe - Code function: 1_2_029945C0 VirtualProtect ?,00000004,00000100,00000000 1_2_029945C0
                      Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe - Code function: 1_2_029A9750 mov eax, dword ptr fs:[00000030h] 1_2_029A9750
                      Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe - Memory protected: page guard

                      HIPS / PFW / Operating System Protection Evasion

                      Source: Yara match - File source: Process Memory Space: Jaws.exe PID: 5376, type: MEMORYSTR
                      Source: Yara match - File source: Process Memory Space: BitLockerToGo.exe PID: 4340, type: MEMORYSTR
                      Source: C:\Users\user\Desktop\Jaws.exe - Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2990000 protect: page execute and read and write
                      Source: C:\Users\user\Desktop\Jaws.exe - Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2990000 value starts with: 4D5A
                      Source: C:\Users\user\Desktop\Jaws.exe - Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 67E008
                      Source: C:\Users\user\Desktop\Jaws.exe - Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2990000
                      Source: C:\Users\user\Desktop\Jaws.exe - Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2991000
                      Source: C:\Users\user\Desktop\Jaws.exe - Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 29AE000
                      Source: C:\Users\user\Desktop\Jaws.exe - Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 29BB000
                      Source: C:\Users\user\Desktop\Jaws.exe - Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2BEC000
                      Source: C:\Users\user\Desktop\Jaws.exe - Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
                      Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe - Code function: GetLocaleInfoA, 1_2_029A7B90
                      Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe - Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                      Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe - Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                      Source: C:\Users\user\Desktop\Jaws.exe - Queries volume information: C:\Users\user\Desktop\Jaws.exe VolumeInformation
                      Source: C:\Users\user\Desktop\Jaws.exe - Queries volume information: C:\Windows VolumeInformation
                      Source: C:\Users\user\Desktop\Jaws.exe - Queries volume information: C:\Windows\AppReadiness VolumeInformation
                      Source: C:\Users\user\Desktop\Jaws.exe - Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents VolumeInformation
                      Source: C:\Users\user\Desktop\Jaws.exe - Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
                      Source: C:\Users\user\Desktop\Jaws.exe - Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
                      Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe - Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe - Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe - Code function: 1_2_029A7850 GetUserNameA, 1_2_029A7850
                      Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe - Code function: 1_2_029A7A30 GetTimeZoneInformation, 1_2_029A7A30

                      Stealing of Sensitive Information

Source: Yara match | File source: 1.2.BitLockerToGo.exe.2990000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Jaws.exe.2be2000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Jaws.exe.2a3a000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Jaws.exe.2a3a000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Jaws.exe.2be2000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.BitLockerToGo.exe.2990000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.2522681012.0000000002990000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2523138286.0000000002D87000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2306788327.0000000002A8E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2306788327.0000000002A3A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2522728061.00000000029F2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2306788327.0000000002BE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2522728061.0000000002A2A000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: BitLockerToGo.exe PID: 4340, type: MEMORYSTR

                      Remote Access Functionality

Source: Yara match | File source: 1.2.BitLockerToGo.exe.2990000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Jaws.exe.2be2000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Jaws.exe.2a3a000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Jaws.exe.2a3a000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Jaws.exe.2be2000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.BitLockerToGo.exe.2990000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.2522681012.0000000002990000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2523138286.0000000002D87000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2306788327.0000000002A8E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2306788327.0000000002A3A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2522728061.00000000029F2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2306788327.0000000002BE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2522728061.0000000002A2A000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: BitLockerToGo.exe PID: 4340, type: MEMORYSTR
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Command and Scripting Interpreter (2) | DLL Side-Loading (1) | Process Injection (311) | Virtualization/Sandbox Evasion (1) | OS Credential Dumping | System Time Discovery (1) | Remote Services | Data from Local System | Ingress Tool Transfer (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Disable or Modify Tools (11) | LSASS Memory | Security Software Discovery (11) | Remote Desktop Protocol | Data from Removable Media | Non-Application Layer Protocol (1) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Process Injection (311) | Security Account Manager | Virtualization/Sandbox Evasion (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Application Layer Protocol (11) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Obfuscated Files or Information (1) | NTDS | Process Discovery (2) | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | DLL Side-Loading (1) | LSA Secrets | Account Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | System Owner/User Discovery (1) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | System Information Discovery (32) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Source | Detection | Scanner | Label
Jaws.exe | 55% | ReversingLabs | Win32.Spyware.Stealc
                      No Antivirus matches
                      No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://45.66.248.237/9e6547173a597645.php | true | | unknown
http://45.66.248.237/ | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://doi.org/GTB | Jaws.exe | false | | unknown
http://45.66.248.237 | BitLockerToGo.exe, 00000001.00000002.2523138286.0000000002D87000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
https://GOMIPS64rva20u64rva22u64.satconv.signext00000000proto: | Jaws.exe | false | | unknown
https://github.com/aws/jsii.git | Jaws.exe, program.js.0.dr | false | | unknown
https://github.com/aws/jsii | Jaws.exe, program.js.0.dr | false | | unknown
http://json-schema.org/draft-07/schema# | program.js.0.dr | false | | unknown
https://aws.amazon.com | Jaws.exe, program.js.0.dr | false | | unknown
http://json-schema.org/schema | Jaws.exe, program.js.0.dr | false | | unknown
http://45.66.248.237/; | BitLockerToGo.exe, 00000001.00000002.2523138286.0000000002DD5000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://github.com/aws/jsii/issues | Jaws.exe, program.js.0.dr | false | | unknown
https://github.com/jprichardson/node-fs-extra/issues/269 | program.js.0.dr | false | | unknown
https://raw.githubusercontent.com/ajv-validator/ajv/master/lib/refs/data.json# | program.js.0.dr | false | | unknown
http://json-schema.org/draft-07/schema | Jaws.exe, program.js.0.dr | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
45.66.248.237 | unknown | Russian Federation | 53356 | FREERANGECLOUDCA | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1534241
Start date and time: 2024-10-15 18:14:07 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 10s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Jaws.exe
Detection: MAL
Classification: mal92.troj.evad.winEXE@3/4@0/1
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 25
• Number of non-executed functions: 2
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): WMIADAP.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target Jaws.exe, PID 5376 because there are no executed functions
• VT rate limit hit for: Jaws.exe
                                                    No simulations
                                                    No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
FREERANGECLOUDCA | Setup-Pro.exe | malicious | Stealc, Vidar | 45.66.249.162
FREERANGECLOUDCA | forest.exe | malicious | Unknown | 45.66.249.249
FREERANGECLOUDCA | forest.exe | malicious | Unknown | 45.66.249.249
FREERANGECLOUDCA | arm.elf | malicious | Mirai, Moobot | 23.129.35.4
FREERANGECLOUDCA | SecuriteInfo.com.Trojan.PWS.Siggen3.33653.31886.3628.exe | malicious | Raccoon Stealer v2 | 193.142.147.59
FREERANGECLOUDCA | SecuriteInfo.com.Trojan.PackedNET.2334.3801.19434.exe | malicious | PureLog Stealer, Raccoon Stealer v2, SmokeLoader | 193.142.147.59
FREERANGECLOUDCA | Setup.exe | malicious | AsyncRAT, HTMLPhisher, Clipboard Hijacker, Phorpiex, PureLog Stealer, Raccoon Stealer v2, RedLine | 193.142.147.59
FREERANGECLOUDCA | http://www.brookskushman.com | malicious | Unknown | 45.66.248.122
FREERANGECLOUDCA | http://www.prestigetransportation.com | malicious | Unknown | 45.66.248.122
FREERANGECLOUDCA | https://dutchpopp.com | malicious | Unknown | 45.66.248.122
Process: C:\Users\user\Desktop\Jaws.exe
File Type: C++ source, ASCII text, with very long lines (324), with escape sequences
Category: dropped
Size (bytes): 138639
Entropy (8bit): 4.286369825068587
Encrypted: false
SSDEEP: 1536:ZMjsdRCCXpnzopj7/5dLopnQPporDa6meL4xmJ:fenLo9QP+lmeL4IJ
MD5: A7C8367F8B900617374F5D3FAC86DFD7
SHA1: 6BDEAB34FA632083B2578708EB0C50443ED5E9A9
SHA-256: E4F82DB7579D84B2DDB49B16A8CBD8256D86751473D1A86B4B31D1E3963BA0FA
SHA-512: 2C2E9D5445F4BDFBCA7F35881E9D133373145B40D26ECB9B122E60DD343B580FA3BC70C8B981B4AE7E3D9B8C4EA90C6A77F7328A60CBE0F2515EE364AD0CB0A3
Malicious: false
Reputation: moderate, very likely benign file
                                                    Preview:var __webpack_modules__ = {. 821: (module, __unused_webpack_exports, __webpack_require__) => {. "use strict";. module = __webpack_require__.nmd(module);. const wrapAnsi16 = (fn, offset) => (...args) => {. const code = fn(...args);. return `.[${code + offset}m`;. };. const wrapAnsi256 = (fn, offset) => (...args) => {. const code = fn(...args);. return `.[${38 + offset};5;${code}m`;. };. const wrapAnsi16m = (fn, offset) => (...args) => {. const rgb = fn(...args);. return `.[${38 + offset};2;${rgb[0]};${rgb[1]};${rgb[2]}m`;. };. const ansi2ansi = n => n;. const rgb2rgb = (r, g, b) => [ r, g, b ];. const setLazyProperty = (object, property, get) => {. Object.defineProperty(object, property, {. get: () => {. const value = get();. Object.defineProperty(object, property, {.
Process: C:\Users\user\Desktop\Jaws.exe
File Type: JSON data
Category: dropped
Size (bytes): 218125
Entropy (8bit): 5.457704584855637
Encrypted: false
SSDEEP: 3072:zKHyW445CPl85X3GJXlAnFhvMvOqGPUqdShdY5S8DoDT1JyBwJbMaky9nwe+L/Iq:LWY4KTvqd8dYQ8uJcwSy9nQ
MD5: 0FEFBA04D8BBEDD2CFF7EB75C3834847
SHA1: 054D11200D77C1B5DFB3B98A33973623619D34BE
SHA-256: DBBDB23093B0732EE1504F79D3835B1C6B2E3F526AB42A6DA381E6CEC2648AE5
SHA-512: 3CEAA01275E2DEC044BA5F8D41092EB4F28E62CDAD24A71C8F7F57E4C48B709568C8C376BF2B048DC989810FB8EB91F2D944379804D5D85480A26663FC3F90FE
Malicious: false
Reputation: moderate, very likely benign file
                                                    Preview:{"version":3,"file":"bin/jsii-runtime.js","mappings":";;;;QAEA,MAAMA,aAAa,CAACC,IAAIC,WAAW,IAAIC;YACtC,MAAMC,OAAOH,MAAME;YACnB,OAAO,KAAUC,OAAOF;AAAS;QAGlC,MAAMG,cAAc,CAACJ,IAAIC,WAAW,IAAIC;YACvC,MAAMC,OAAOH,MAAME;YACnB,OAAO,KAAU,KAAKD,YAAYE;AAAO;QAG1C,MAAME,cAAc,CAACL,IAAIC,WAAW,IAAIC;YACvC,MAAMI,MAAMN,MAAME;YAClB,OAAO,KAAU,KAAKD,YAAYK,IAAI,MAAMA,IAAI,MAAMA,IAAI;AAAK;QAGhE,MAAMC,YAAYC,KAAKA;QACvB,MAAMC,UAAU,CAACC,GAAGC,GAAGC,MAAM,EAACF,GAAGC,GAAGC;QAEpC,MAAMC,kBAAkB,CAACC,QAAQC,UAAUC;YAC1CC,OAAOC,eAAeJ,QAAQC,UAAU;gBACvCC,KAAK;oBACJ,MAAMG,QAAQH;oBAEdC,OAAOC,eAAeJ,QAAQC,UAAU;wBACvCI;wBACAC,YAAY;wBACZC,cAAc;;oBAGf,OAAOF;AAAK;gBAEbC,YAAY;gBACZC,cAAc;;AACb;QAIH,IAAIC;QACJ,MAAMC,oBAAoB,CAACC,MAAMC,aAAaC,UAAUC;YACvD,IAAIL,iBAAiBM,WAAW;gBAC/BN,eAAe,oBAAQ;AACxB;YAEA,MAAMrB,SAAS0B,eAAe,KAAK;YACnC,MAAME,SAAS,CAAC;YAEhB,KAAK,OAAOC,aAAaC,UAAUd,OAAOe,QAAQV,eAAe;gBAChE,MAAMW,OAAOH,gBAAgB,WAAW,SAASA;gBACjD,IAAIA,gBAAgBL,aAAa;oBAChCI,OAAOI,QAAQT,KAAKE,UAAUzB;AAC/B,uBAAO,WAAW8B,UAAU,UAAU;oBACrCF,OAAOI,Q
Process: C:\Users\user\Desktop\Jaws.exe
File Type: ASCII text, with very long lines (489)
Category: dropped
Size (bytes): 802466
Entropy (8bit): 4.298722687837962
Encrypted: false
SSDEEP: 6144:Z6TjefxOXTNwk8mCkCbCp4wrZaWvZEIhU4FFEY+cbCtNYbIgoxrV2z1J:Z6TjefxOXTNUkCbCp42aW4NwL
MD5: 4C6E1287B2F6060C1E0F386B0B47959A
SHA1: 0FA0C721B6848D78C73FCF74BB37891A17FF0999
SHA-256: C8DB5A41C7EC02EB2F1F20A6CD544DB215246AD9D566EA9494D63521B9B1E271
SHA-512: 0FF6A037A413BE93DCB3C1B4C26CB9938025F34D9AA20818FBDED5B4B00BC89DCBA9EB58756BAFBA852CA972C058BDDB087E9CB58C9B442AC936C93590E14C13
Malicious: false
Reputation: low
                                                    Preview:var __webpack_modules__ = {. 1165: (module, __unused_webpack_exports, __webpack_require__) => {. "use strict";. const fs = __webpack_require__(9896);. const path = __webpack_require__(6928);. const LCHOWN = fs.lchown ? "lchown" : "chown";. const LCHOWNSYNC = fs.lchownSync ? "lchownSync" : "chownSync";. const needEISDIRHandled = fs.lchown && !process.version.match(/v1[1-9]+\./) && !process.version.match(/v10\.[6-9]/);. const lchownSync = (path, uid, gid) => {. try {. return fs[LCHOWNSYNC](path, uid, gid);. } catch (er) {. if (er.code !== "ENOENT") throw er;. }. };. const chownSync = (path, uid, gid) => {. try {. return fs.chownSync(path, uid, gid);. } catch (er) {. if (er.code !== "ENOENT") throw er;. }. };. const handleEISDIR = needEISDIRHandled ? (path, uid, gid, cb) => er => {.
Process: C:\Users\user\Desktop\Jaws.exe
File Type: ASCII text, with very long lines (65536), with no line terminators
Category: dropped
Size (bytes): 1155588
Entropy (8bit): 5.4159552687244155
Encrypted: false
SSDEEP: 12288:D2DUMiOfGYFO/1pf0ThVUhI2PoEMuCfzT/2ZoEC74RiCfulDlJ:MZFO/1pf9hI2EjT/2ZoEC74RiCfulDlJ
MD5: BE06DF1EE810220598CAE6D42AE2FD77
SHA1: 5DD0B0F101FDE69B49E37947380431D75D26125C
SHA-256: 09E18C6FA27068005DA8BCBB802C70B1C182866274478C684A4AB652ACAF2BBD
SHA-512: BF40F52E37DFDBEE4AC4F562A28520893D3C8C13FDDB7A94E94458B1E8591162EADF3A4BE401A2FF6C2CE2449721F3F036C2B41571BB3C491E7F648595BAA8FA
Malicious: false
Reputation: low
                                                    Preview:{"version":3,"file":"lib/program.js","mappings":";;;QACA,MAAMA,KAAK,oBAAQ;QACnB,MAAMC,OAAO,oBAAQ;QAGrB,MAAMC,SAASF,GAAGG,SAAS,WAAW;QAEtC,MAAMC,aAAaJ,GAAGK,aAAa,eAAe;QAGlD,MAAMC,oBAAoBN,GAAGG,WAC1BI,QAAQC,QAAQC,MAAM,kBACtBF,QAAQC,QAAQC,MAAM;QAEzB,MAAMJ,aAAa,CAACJ,MAAMS,KAAKC;YAC7B;gBACE,OAAOX,GAAGI,YAAYH,MAAMS,KAAKC;AACnC,cAAE,OAAOC;gBACP,IAAIA,GAAGC,SAAS,UACd,MAAMD;AACV;AAAA;QAIF,MAAME,YAAY,CAACb,MAAMS,KAAKC;YAC5B;gBACE,OAAOX,GAAGc,UAAUb,MAAMS,KAAKC;AACjC,cAAE,OAAOC;gBACP,IAAIA,GAAGC,SAAS,UACd,MAAMD;AACV;AAAA;QAIF,MAAMG,eACJT,oBAAoB,CAACL,MAAMS,KAAKC,KAAKK,OAAOJ;YAI1C,KAAKA,MAAMA,GAAGC,SAAS,UACrBG,GAAGJ,UAEHZ,GAAGiB,MAAMhB,MAAMS,KAAKC,KAAKK;AAAE,YAE7B,CAACE,GAAGC,IAAIC,KAAKJ,OAAOA;QAGxB,MAAMK,mBACJf,oBAAoB,CAACL,MAAMS,KAAKC;YAC9B;gBACE,OAAON,WAAWJ,MAAMS,KAAKC;AAC/B,cAAE,OAAOC;gBACP,IAAIA,GAAGC,SAAS,UACd,MAAMD;gBACRE,UAAUb,MAAMS,KAAKC;AACvB;AAAA,YAEA,CAACV,MAAMS,KAAKC,QAAQN,WAAWJ,MAAMS,KAAKC;QAG9C,MAAMW,cAAcf,QAAQC;QAC5B,IAAIe,UAAU,CAACtB,MAAMuB,SAASR,OAAOhB,GAAGuB,QAAQtB,MAAMuB,SAASR;Q
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.572472506368371
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: Jaws.exe
File size: 24'606'720 bytes
MD5: 82a93f4476efbfee119eb6cec32b0e8d
SHA1: 447aa1e180bd5d26388bbdb699ecae2477d24162
SHA256: 2d42e49addb09860700c9862f7416ee6da56a06d5a8580bede68ae7dac28993a
SHA512: 8e187e5a981a8ff1d973639d3c490458aec01d6d834f1294afa2e0dc3ab1090585343b8b197ae01bde6bd2d4b28517c0f1702660190997f79bc95c1779919f77
SSDEEP: 196608:myzc9QJc6oymFtxRGb+0KCDYIf8Cn3UAoIfM:XcrM8HGbgCD0Cn3sIfM
TLSH: CE473940FA8B95F1DA034931509F622F23345D059B28DACBFB4DBA19FB37A964D37209
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........Vw...................................h...@..........................P{.......w...@................................
Icon Hash: 2d2e3797b32b2b99
Entrypoint: 0x47bdf0
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 1
File Version Major: 6
File Version Minor: 1
Subsystem Version Major: 6
Subsystem Version Minor: 1
Import Hash: 1aae8bf580c846f39c71c05898e57e88
                                                    Instruction
                                                    jmp 00007F1F2C7C2470h
                                                    int3
                                                    int3
                                                    int3
                                                    int3
                                                    int3
                                                    int3
                                                    int3
                                                    int3
                                                    int3
                                                    int3
                                                    int3
                                                    sub esp, 28h
                                                    mov dword ptr [esp+1Ch], ebx
                                                    mov dword ptr [esp+10h], ebp
                                                    mov dword ptr [esp+14h], esi
                                                    mov dword ptr [esp+18h], edi
                                                    mov dword ptr [esp], eax
                                                    mov dword ptr [esp+04h], ecx
                                                    call 00007F1F2C79CD66h
                                                    mov eax, dword ptr [esp+08h]
                                                    mov edi, dword ptr [esp+18h]
                                                    mov esi, dword ptr [esp+14h]
                                                    mov ebp, dword ptr [esp+10h]
                                                    mov ebx, dword ptr [esp+1Ch]
                                                    add esp, 28h
                                                    retn 0004h
                                                    ret
                                                    int3
                                                    int3
                                                    int3
                                                    int3
                                                    int3
                                                    int3
                                                    sub esp, 08h
                                                    mov ecx, dword ptr [esp+0Ch]
                                                    mov edx, dword ptr [ecx]
                                                    mov eax, esp
                                                    mov dword ptr [edx+04h], eax
                                                    sub eax, 00010000h
                                                    mov dword ptr [edx], eax
                                                    add eax, 00000BA0h
                                                    mov dword ptr [edx+08h], eax
                                                    mov dword ptr [edx+0Ch], eax
                                                    lea edi, dword ptr [ecx+34h]
                                                    mov dword ptr [edx+18h], ecx
                                                    mov dword ptr [edi], edx
                                                    mov dword ptr [esp+04h], edi
                                                    call 00007F1F2C7C4904h
                                                    cld
                                                    call 00007F1F2C7C395Eh
                                                    call 00007F1F2C7C2599h
                                                    add esp, 08h
                                                    ret
                                                    jmp 00007F1F2C7C47B0h
                                                    int3
                                                    int3
                                                    int3
                                                    int3
                                                    int3
                                                    int3
                                                    int3
                                                    int3
                                                    int3
                                                    int3
                                                    int3
                                                    mov ebx, dword ptr [esp+04h]
                                                    mov ebp, esp
                                                    mov dword ptr fs:[00000034h], 00000000h
                                                    mov ecx, dword ptr [ebx+04h]
                                                    cmp ecx, 00000000h
                                                    je 00007F1F2C7C47B1h
                                                    mov eax, ecx
                                                    shl eax, 02h
                                                    sub esp, eax
                                                    mov edi, esp
                                                    mov esi, dword ptr [ebx+08h]
                                                    cld
                                                    rep movsd
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1730000 | 0x44c | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x17b3000 | 0x1f54 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1731000 | 0x80fdc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x168afa0 | 0xb4 | .data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x97f118 | 0x97f200 | af983ca16b74e0f5891d173e3b552689 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x981000 | 0xd07fb8 | 0xd08000 | 468d1d9347169c143d3e0dcfec33eeab | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x1689000 | 0xa6220 | 0x6ca00 | aa6ec7b11e1cc6b36addc73d3bf384b1 | False | 0.37792856372266975 | data | 5.645494557957102 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x1730000 | 0x44c | 0x600 | fe55a28e7d311f89fadf84e2eb906c74 | False | 0.3580729166666667 | OpenPGP Public Key | 3.8964879594940283 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x1731000 | 0x80fdc | 0x81000 | d6c291a0432736bff20409460438e8b5 | False | 0.5456959332606589 | data | 6.674834598762316 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab | 0x17b2000 | 0x4 | 0x200 | 07b5472d347d42780469fb2654b7fc54 | False | 0.02734375 | data | 0.020393135236084953 | IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0x17b3000 | 0x1f54 | 0x2000 | e428af0060efcf228a7fac6f50fe1622 | False | 0.3306884765625 | data | 4.667329787524857 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x17b31d4 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | United States | 0.5675675675675675
RT_ICON | 0x17b32fc | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | English | United States | 0.4486994219653179
RT_ICON | 0x17b3864 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | United States | 0.4637096774193548
RT_ICON | 0x17b3b4c | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | English | United States | 0.3935018050541516
RT_GROUP_ICON | 0x17b43f4 | 0x3e | data | English | United States | 0.8387096774193549
RT_VERSION | 0x17b4434 | 0x4f4 | data | English | United States | 0.26735015772870663
RT_MANIFEST | 0x17b4928 | 0x62c | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4240506329113924
DLL | Import
kernel32.dll | WriteFile, WriteConsoleW, WerSetFlags, WerGetFlags, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TlsAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, RaiseFailFastException, PostQueuedCompletionStatus, LoadLibraryW, LoadLibraryExW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetErrorMode, GetEnvironmentStringsW, GetCurrentThreadId, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateEventA, CloseHandle, AddVectoredExceptionHandler
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 15, 2024 18:16:01.812586069 CEST | 49760 | 80 | 192.168.2.4 | 45.66.248.237
Oct 15, 2024 18:16:01.817580938 CEST | 80 | 49760 | 45.66.248.237 | 192.168.2.4
Oct 15, 2024 18:16:01.817724943 CEST | 49760 | 80 | 192.168.2.4 | 45.66.248.237
Oct 15, 2024 18:16:01.817962885 CEST | 49760 | 80 | 192.168.2.4 | 45.66.248.237
Oct 15, 2024 18:16:01.822916985 CEST | 80 | 49760 | 45.66.248.237 | 192.168.2.4
Oct 15, 2024 18:16:10.345334053 CEST | 80 | 49760 | 45.66.248.237 | 192.168.2.4
Oct 15, 2024 18:16:10.345429897 CEST | 49760 | 80 | 192.168.2.4 | 45.66.248.237
Oct 15, 2024 18:16:10.345546007 CEST | 49760 | 80 | 192.168.2.4 | 45.66.248.237
Oct 15, 2024 18:16:10.350455999 CEST | 80 | 49760 | 45.66.248.237 | 192.168.2.4
                                                    • 45.66.248.237
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49760 | 45.66.248.237 | 80 | 4340 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Timestamp | Bytes transferred | Direction | Data
Oct 15, 2024 18:16:01.817962885 CEST | 88 | OUT | GET / HTTP/1.1
Host: 45.66.248.237
Connection: Keep-Alive
Cache-Control: no-cache
Target ID: 0
Start time: 12:15:40
Start date: 15/10/2024
Path: C:\Users\user\Desktop\Jaws.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Jaws.exe"
Imagebase: 0xf40000
File size: 24'606'720 bytes
MD5 hash: 82A93F4476EFBFEE119EB6CEC32B0E8D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2306788327.0000000002A8E000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2306788327.0000000002A3A000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2306788327.0000000002BE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 1
Start time: 12:15:51
Start date: 15/10/2024
Path: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Imagebase: 0x950000
File size: 231'736 bytes
MD5 hash: A64BEAB5D4516BECA4C40B25DC0C1CD8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000002.2522681012.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000002.2523138286.0000000002D87000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000002.2522728061.00000000029F2000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000002.2522728061.0000000002A2A000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation: moderate
Has exited: true

                                                      Execution Graph

Execution Coverage: 19%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 2%
Total number of Nodes: 1159
Total number of Limit Nodes: 6
                                                      execution_graph 14646 29a3bdb 14649 29a3916 codecvt __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 14646->14649 14647 29a3baa 14648 29a38b0 InternetCrackUrlA 14648->14649 14649->14647 14649->14648 14650 29a5190 InternetCrackUrlA 14649->14650 14650->14649 14651 29a83dc 14652 29a83eb 14651->14652 14653 29a83f8 RegEnumKeyExA 14652->14653 14654 29a8485 14652->14654 14653->14654 14655 29a843f RegOpenKeyExA 14653->14655 14655->14654 14657 29a84c1 RegQueryValueExA 14655->14657 14658 29a8601 RegCloseKey 14657->14658 14659 29a84fa 14657->14659 14658->14654 14659->14658 14660 29a856e RegQueryValueExA 14659->14660 14660->14658 14661 29a85a3 14660->14661 14661->14658 13424 2991190 13429 29a78e0 13424->13429 13426 299119e 13428 29911b7 13426->13428 13433 29a7850 13426->13433 13430 29a7916 GetComputerNameA 13429->13430 13432 29a7939 13430->13432 13432->13426 13434 29a7886 GetUserNameA 13433->13434 13436 29a78c3 13434->13436 13436->13428 14662 29a6af3 14664 29a6ab1 14662->14664 14663 29a5b10 41 API calls 14665 29a6b16 14663->14665 14664->14663 13437 29a69f0 13455 2992260 13437->13455 13441 29a6a00 13548 2991160 GetSystemInfo 13441->13548 13447 29a6a21 13448 29a6a26 GetUserDefaultLCID 13447->13448 13449 29a7850 GetUserNameA 13448->13449 13450 29a6a30 13449->13450 13451 29a78e0 GetComputerNameA 13450->13451 13453 29a6a43 13451->13453 13559 29a5b10 13453->13559 13454 29a6b16 13625 29945c0 13455->13625 13457 2992274 13458 29945c0 2 API calls 13457->13458 13459 299228d 13458->13459 13460 29945c0 2 API calls 13459->13460 13461 29922a6 13460->13461 13462 29945c0 2 API calls 13461->13462 13463 29922bf 13462->13463 13464 29945c0 2 API calls 13463->13464 13465 29922d8 13464->13465 13466 29945c0 2 API calls 13465->13466 13467 29922f1 13466->13467 13468 29945c0 2 API calls 13467->13468 13469 299230a 13468->13469 13470 29945c0 2 API calls 13469->13470 13471 2992323 13470->13471 13472 29945c0 2 API calls 13471->13472 13473 299233c 13472->13473 
13474 29945c0 2 API calls 13473->13474 13475 2992355 13474->13475 13476 29945c0 2 API calls 13475->13476 13477 299236e 13476->13477 13478 29945c0 2 API calls 13477->13478 13479 2992387 13478->13479 13480 29945c0 2 API calls 13479->13480 13481 29923a0 13480->13481 13482 29945c0 2 API calls 13481->13482 13483 29923b9 13482->13483 13484 29945c0 2 API calls 13483->13484 13485 29923d2 13484->13485 13486 29945c0 2 API calls 13485->13486 13487 29923eb 13486->13487 13488 29945c0 2 API calls 13487->13488 13489 2992404 13488->13489 13490 29945c0 2 API calls 13489->13490 13491 299241d 13490->13491 13492 29945c0 2 API calls 13491->13492 13493 2992436 13492->13493 13494 29945c0 2 API calls 13493->13494 13495 299244f 13494->13495 13496 29945c0 2 API calls 13495->13496 13497 2992468 13496->13497 13498 29945c0 2 API calls 13497->13498 13499 2992481 13498->13499 13500 29945c0 2 API calls 13499->13500 13501 299249a 13500->13501 13502 29945c0 2 API calls 13501->13502 13503 29924b3 13502->13503 13504 29945c0 2 API calls 13503->13504 13505 29924cc 13504->13505 13506 29945c0 2 API calls 13505->13506 13507 29924e5 13506->13507 13508 29945c0 2 API calls 13507->13508 13509 29924fe 13508->13509 13510 29945c0 2 API calls 13509->13510 13511 2992517 13510->13511 13512 29945c0 2 API calls 13511->13512 13513 2992530 13512->13513 13514 29945c0 2 API calls 13513->13514 13515 2992549 13514->13515 13516 29945c0 2 API calls 13515->13516 13517 2992562 13516->13517 13518 29945c0 2 API calls 13517->13518 13519 299257b 13518->13519 13520 29945c0 2 API calls 13519->13520 13521 2992594 13520->13521 13522 29945c0 2 API calls 13521->13522 13523 29925ad 13522->13523 13524 29945c0 2 API calls 13523->13524 13525 29925c6 13524->13525 13526 29945c0 2 API calls 13525->13526 13527 29925df 13526->13527 13528 29945c0 2 API calls 13527->13528 13529 29925f8 13528->13529 13530 29945c0 2 API calls 13529->13530 13531 2992611 13530->13531 13532 29945c0 2 API calls 13531->13532 13533 299262a 13532->13533 13534 29945c0 2 API 
calls 13533->13534 13535 2992643 13534->13535 13536 29945c0 2 API calls 13535->13536 13537 299265c 13536->13537 13538 29945c0 2 API calls 13537->13538 13539 2992675 13538->13539 13540 29945c0 2 API calls 13539->13540 13541 299268e 13540->13541 13542 29a9860 13541->13542 13630 29a9750 GetPEB 13542->13630 13544 29a9a93 LoadLibraryA LoadLibraryA 13545 29a9ac3 LoadLibraryA 13544->13545 13546 29a9ae6 13545->13546 13546->13441 13547 29a9868 13547->13544 13549 299117c 13548->13549 13550 2991110 13549->13550 13551 2991131 VirtualAllocExNuma 13550->13551 13552 2991141 13551->13552 13631 29910a0 VirtualAlloc 13552->13631 13554 299114e 13555 2991220 13554->13555 13633 29a89b0 13555->13633 13558 2991249 __aulldiv 13558->13447 13560 29a5b1d 13559->13560 13635 29926a0 13560->13635 13564 29a5ca3 14272 29a5510 13564->14272 13566 29a5cc3 14277 29a7500 13566->14277 13568 29a5da7 14281 2994880 13568->14281 13570 29a5dbe 14285 2995960 13570->14285 13572 29a5e03 13573 2995960 InternetCrackUrlA 13572->13573 13574 29a5e4c 13573->13574 13575 2995960 InternetCrackUrlA 13574->13575 13576 29a5e93 13575->13576 14289 29a1a10 13576->14289 13578 29a5eba 14319 2994fb0 13578->14319 13580 29a5edb 14324 29a0740 13580->14324 13582 29a5f60 13583 2995960 InternetCrackUrlA 13582->13583 13584 29a5fa0 13583->13584 14336 2991e80 13584->14336 13586 29a5ff0 13587 29a6092 13586->13587 13588 29a6000 13586->13588 13590 2995960 InternetCrackUrlA 13587->13590 13589 2995960 InternetCrackUrlA 13588->13589 13593 29a603a 13589->13593 13591 29a60bf 13590->13591 14346 29a3560 13591->14346 14342 29a3dc0 13593->14342 13594 29a608a 13597 29a610b 13594->13597 14350 29a40b0 13594->14350 13599 29a6130 13597->13599 14368 29a4780 13597->14368 13602 29a6155 13599->13602 14372 29a4bb0 13599->14372 13600 29a60ec 14364 29a5100 13600->14364 13603 29a617a 13602->13603 14386 29a4d70 13602->14386 13607 29a619f 13603->13607 14394 29a4f40 13603->14394 13605 29a6210 13614 29a62b3 13605->13614 13615 29a6220 13605->13615 13610 29a61c4 
13607->13610 14400 2997710 13607->14400 13611 29a61e9 13610->13611 14404 29a5050 13610->14404 13611->13605 14408 29a9010 13611->14408 13616 2995960 InternetCrackUrlA 13614->13616 13617 2995960 InternetCrackUrlA 13615->13617 13618 29a62e0 13616->13618 13620 29a625b 13617->13620 13619 29a3560 InternetCrackUrlA 13618->13619 13622 29a62ab 13619->13622 13621 29a3dc0 InternetCrackUrlA 13620->13621 13621->13622 13623 2995960 InternetCrackUrlA 13622->13623 13624 29a631c 13623->13624 13624->13454 13626 29945d2 RtlAllocateHeap 13625->13626 13629 2994622 VirtualProtect 13626->13629 13629->13457 13630->13547 13632 29910c2 codecvt 13631->13632 13632->13554 13634 2991233 GlobalMemoryStatusEx 13633->13634 13634->13558 13636 29945c0 2 API calls 13635->13636 13637 29926b4 13636->13637 13638 29945c0 2 API calls 13637->13638 13639 29926d7 13638->13639 13640 29945c0 2 API calls 13639->13640 13641 29926f0 13640->13641 13642 29945c0 2 API calls 13641->13642 13643 2992709 13642->13643 13644 29945c0 2 API calls 13643->13644 13645 2992736 13644->13645 13646 29945c0 2 API calls 13645->13646 13647 299274f 13646->13647 13648 29945c0 2 API calls 13647->13648 13649 2992768 13648->13649 13650 29945c0 2 API calls 13649->13650 13651 2992795 13650->13651 13652 29945c0 2 API calls 13651->13652 13653 29927ae 13652->13653 13654 29945c0 2 API calls 13653->13654 13655 29927c7 13654->13655 13656 29945c0 2 API calls 13655->13656 13657 29927e0 13656->13657 13658 29945c0 2 API calls 13657->13658 13659 29927f9 13658->13659 13660 29945c0 2 API calls 13659->13660 13661 2992812 13660->13661 13662 29945c0 2 API calls 13661->13662 13663 299282b 13662->13663 13664 29945c0 2 API calls 13663->13664 13665 2992844 13664->13665 13666 29945c0 2 API calls 13665->13666 13667 299285d 13666->13667 13668 29945c0 2 API calls 13667->13668 13669 2992876 13668->13669 13670 29945c0 2 API calls 13669->13670 13671 299288f 13670->13671 13672 29945c0 2 API calls 13671->13672 13673 29928a8 13672->13673 13674 29945c0 2 API calls 
13673->13674 13675 29928c1 13674->13675 13676 29945c0 2 API calls 13675->13676 13677 29928da 13676->13677 13678 29945c0 2 API calls 13677->13678 13679 29928f3 13678->13679 13680 29945c0 2 API calls 13679->13680 13681 299290c 13680->13681 13682 29945c0 2 API calls 13681->13682 13683 2992925 13682->13683 13684 29945c0 2 API calls 13683->13684 13685 299293e 13684->13685 13686 29945c0 2 API calls 13685->13686 13687 2992957 13686->13687 13688 29945c0 2 API calls 13687->13688 13689 2992970 13688->13689 13690 29945c0 2 API calls 13689->13690 13691 2992989 13690->13691 13692 29945c0 2 API calls 13691->13692 13693 29929a2 13692->13693 13694 29945c0 2 API calls 13693->13694 13695 29929bb 13694->13695 13696 29945c0 2 API calls 13695->13696 13697 29929d4 13696->13697 13698 29945c0 2 API calls 13697->13698 13699 29929ed 13698->13699 13700 29945c0 2 API calls 13699->13700 13701 2992a06 13700->13701 13702 29945c0 2 API calls 13701->13702 13703 2992a1f 13702->13703 13704 29945c0 2 API calls 13703->13704 13705 2992a38 13704->13705 13706 29945c0 2 API calls 13705->13706 13707 2992a51 13706->13707 13708 29945c0 2 API calls 13707->13708 13709 2992a6a 13708->13709 13710 29945c0 2 API calls 13709->13710 13711 2992a83 13710->13711 13712 29945c0 2 API calls 13711->13712 13713 2992a9c 13712->13713 13714 29945c0 2 API calls 13713->13714 13715 2992ab5 13714->13715 13716 29945c0 2 API calls 13715->13716 13717 2992ace 13716->13717 13718 29945c0 2 API calls 13717->13718 13719 2992ae7 13718->13719 13720 29945c0 2 API calls 13719->13720 13721 2992b00 13720->13721 13722 29945c0 2 API calls 13721->13722 13723 2992b19 13722->13723 13724 29945c0 2 API calls 13723->13724 13725 2992b32 13724->13725 13726 29945c0 2 API calls 13725->13726 13727 2992b4b 13726->13727 13728 29945c0 2 API calls 13727->13728 13729 2992b64 13728->13729 13730 29945c0 2 API calls 13729->13730 13731 2992b7d 13730->13731 13732 29945c0 2 API calls 13731->13732 13733 2992b96 13732->13733 13734 29945c0 2 API calls 13733->13734 13735 
2992baf 13734->13735 13736 29945c0 2 API calls 13735->13736 13737 2992bc8 13736->13737 13738 29945c0 2 API calls 13737->13738 13739 2992be1 13738->13739 13740 29945c0 2 API calls 13739->13740 13741 2992bfa 13740->13741 13742 29945c0 2 API calls 13741->13742 13743 2992c13 13742->13743 13744 29945c0 2 API calls 13743->13744 13745 2992c2c 13744->13745 13746 29945c0 2 API calls 13745->13746 13747 2992c45 13746->13747 13748 29945c0 2 API calls 13747->13748 13749 2992c5e 13748->13749 13750 29945c0 2 API calls 13749->13750 13751 2992c77 13750->13751 13752 29945c0 2 API calls 13751->13752 13753 2992c90 13752->13753 13754 29945c0 2 API calls 13753->13754 13755 2992ca9 13754->13755 13756 29945c0 2 API calls 13755->13756 13757 2992cc2 13756->13757 13758 29945c0 2 API calls 13757->13758 13759 2992cdb 13758->13759 13760 29945c0 2 API calls 13759->13760 13761 2992cf4 13760->13761 13762 29945c0 2 API calls 13761->13762 13763 2992d0d 13762->13763 13764 29945c0 2 API calls 13763->13764 13765 2992d26 13764->13765 13766 29945c0 2 API calls 13765->13766 13767 2992d3f 13766->13767 13768 29945c0 2 API calls 13767->13768 13769 2992d58 13768->13769 13770 29945c0 2 API calls 13769->13770 13771 2992d71 13770->13771 13772 29945c0 2 API calls 13771->13772 13773 2992d8a 13772->13773 13774 29945c0 2 API calls 13773->13774 13775 2992da3 13774->13775 13776 29945c0 2 API calls 13775->13776 13777 2992dbc 13776->13777 13778 29945c0 2 API calls 13777->13778 13779 2992dd5 13778->13779 13780 29945c0 2 API calls 13779->13780 13781 2992dee 13780->13781 13782 29945c0 2 API calls 13781->13782 13783 2992e07 13782->13783 13784 29945c0 2 API calls 13783->13784 13785 2992e20 13784->13785 13786 29945c0 2 API calls 13785->13786 13787 2992e39 13786->13787 13788 29945c0 2 API calls 13787->13788 13789 2992e52 13788->13789 13790 29945c0 2 API calls 13789->13790 13791 2992e6b 13790->13791 13792 29945c0 2 API calls 13791->13792 13793 2992e84 13792->13793 13794 29945c0 2 API calls 13793->13794 13795 2992e9d 
13794->13795 13796 29945c0 2 API calls 13795->13796 13797 2992eb6 13796->13797 13798 29945c0 2 API calls 13797->13798 13799 2992ecf 13798->13799 13800 29945c0 2 API calls 13799->13800 13801 2992ee8 13800->13801 13802 29945c0 2 API calls 13801->13802 13803 2992f01 13802->13803 13804 29945c0 2 API calls 13803->13804 13805 2992f1a 13804->13805 13806 29945c0 2 API calls 13805->13806 13807 2992f33 13806->13807 13808 29945c0 2 API calls 13807->13808 13809 2992f4c 13808->13809 13810 29945c0 2 API calls 13809->13810 13811 2992f65 13810->13811 13812 29945c0 2 API calls 13811->13812 13813 2992f7e 13812->13813 13814 29945c0 2 API calls 13813->13814 13815 2992f97 13814->13815 13816 29945c0 2 API calls 13815->13816 13817 2992fb0 13816->13817 13818 29945c0 2 API calls 13817->13818 13819 2992fc9 13818->13819 13820 29945c0 2 API calls 13819->13820 13821 2992fe2 13820->13821 13822 29945c0 2 API calls 13821->13822 13823 2992ffb 13822->13823 13824 29945c0 2 API calls 13823->13824 13825 2993014 13824->13825 13826 29945c0 2 API calls 13825->13826 13827 299302d 13826->13827 13828 29945c0 2 API calls 13827->13828 13829 2993046 13828->13829 13830 29945c0 2 API calls 13829->13830 13831 299305f 13830->13831 13832 29945c0 2 API calls 13831->13832 13833 2993078 13832->13833 13834 29945c0 2 API calls 13833->13834 13835 2993091 13834->13835 13836 29945c0 2 API calls 13835->13836 13837 29930aa 13836->13837 13838 29945c0 2 API calls 13837->13838 13839 29930c3 13838->13839 13840 29945c0 2 API calls 13839->13840 13841 29930dc 13840->13841 13842 29945c0 2 API calls 13841->13842 13843 29930f5 13842->13843 13844 29945c0 2 API calls 13843->13844 13845 299310e 13844->13845 13846 29945c0 2 API calls 13845->13846 13847 2993127 13846->13847 13848 29945c0 2 API calls 13847->13848 13849 2993140 13848->13849 13850 29945c0 2 API calls 13849->13850 13851 2993159 13850->13851 13852 29945c0 2 API calls 13851->13852 13853 2993172 13852->13853 13854 29945c0 2 API calls 13853->13854 13855 299318b 13854->13855 13856 
29945c0 2 API calls 13855->13856 13857 29931a4 13856->13857 13858 29945c0 2 API calls 13857->13858 13859 29931bd 13858->13859 13860 29945c0 2 API calls 13859->13860 13861 29931d6 13860->13861 13862 29945c0 2 API calls 13861->13862 13863 29931ef 13862->13863 13864 29945c0 2 API calls 13863->13864 13865 2993208 13864->13865 13866 29945c0 2 API calls 13865->13866 13867 2993221 13866->13867 13868 29945c0 2 API calls 13867->13868 13869 299323a 13868->13869 13870 29945c0 2 API calls 13869->13870 13871 2993253 13870->13871 13872 29945c0 2 API calls 13871->13872 13873 299326c 13872->13873 13874 29945c0 2 API calls 13873->13874 13875 2993285 13874->13875 13876 29945c0 2 API calls 13875->13876 13877 299329e 13876->13877 13878 29945c0 2 API calls 13877->13878 13879 29932b7 13878->13879 13880 29945c0 2 API calls 13879->13880 13881 29932d0 13880->13881 13882 29945c0 2 API calls 13881->13882 13883 29932e9 13882->13883 13884 29945c0 2 API calls 13883->13884 13885 2993302 13884->13885 13886 29945c0 2 API calls 13885->13886 13887 299331b 13886->13887 13888 29945c0 2 API calls 13887->13888 13889 2993334 13888->13889 13890 29945c0 2 API calls 13889->13890 13891 299334d 13890->13891 13892 29945c0 2 API calls 13891->13892 13893 2993366 13892->13893 13894 29945c0 2 API calls 13893->13894 13895 299337f 13894->13895 13896 29945c0 2 API calls 13895->13896 13897 2993398 13896->13897 13898 29945c0 2 API calls 13897->13898 13899 29933b1 13898->13899 13900 29945c0 2 API calls 13899->13900 13901 29933ca 13900->13901 13902 29945c0 2 API calls 13901->13902 13903 29933e3 13902->13903 13904 29945c0 2 API calls 13903->13904 13905 29933fc 13904->13905 13906 29945c0 2 API calls 13905->13906 13907 2993415 13906->13907 13908 29945c0 2 API calls 13907->13908 13909 299342e 13908->13909 13910 29945c0 2 API calls 13909->13910 13911 2993447 13910->13911 13912 29945c0 2 API calls 13911->13912 13913 2993460 13912->13913 13914 29945c0 2 API calls 13913->13914 13915 2993479 13914->13915 13916 29945c0 2 API calls 
control_flow_graph (continuation; the raw node/edge dump is omitted). What it records, all inside the region dumped at 0x02990000 of BitLockerToGo.exe:
• a long straight-line chain of basic blocks from 02993492 to 029945a9 that calls the helper at 029945c0 ("2 API calls") once per block and then falls through to 029a9c10, whose block at 029aa036 makes 8 API calls.
• the host-fingerprinting routine entered at 029a1a26, which calls in order: 029a7500 (GetVolumeInformationA), 029a7690/029a7720 (RegOpenKeyExA, RegQueryValueExA), 029a7850 (GetUserNameA), 029a78e0 (GetComputerNameA), 029a7a30 (GetTimeZoneInformation), 029a7b90 (GetLocaleInfoA), 029a9470 (K32GetModuleFileNameExA), 029a7e00 (RegOpenKeyExA, RegQueryValueExA), 029a7ed0 (GetSystemInfo), 029a8100 (GlobalMemoryStatusEx), 029a8320 twice (RegOpenKeyExA, RegEnumKeyExA, RegQueryValueExA, RegCloseKey), 029a8680 (CreateToolhelp32Snapshot, Process32First, Process32Next, CloseHandle) and finally 029a5190.
• two HTTP senders at 029a52c0 and 029a51f0 (InternetCrackUrlA, InternetOpenA, InternetConnectA, HttpOpenRequestA, HttpSendRequestA), both reached from the block at 029a5521; 029a7548 (GetVolumeInformationA); 02994fd0 (RtlAllocateHeap) with an exception path through KiUserExceptionDispatcher at 02995070; and a large set of string-building functions (labelled codecvt) that funnel into the InternetCrackUrlA wrappers at 029a5190, 029947b0/02994848, 029960a0, 0299be70, 0299ec30 and 029a3ea0.

                                                      Control-flow Graph

                                                      APIs
                                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,029B05B7), ref: 029A86CA   (dwFlags 0x2 = TH32CS_SNAPPROCESS: a snapshot of all running processes, the usual prelude to a process walk)
                                                      • Process32First.KERNEL32(?,00000128), ref: 029A86DE   (0x128 = 296 = sizeof(PROCESSENTRY32), the ANSI/x86 structure the walk fills; the wide variant would be 0x22C)
                                                      • Process32Next.KERNEL32(?,00000128), ref: 029A86F3
                                                      • CloseHandle.KERNELBASE(?), ref: 029A8761
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2522681012.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2990000_BitLockerToGo.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                      • String ID:
                                                      • API String ID: 420147892-0
                                                      • Opcode ID: 74cc716840213eb5557bca44158812c551f4353f69f1bd2f59d67b78c0cfb178
                                                      • Instruction ID: 3ef5d0fe0d30bbe67df003ef20a5a02e9af21fbe6951262b5e63d7d8a08b0784
                                                      • Opcode Fuzzy Hash: 74cc716840213eb5557bca44158812c551f4353f69f1bd2f59d67b78c0cfb178
                                                      • Instruction Fuzzy Hash: FB316B71941218ABDB64EF54CC64FEEB77DFF85700F0045A9E50AA2190EB306A45CFE0

                                                      Control-flow Graph

                                                      control_flow_graph 385 29945c0-2994695 RtlAllocateHeap 402 29946a0-29946a6 385->402 403 29946ac-299474a 402->403 404 299474f-29947a9 VirtualProtect 402->404 403->402
                                                      APIs
                                                      • RtlAllocateHeap.NTDLL(00000000,?,0000000F,?,029A69FB), ref: 0299460E   (a 0xF-byte allocation on the heap handle in the first argument)
                                                      • VirtualProtect.KERNELBASE(?,00000004,00000100,00000000), ref: 0299479C   (dwSize 4, flNewProtect 0x100 = PAGE_GUARD: the guard-page behaviour listed under Signatures; PAGE_GUARD is documented as a modifier to be combined with a base protection such as PAGE_READWRITE, so confirm the resolved value in the dump before relying on this line alone)
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2522681012.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2990000_BitLockerToGo.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AllocateHeapProtectVirtual
                                                      • String ID:
                                                      • API String ID: 1542196881-0
                                                      • Opcode ID: 6de9c28704685f4520f4184605d14eb3efb81c39061ae0d21dee4d70ddaab5af
                                                      • Instruction ID: 51127acffb54adb61a5ea7ba06b85f9b2f3095280ca718c627e93ce727f61858
                                                      • Opcode Fuzzy Hash: 6de9c28704685f4520f4184605d14eb3efb81c39061ae0d21dee4d70ddaab5af
                                                      • Instruction Fuzzy Hash: FB411371ACC314EBF7165FE4E98F9AC7B70AF89702B428864F94399140C6709461DBB1
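The control_flow_graph lines in this report (the one for 029945c0 above, and the longer one for the LoadLibraryA resolver at 029a9c10 further down) are a flat token stream: a block id followed by its address range, optional API names with an optional "* N" repeat count, and "src->dst" edges. The following Python, an added example that is not part of the Joe Sandbox report or of the sample's code, parses that stream back into a graph, lists the API call sites by address, finds the shortest path between two blocks and reports loop back-edges. Both graph lines are copied from this page; the assumption that the first block listed is the function entry is mine.

```python
import re
from collections import deque
from dataclasses import dataclass, field
from typing import Optional

# Two control_flow_graph lines copied verbatim from this report: the heap/guard-page
# helper at 0x29945c0 and the eight-way LoadLibraryA resolver at 0x29a9c10.
CFG_ALLOC = (
    "control_flow_graph 385 29945c0-2994695 RtlAllocateHeap 402 29946a0-29946a6 385->402 "
    "403 29946ac-299474a 402->403 404 299474f-29947a9 VirtualProtect 402->404 403->402"
)
CFG_LOADLIB = (
    "control_flow_graph 0 29a9c10-29a9c1a 1 29a9c20-29aa031 0->1 2 29aa036-29aa0ca "
    "LoadLibraryA * 8 0->2 1->2 3 29aa0cc-29aa141 2->3 4 29aa146-29aa14d 2->4 3->4 "
    "6 29aa153-29aa211 4->6 7 29aa216-29aa21d 4->7 6->7 8 29aa298-29aa29f 7->8 "
    "9 29aa21f-29aa293 7->9 12 29aa337-29aa33e 8->12 13 29aa2a5-29aa332 8->13 9->8 "
    "17 29aa41f-29aa426 12->17 18 29aa344-29aa41a 12->18 13->12 21 29aa428-29aa49d 17->21 "
    "22 29aa4a2-29aa4a9 17->22 18->17 21->22 26 29aa4ab-29aa4d7 22->26 27 29aa4dc-29aa4e3 "
    "22->27 26->27 31 29aa515-29aa51c 27->31 32 29aa4e5-29aa510 27->32 35 29aa612-29aa619 "
    "31->35 36 29aa522-29aa60d 31->36 32->31 46 29aa61b-29aa678 35->46 47 29aa67d-29aa684 "
    "35->47 36->35 49 29aa69e-29aa6a5 47->49 50 29aa686-29aa699 47->50 61 29aa708-29aa709 "
    "49->61 62 29aa6a7-29aa703 49->62 50->49 62->61"
)

RANGE = re.compile(r"^[0-9a-fA-F]+-[0-9a-fA-F]+$")   # "start-end" of a basic block
EDGE = re.compile(r"^(\d+)->(\d+)$")                 # "src->dst"

@dataclass
class Block:
    ident: int
    start: int                                  # first instruction address
    end: int                                    # last instruction address
    apis: list = field(default_factory=list)    # [(api_name, call_count), ...]

@dataclass
class CFG:
    entry: Optional[int] = None                 # first block listed (assumed to be the entry)
    nodes: dict = field(default_factory=dict)   # ident -> Block
    succ: dict = field(default_factory=dict)    # ident -> [successor idents]
    edges: list = field(default_factory=list)   # [(src, dst), ...] in listing order

def parse_cfg(line):
    """Rebuild a CFG from one Joe Sandbox control_flow_graph line."""
    toks = line.split()
    if toks and toks[0] == "control_flow_graph":
        toks = toks[1:]
    cfg, cur, pending, i = CFG(), None, [], 0
    while i < len(toks):
        tok = toks[i]
        m = EDGE.match(tok)
        if m:                                   # edges may precede their blocks; resolve at the end
            pending.append((int(m.group(1)), int(m.group(2))))
        elif tok == "*":                        # "API * N": N calls of the preceding API in this block
            if cur is None or not cur.apis or i + 1 >= len(toks):
                raise ValueError("dangling '*' at token %d" % i)
            cur.apis[-1] = (cur.apis[-1][0], int(toks[i + 1]))
            i += 1                              # consume N so it is not mistaken for a block id
        elif tok.isdigit() and i + 1 < len(toks) and RANGE.match(toks[i + 1]):
            lo, hi = toks[i + 1].split("-")
            cur = Block(int(tok), int(lo, 16), int(hi, 16))
            cfg.nodes[cur.ident], cfg.succ[cur.ident] = cur, []
            if cfg.entry is None:
                cfg.entry = cur.ident
            i += 1
        else:                                   # anything else is an API label for the current block
            if cur is None:
                raise ValueError("API label %r before any block" % tok)
            cur.apis.append((tok, 1))
        i += 1
    for src, dst in pending:
        if src not in cfg.nodes or dst not in cfg.nodes:
            raise ValueError("edge %d->%d references an undeclared block" % (src, dst))
        cfg.succ[src].append(dst)
        cfg.edges.append((src, dst))
    return cfg

def api_call_sites(cfg):
    """[(block start address, api, call count)] sorted by address."""
    return sorted((b.start, name, n) for b in cfg.nodes.values() for name, n in b.apis)

def exit_blocks(cfg):
    return sorted(n for n, s in cfg.succ.items() if not s)

def shortest_path(cfg, src, dst):
    """BFS over successor edges; None if dst is unreachable from src."""
    prev, queue = {src: None}, deque([src])
    while queue:
        n = queue.popleft()
        if n == dst:
            path = []
            while n is not None:
                path.append(n)
                n = prev[n]
            return path[::-1]
        for s in cfg.succ[n]:
            if s not in prev:
                prev[s] = n
                queue.append(s)
    return None

def back_edges(cfg):
    """Edges that close a loop (DFS grey-node test), e.g. 403->402 in the helper above."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour, found = {n: WHITE for n in cfg.nodes}, set()
    def visit(n):
        colour[n] = GREY
        for s in cfg.succ[n]:
            if colour[s] == GREY:
                found.add((n, s))
            elif colour[s] == WHITE:
                visit(s)
        colour[n] = BLACK
    for n in [cfg.entry] + sorted(cfg.nodes):
        if n is not None and colour[n] == WHITE:
            visit(n)
    return found

if __name__ == "__main__":
    for line in (CFG_ALLOC, CFG_LOADLIB):
        g = parse_cfg(line)
        print("entry %d, %d blocks, %d edges, exits %s, loops %s" % (
            g.entry, len(g.nodes), len(g.edges), exit_blocks(g), sorted(back_edges(g))))
        for start, name, n in api_call_sites(g):
            print("  %08x %s x%d" % (start, name, n))
```

On the helper graph this prints the RtlAllocateHeap block at 029945c0 and the VirtualProtect block at 0299474f, the single exit 404, and the 402/403 loop that sits between allocation and protection change; the LoadLibraryA graph is loop-free with node 2 carrying all eight LoadLibraryA calls.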
                                                      APIs
                                                      • GetLocaleInfoA.KERNELBASE(?,00000002,?,00000200), ref: 029A7C62   (LCType 0x2 = LOCALE_SLANGUAGE into a 0x200-byte buffer: the localized language name, collected as part of the host fingerprint)
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2522681012.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2990000_BitLockerToGo.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: InfoLocale
                                                      • String ID:
                                                      • API String ID: 2299586839-0
                                                      • Opcode ID: a387e3197a7264913c2541b0f8487c3b1fa208515ac450a468372695922969bc
                                                      • Instruction ID: cc1b31286da8705ed14cbb754abf185621b0052d900134a8663cd526b7486d1e
                                                      • Opcode Fuzzy Hash: a387e3197a7264913c2541b0f8487c3b1fa208515ac450a468372695922969bc
                                                      • Instruction Fuzzy Hash: F8413C71941218ABDB64DB94DCA9BEEB379FF84700F104599E50AA2280DB742F85CFE0
                                                      APIs
                                                      • GetTimeZoneInformation.KERNELBASE(?,?,?,?,00000000,00000000,?,?,00000000,?,029B0E10,00000000,?,00000000,00000000,?), ref: 029A7A7D
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2522681012.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2990000_BitLockerToGo.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: InformationTimeZone
                                                      • String ID:
                                                      • API String ID: 565725191-0
                                                      • Opcode ID: 6c16a686ddfb1554709c4709a48b4fccc46c975675e54f3dff2dafc22d1a7532
                                                      • Instruction ID: 5d2cad9e374f7033411e9b5bc06018d662255c1a05839b0dc63cd3be97e52b5e
                                                      • Opcode Fuzzy Hash: 6c16a686ddfb1554709c4709a48b4fccc46c975675e54f3dff2dafc22d1a7532
                                                      • Instruction Fuzzy Hash: 131182B1D86228EBEB108F54DC59FAAB778FB44711F004799E906932C0D7741A40CF90
                                                      APIs
                                                      • GetUserNameA.ADVAPI32(00000104,00000104), ref: 029A789F
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2522681012.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2990000_BitLockerToGo.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: NameUser
                                                      • String ID:
                                                      • API String ID: 2645101109-0
                                                      • Opcode ID: 9fe47fa766a05acffaaa5f234f7bffc7917f54f6c7557627867220b2deb6812d
                                                      • Instruction ID: 44f8d84becd038b072eac9fc8d0fa8e783b7419c48c0deab97b762c558a6472d
                                                      • Opcode Fuzzy Hash: 9fe47fa766a05acffaaa5f234f7bffc7917f54f6c7557627867220b2deb6812d
                                                      • Instruction Fuzzy Hash: 39F04FB1D85208ABD700DF98D95ABAEFBB8EB04751F10065AFA05E3680D7792504CBE1
                                                      APIs
                                                      • GetSystemInfo.KERNELBASE(029B0E2C), ref: 029A7F00
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2522681012.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2990000_BitLockerToGo.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: InfoSystem
                                                      • String ID:
                                                      • API String ID: 31276548-0
                                                      • Opcode ID: e04717374cf7096c137664faab868183b5c514613dbcbcc29a7e6a4705179f7a
                                                      • Instruction ID: 5ac22489e20d02ed0e7b8619c8e03204288c08139763ceb1a71319a52ecd84ad
                                                      • Opcode Fuzzy Hash: e04717374cf7096c137664faab868183b5c514613dbcbcc29a7e6a4705179f7a
                                                      • Instruction Fuzzy Hash: A5F06DB1A41208EBDB10CF85DC55FEAF7BCFB48A24F000A69F51593680E7756A148BE0
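The API tables in this section record, per function, each import the injected code reaches together with the argument values the IDA plugin could resolve ("?" where it could not). Reading them means decoding raw DWORDs: 0x2 passed to CreateToolhelp32Snapshot is TH32CS_SNAPPROCESS, the 0x128 logged on the Process32First/Process32Next calls equals sizeof(PROCESSENTRY32) for the ANSI x86 structure, 0x100 in VirtualProtect's flNewProtect slot is PAGE_GUARD, and 0x2 passed to GetLocaleInfoA is LOCALE_SLANGUAGE. The following Python, added here as an example and not taken from the report or from the sample, parses lines in the report's own format and applies those decoders. The sample lines are copied from the tables above, the constant tables are the Windows SDK values, and only arguments whose meaning is fixed by the API prototype are decoded. One caveat the decoder makes visible: PAGE_GUARD is documented as a modifier to be combined with a base protection such as PAGE_READWRITE, so a bare 0x100 should be re-checked against the memory dump rather than taken as the protection that was actually applied.

```python
import re

# Lines copied verbatim from the API tables of this report (process walk, heap/guard-page
# helper, host-fingerprinting functions, one LoadLibraryA call site). Each "ref:" is the
# call site inside the region dumped at 0x02990000.
REPORT_LINES = """
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,029B05B7), ref: 029A86CA
• Process32First.KERNEL32(?,00000128), ref: 029A86DE
• Process32Next.KERNEL32(?,00000128), ref: 029A86F3
• CloseHandle.KERNELBASE(?), ref: 029A8761
• RtlAllocateHeap.NTDLL(00000000,?,0000000F,?,029A69FB), ref: 0299460E
• VirtualProtect.KERNELBASE(?,00000004,00000100,00000000), ref: 0299479C
• GetLocaleInfoA.KERNELBASE(?,00000002,?,00000200), ref: 029A7C62
• GetTimeZoneInformation.KERNELBASE(?,?,?,?,00000000,00000000,?,?,00000000,?,029B0E10,00000000,?,00000000,00000000,?), ref: 029A7A7D
• GetUserNameA.ADVAPI32(00000104,00000104), ref: 029A789F
• GetSystemInfo.KERNELBASE(029B0E2C), ref: 029A7F00
• LoadLibraryA.KERNELBASE(?,?,029A5CA3,?,00000034,00000064,029A6600,?,0000002C,00000064,029A65A0,?,00000030,00000064,Function_00015AD0,?), ref: 029AA03D
"""

API_LINE = re.compile(
    r"^\s*•\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Win32 constants from the SDK headers.
PAGE_FLAGS = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
    0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE",
}
TH32CS_FLAGS = {
    0x01: "TH32CS_SNAPHEAPLIST", 0x02: "TH32CS_SNAPPROCESS", 0x04: "TH32CS_SNAPTHREAD",
    0x08: "TH32CS_SNAPMODULE", 0x10: "TH32CS_SNAPMODULE32", 0x80000000: "TH32CS_INHERIT",
}
LCTYPES = {0x02: "LOCALE_SLANGUAGE", 0x06: "LOCALE_SCOUNTRY", 0x1001: "LOCALE_SENGLANGUAGE"}
# x86 PROCESSENTRY32: nine DWORD-sized fields (36 bytes) + szExeFile[MAX_PATH]:
# 36 + 260 = 296 for the ANSI struct, 36 + 2*260 = 556 for PROCESSENTRY32W.
PE32_SIZES = {0x128: "sizeof(PROCESSENTRY32) ANSI/x86 = 296",
              0x22C: "sizeof(PROCESSENTRY32W) x86 = 556"}

def decode_flags(value, table):
    """Render a bit-flag DWORD as 'A|B', keeping any bits the table does not name."""
    names = [name for bit, name in table.items() if value & bit]
    unknown = value & ~sum(table)
    if unknown:
        names.append(hex(unknown))
    return "|".join(names) or "0"

# (api, zero-based argument index) -> decoder; unresolved '?' arguments are never decoded.
DECODERS = {
    ("CreateToolhelp32Snapshot", 0): lambda v: decode_flags(v, TH32CS_FLAGS),
    ("VirtualProtect", 2): lambda v: decode_flags(v, PAGE_FLAGS),
    ("GetLocaleInfoA", 1): lambda v: LCTYPES.get(v, "LCTYPE 0x%x" % v),
    ("Process32First", 1): lambda v: PE32_SIZES.get(v),
    ("Process32Next", 1): lambda v: PE32_SIZES.get(v),
}

def parse_arg(token):
    token = token.strip()
    if token == "?":
        return None                 # the plugin could not resolve this argument
    try:
        return int(token, 16)
    except ValueError:
        return token                # symbolic labels such as "Function_00015AD0"

def parse_api_lines(text):
    """One record per bullet line: api, module, argument list, call-site address."""
    records = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = [parse_arg(a) for a in m.group("args").split(",")] if m.group("args") else []
        records.append({"api": m.group("api"), "module": m.group("module"),
                        "args": args, "ref": int(m.group("ref"), 16)})
    return records

def annotate(record):
    """Argument index -> decoded meaning, for the arguments a decoder exists for."""
    out = {}
    for i, v in enumerate(record["args"]):
        dec = DECODERS.get((record["api"], i))
        if dec is not None and isinstance(v, int):
            label = dec(v)
            if label:
                out[i] = label
    return out

def render(record):
    """Call site, API and arguments with decoded constants in brackets."""
    notes, parts = annotate(record), []
    for i, v in enumerate(record["args"]):
        s = "?" if v is None else (hex(v) if isinstance(v, int) else v)
        parts.append(s + (" [%s]" % notes[i] if i in notes else ""))
    return "%08X %s.%s(%s)" % (record["ref"], record["module"], record["api"], ", ".join(parts))

if __name__ == "__main__":
    for rec in parse_api_lines(REPORT_LINES):
        print(render(rec))
```

Running it prints one line per call site in address-annotated form, for example the VirtualProtect call as `0299479C KERNELBASE.VirtualProtect(?, 0x4, 0x100 [PAGE_GUARD], 0x0)`; adding a decoder is a one-line entry in DECODERS keyed by API name and argument position.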

                                                      Control-flow Graph

                                                      control_flow_graph 0 29a9c10-29a9c1a 1 29a9c20-29aa031 0->1 2 29aa036-29aa0ca LoadLibraryA * 8 0->2 1->2 3 29aa0cc-29aa141 2->3 4 29aa146-29aa14d 2->4 3->4 6 29aa153-29aa211 4->6 7 29aa216-29aa21d 4->7 6->7 8 29aa298-29aa29f 7->8 9 29aa21f-29aa293 7->9 12 29aa337-29aa33e 8->12 13 29aa2a5-29aa332 8->13 9->8 17 29aa41f-29aa426 12->17 18 29aa344-29aa41a 12->18 13->12 21 29aa428-29aa49d 17->21 22 29aa4a2-29aa4a9 17->22 18->17 21->22 26 29aa4ab-29aa4d7 22->26 27 29aa4dc-29aa4e3 22->27 26->27 31 29aa515-29aa51c 27->31 32 29aa4e5-29aa510 27->32 35 29aa612-29aa619 31->35 36 29aa522-29aa60d 31->36 32->31 46 29aa61b-29aa678 35->46 47 29aa67d-29aa684 35->47 36->35 46->47 49 29aa69e-29aa6a5 47->49 50 29aa686-29aa699 47->50 61 29aa708-29aa709 49->61 62 29aa6a7-29aa703 49->62 50->49 62->61
                                                      APIs
                                                      • LoadLibraryA.KERNELBASE(?,?,029A5CA3,?,00000034,00000064,029A6600,?,0000002C,00000064,029A65A0,?,00000030,00000064,Function_00015AD0,?), ref: 029AA03D
                                                      • LoadLibraryA.KERNELBASE(?,?,029A5CA3,?,00000034,00000064,029A6600,?,0000002C,00000064,029A65A0,?,00000030,00000064,Function_00015AD0,?), ref: 029AA04E
                                                      • LoadLibraryA.KERNELBASE(?,?,029A5CA3,?,00000034,00000064,029A6600,?,0000002C,00000064,029A65A0,?,00000030,00000064,Function_00015AD0,?), ref: 029AA060
                                                      • LoadLibraryA.KERNELBASE(?,?,029A5CA3,?,00000034,00000064,029A6600,?,0000002C,00000064,029A65A0,?,00000030,00000064,Function_00015AD0,?), ref: 029AA072
                                                      • LoadLibraryA.KERNELBASE(?,?,029A5CA3,?,00000034,00000064,029A6600,?,0000002C,00000064,029A65A0,?,00000030,00000064,Function_00015AD0,?), ref: 029AA083
                                                      • LoadLibraryA.KERNELBASE(?,?,029A5CA3,?,00000034,00000064,029A6600,?,0000002C,00000064,029A65A0,?,00000030,00000064,Function_00015AD0,?), ref: 029AA095
                                                      • LoadLibraryA.KERNELBASE(?,?,029A5CA3,?,00000034,00000064,029A6600,?,0000002C,00000064,029A65A0,?,00000030,00000064,Function_00015AD0,?), ref: 029AA0A7
                                                      • LoadLibraryA.KERNELBASE(?,?,029A5CA3,?,00000034,00000064,029A6600,?,0000002C,00000064,029A65A0,?,00000030,00000064,Function_00015AD0,?), ref: 029AA0B8
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2522681012.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2990000_BitLockerToGo.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: LibraryLoad
                                                      • String ID:
                                                      • API String ID: 1029625771-0
                                                      • Opcode ID: 802b6f7e332ea1eb350529028ea2d44a887f9dd7a3e525cf654d5b73f13d50cf
                                                      • Instruction ID: 405fd0f2d69184578aa68637af02e8cb2de60f951f28480e65aba7c5e575186d
                                                      • Opcode Fuzzy Hash: 802b6f7e332ea1eb350529028ea2d44a887f9dd7a3e525cf654d5b73f13d50cf
                                                      • Instruction Fuzzy Hash: 62624CB5EC2241AFC344DFA8E5B89D63BF9F74C2813148D1AAA09C3244F73AA561CF51

                                                      Control-flow Graph

                                                      APIs
                                                      • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00020019,00000000,029B05B6), ref: 029A83A4
                                                      • RegEnumKeyExA.KERNELBASE(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 029A8426
                                                      • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00020019,00000000), ref: 029A847B
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2522681012.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2990000_BitLockerToGo.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Open$Enum
                                                      • String ID: ?
                                                      • API String ID: 462099255-1684325040
                                                      • Opcode ID: ac5222b44b439bea26c3e082993a72db23ae368141d56ab28abab3dbcf9b3e06
                                                      • Instruction ID: 0570fd75c398f2197212d6446afa3920220427f34379ae76475b7bd5586621fa
                                                      • Opcode Fuzzy Hash: ac5222b44b439bea26c3e082993a72db23ae368141d56ab28abab3dbcf9b3e06
                                                      • Instruction Fuzzy Hash: A7812D71951218ABEB64DB54CCA4FEAB7B9FF48700F008699E10AA7180DF716B85CFD4

                                                      Control-flow Graph (graph image not captured in text export)
                                                      APIs
                                                      • GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 029A757F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2522681012.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2990000_BitLockerToGo.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: InformationVolume
                                                      • String ID: :$C$\
                                                      • API String ID: 2039140958-3809124531
                                                      • Opcode ID: fabbab66815a012d1d0ff2c40ba79e14a283ca66605cb77d202f23af3aa7c310
                                                      • Instruction ID: 3d760448c6d272f5b11ab46e098195a6ce3d6e0f2f6f79908cdf7c54dc326655
                                                      • Opcode Fuzzy Hash: fabbab66815a012d1d0ff2c40ba79e14a283ca66605cb77d202f23af3aa7c310
                                                      • Instruction Fuzzy Hash: 494180B1D41348ABDB10DF94DC65BEEBBB8EF48704F000599E50AA7280E775AA44CFE5

                                                      Control-flow Graph (graph image not captured in text export)
                                                      APIs
                                                      • GlobalMemoryStatusEx.KERNELBASE(00000040,00000040,00000000), ref: 029A8158
                                                      • __aulldiv.LIBCMT ref: 029A8172
                                                      • __aulldiv.LIBCMT ref: 029A8180
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2522681012.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2990000_BitLockerToGo.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: __aulldiv$GlobalMemoryStatus
                                                      • String ID: @
                                                      • API String ID: 2185283323-2766056989
                                                      • Opcode ID: fba8bf388f57c7aca37ac5de4d28552f1d72794c69f9c1c43d73df80ba0992e1
                                                      • Instruction ID: 2e5c818dcc94e0f2241d81a1e4c57ec84878aca3d5b74502c13cae5796783f04
                                                      • Opcode Fuzzy Hash: fba8bf388f57c7aca37ac5de4d28552f1d72794c69f9c1c43d73df80ba0992e1
                                                      • Instruction Fuzzy Hash: 5721F9B1E44318ABEB00DFD4CC59FAEB7B8FB44B50F104519F605BB280D77969018BA5

                                                      Control-flow Graph (graph image not captured in text export)
                                                      APIs
                                                      • GlobalMemoryStatusEx.KERNELBASE(00000040,?,00000000,00000040), ref: 0299123E
                                                      • __aulldiv.LIBCMT ref: 02991258
                                                      • __aulldiv.LIBCMT ref: 02991266
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2522681012.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2990000_BitLockerToGo.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: __aulldiv$GlobalMemoryStatus
                                                      • String ID: @
                                                      • API String ID: 2185283323-2766056989
                                                      • Opcode ID: 91fbf0ce04d46ffa52cd4618d3f76c70bf4f6f1aee903683770cac1834b99ff8
                                                      • Instruction ID: 62b7e9e7c0660ce378d696d4fb9abefc0c92c7dd353eb1526fa99184e9524b13
                                                      • Opcode Fuzzy Hash: 91fbf0ce04d46ffa52cd4618d3f76c70bf4f6f1aee903683770cac1834b99ff8
                                                      • Instruction Fuzzy Hash: A3016DB0E40309BBEF10EBE4CC59B9EBB78BB44715F208448E70AB62C0D77456418B99

                                                      Control-flow Graph

                                                      APIs
                                                        • Part of subcall function 029947B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 02994849
                                                      • InternetOpenA.WININET(029B0DFE,00000001,00000000,00000000,00000000,029B0DFB), ref: 029962E1
                                                      • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 02996335
                                                      • HttpOpenRequestA.WININET(00000000,029B1A28,?,?,00000000,00000000,00400100,00000000), ref: 02996385
                                                      • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 029963D1
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2522681012.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2990000_BitLockerToGo.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Internet$HttpOpenRequest$ConnectCrackSend
                                                      • String ID:
                                                      • API String ID: 612470270-0
                                                      • Opcode ID: 02eab515b4eb4d731faf3f82df8555b88087707d0e30d41a39daaab578b44cee
                                                      • Instruction ID: b6d774df06571270db6e9186a4c1cc181e8bac5c20838d4669559c94a70f19c1
                                                      • Opcode Fuzzy Hash: 02eab515b4eb4d731faf3f82df8555b88087707d0e30d41a39daaab578b44cee
                                                      • Instruction Fuzzy Hash: E4716F71A40318ABEF14DFA4CC68BEE7779BF44700F108558E50AAB1C4DBB56A85CF91

                                                      Control-flow Graph (graph image not captured in text export)
                                                      APIs
                                                      • LoadLibraryA.KERNELBASE(?,?,029A6A00), ref: 029A9A9A
                                                      • LoadLibraryA.KERNELBASE(?,?,029A6A00), ref: 029A9AAB
                                                      • LoadLibraryA.KERNELBASE(?,?,029A6A00), ref: 029A9ACF
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2522681012.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2990000_BitLockerToGo.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: LibraryLoad
                                                      • String ID:
                                                      • API String ID: 1029625771-0
                                                      • Opcode ID: b87330d929bee50466bb1752653f2576d8486bdfd69c482d2ddba77feb5db6f9
                                                      • Instruction ID: 502090e998399276f9e7cd591c93c612bd1fde0d30c1c91316e369d5cb4cefcb
                                                      • Opcode Fuzzy Hash: b87330d929bee50466bb1752653f2576d8486bdfd69c482d2ddba77feb5db6f9
                                                      • Instruction Fuzzy Hash: 8EA16EB5EC32419FD344EFA8E5B8AD637F9F74C2817144D1AAA09C3244F73AA561CB90

                                                      Control-flow Graph

                                                      APIs
                                                      • InternetCrackUrlA.WININET(00000000,00000000), ref: 02994849
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2522681012.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2990000_BitLockerToGo.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CrackInternet
                                                      • String ID: <
                                                      • API String ID: 1381609488-4251816714
                                                      • Opcode ID: 804a31713cd55c7b0fd088c397a8dd712eee4793f8834227e94b31f7ddbce776
                                                      • Instruction ID: 36c3f681e1a6168f0ad96e0576ef1a960636fec15c7e9607cfeb186835d10ba8
                                                      • Opcode Fuzzy Hash: 804a31713cd55c7b0fd088c397a8dd712eee4793f8834227e94b31f7ddbce776
                                                      • Instruction Fuzzy Hash: 99213BB1D00219ABDF14DFA4E859BED7B75FF44320F108225E966A7280EB706A15CFD1

                                                      Control-flow Graph (graph image not captured in text export)
                                                      APIs
                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 02994FD1
                                                      • KiUserExceptionDispatcher.NTDLL(00000000,?,00000001), ref: 0299508A
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2522681012.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2990000_BitLockerToGo.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AllocateDispatcherExceptionHeapUser
                                                      • String ID:
                                                      • API String ID: 3515689010-0
                                                      • Opcode ID: f5abc1ab1f2bc569083cc32539cf96db5ecc5b3210252d9825b6d40903fd58b0
                                                      • Instruction ID: 341b8a831775629ea2ca920d2c61e1474f1694467b37d2926c5e937ce3496c22
                                                      • Opcode Fuzzy Hash: f5abc1ab1f2bc569083cc32539cf96db5ecc5b3210252d9825b6d40903fd58b0
                                                      • Instruction Fuzzy Hash: B431F3B4E40218ABDB20CF54DC95BDDB7B4EB48704F5085D9EA09A7280DB706AD5CF98

                                                      Control-flow Graph

                                                      APIs
                                                      • RegEnumKeyExA.KERNELBASE(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 029A8426
                                                      • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00020019,00000000), ref: 029A847B
                                                      • RegQueryValueExA.KERNELBASE(00000000,?,00000000,000F003F,?,00000400), ref: 029A84EC
                                                      • RegQueryValueExA.KERNELBASE(00000000,?,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,029B0B34), ref: 029A8599
                                                      • RegCloseKey.KERNELBASE(00000000), ref: 029A8608
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2522681012.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2990000_BitLockerToGo.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: QueryValue$CloseEnumOpen
                                                      • String ID:
                                                      • API String ID: 2041898428-0
                                                      • Opcode ID: c28c4e2f5ee87049655f7349e117df43133df794f97366d29991e4c4ea687873
                                                      • Instruction ID: 15f3b225c77f642b427dc9614df1371fe055da3174e11c0cc1af1be735175090
                                                      • Opcode Fuzzy Hash: c28c4e2f5ee87049655f7349e117df43133df794f97366d29991e4c4ea687873
                                                      • Instruction Fuzzy Hash: E62119B1951228ABEB24DB54DCA5FE9B3B8FB48700F00C5D8E609A7180DF716A85CFD4

                                                      Control-flow Graph (graph image not captured in text export)
                                                      APIs
                                                      • RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00020119,?), ref: 029A7E5E
                                                      • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,000000FF,000000FF), ref: 029A7E7F
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2522681012.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2990000_BitLockerToGo.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: OpenQueryValue
                                                      • String ID:
                                                      • API String ID: 4153817207-0
                                                      • Opcode ID: 27023bc099717e44f503b71cfe3867b8e2e23d810200978e5e0900e8e6a134d0
                                                      • Instruction ID: 685ffd214e2014678366c8f94fdf0840ade1d542382be30cf6c0633e2c0e706a
                                                      • Opcode Fuzzy Hash: 27023bc099717e44f503b71cfe3867b8e2e23d810200978e5e0900e8e6a134d0
                                                      • Instruction Fuzzy Hash: 52113AB1A80205ABD700DBD4D96AFEFBBB8EB44B50F104919FA05E7280E77569108BE0

                                                      Control-flow Graph (graph image not captured in text export)
                                                      APIs
                                                      • RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00020119,00000000), ref: 029A76DD
                                                      • RegQueryValueExA.KERNELBASE(00000000,?,00000000,00000000,?,000000FF), ref: 029A76FE
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2522681012.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2990000_BitLockerToGo.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: OpenQueryValue
                                                      • String ID:
                                                      • API String ID: 4153817207-0
                                                      • Opcode ID: 10c3b3c89b9357d35d7a0f9202f52f2c7db928abdcd13380eafacaf5883ad473
                                                      • Instruction ID: 26d1d0a0941ccaa5eeb8c9aa3fc24002b31335b9b3e7bfbc0cbae70c1f244ab6
                                                      • Opcode Fuzzy Hash: 10c3b3c89b9357d35d7a0f9202f52f2c7db928abdcd13380eafacaf5883ad473
                                                      • Instruction Fuzzy Hash: B601FFB5E81304BBDB00DBE4D96AFEEB7BCEB48741F104854FE05D7280E675A9148B90

                                                      Control-flow Graph (graph image not captured in text export)
                                                      APIs
                                                      • RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00020119,029A76B9), ref: 029A775B
                                                      • RegQueryValueExA.KERNELBASE(029A76B9,029B0AAC,00000000,00000000,?,000000FF), ref: 029A777A
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2522681012.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2990000_BitLockerToGo.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: OpenQueryValue
                                                      • String ID:
                                                      • API String ID: 4153817207-0
                                                      • Opcode ID: 0c7cc63df25698adb8b64ab818339782a482df3d7f65583547c4e0fd245c3831
                                                      • Instruction ID: 418d47ee0ba34a4a05cb01a4fc59799d594031c865eca0f519a1fa42cb5e0074
                                                      • Opcode Fuzzy Hash: 0c7cc63df25698adb8b64ab818339782a482df3d7f65583547c4e0fd245c3831
                                                      • Instruction Fuzzy Hash: 8E01F4B5E80308BBE700DBE4DC59FEEB7B8EB44741F104555FA05E7281E67165508B91
APIs
  • Part of subcall function 02991160: GetSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,029A6A17,029B0AEF), ref: 0299116A
  • Part of subcall function 02991110: VirtualAllocExNuma.KERNELBASE(00000000,?,?,029A6A1C), ref: 02991132
  • Part of subcall function 02991220: GlobalMemoryStatusEx.KERNELBASE(00000040,?,00000000,00000040), ref: 0299123E
  • Part of subcall function 02991220: __aulldiv.LIBCMT ref: 02991258
  • Part of subcall function 02991220: __aulldiv.LIBCMT ref: 02991266
• GetUserDefaultLCID.KERNELBASE ref: 029A6A26
  • Part of subcall function 029A7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 029A789F
  • Part of subcall function 029A78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 029A792F
Memory Dump Source
• Source File: 00000001.00000002.2522681012.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_2990000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID: NameUser__aulldiv$AllocComputerDefaultGlobalInfoMemoryNumaStatusSystemVirtual
• String ID:
• API String ID: 3178950686-0
APIs
• GetComputerNameA.KERNEL32(?,00000104), ref: 029A792F
Memory Dump Source
• Source File: 00000001.00000002.2522681012.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_2990000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID: ComputerName
• String ID:
• API String ID: 3545744682-0
APIs
• K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 029A94A5
Memory Dump Source
• Source File: 00000001.00000002.2522681012.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_2990000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID: FileModuleName
• String ID:
• API String ID: 514040917-0
APIs
• VirtualAllocExNuma.KERNELBASE(00000000,?,?,029A6A1C), ref: 02991132
Memory Dump Source
• Source File: 00000001.00000002.2522681012.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_2990000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID: AllocNumaVirtual
• String ID:
• API String ID: 4233825816-0
APIs
• GetSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,029A6A17,029B0AEF), ref: 0299116A
Memory Dump Source
• Source File: 00000001.00000002.2522681012.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_2990000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID: InfoSystem
• String ID:
• API String ID: 31276548-0
APIs
• VirtualAlloc.KERNELBASE(00000000,17C841C0,00003000,00000004,?,?,?,0299114E,?,?,029A6A1C), ref: 029910B3
Memory Dump Source
• Source File: 00000001.00000002.2522681012.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_2990000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
Memory Dump Source
• Source File: 00000001.00000002.2522681012.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_2990000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• __getptd.LIBCMT ref: 029AC74E
  • Part of subcall function 029ABF9F: __getptd_noexit.LIBCMT ref: 029ABFA2
  • Part of subcall function 029ABF9F: __amsg_exit.LIBCMT ref: 029ABFAF
• __getptd.LIBCMT ref: 029AC765
• __amsg_exit.LIBCMT ref: 029AC773
• __lock.LIBCMT ref: 029AC783
• __updatetlocinfoEx_nolock.LIBCMT ref: 029AC797
Memory Dump Source
• Source File: 00000001.00000002.2522681012.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_2990000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
• String ID:
• API String ID: 938513278-0