Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
9FvJxhtNOD.exe

Overview

General Information

Sample name:9FvJxhtNOD.exe
renamed because original name is a hash value
Original sample name:a613b8807e9e08a47a81c3b1e38a31f4.exe
Analysis ID:1541958
MD5:a613b8807e9e08a47a81c3b1e38a31f4
SHA1:bd79889bc1ce02b5a16124184c7287e74aff1b80
SHA256:3087108fae20b7a43c9a4479af8ece396217207e6de92e735d4edfe86671b067
Tags:32exe
Infos:

Detection

LummaC
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
LummaC encrypted strings found
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Yara signature match

Classification

Process Tree

  • System is w10x64
  • 9FvJxhtNOD.exe (PID: 5688 cmdline: "C:\Users\user\Desktop\9FvJxhtNOD.exe" MD5: A613B8807E9E08A47A81C3B1E38A31F4)
    • BitLockerToGo.exe (PID: 5328 cmdline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Lumma Stealer, LummaC2 StealerLumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["deepymouthi.sbs", "sidercotay.sbs", "captaitwik.sbs", "heroicmint.sbs", "wrigglesight.sbs", "ferrycheatyk.sbs", "monstourtu.sbs", "snailyeductyi.sbs"], "Build id": "7uZzAf--install"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.2317240460.000000000A2DC000.00000004.00001000.00020000.00000000.sdmpMsfpayloads_msf_9Metasploit Payloads - file msf.war - contentsFlorian Roth
  • 0x0:$x1: 4d5a9000030000000
00000000.00000003.2290697245.000000000A5AC000.00000004.00001000.00020000.00000000.sdmpMsfpayloads_msf_9Metasploit Payloads - file msf.war - contentsFlorian Roth
  • 0x0:$x1: 4d5a9000030000000
00000000.00000002.2317711192.000000000A5AC000.00000004.00001000.00020000.00000000.sdmpMsfpayloads_msf_9Metasploit Payloads - file msf.war - contentsFlorian Roth
  • 0x0:$x1: 4d5a9000030000000
decrypted.memstrJoeSecurity_LummaCStealer_2Yara detected LummaC StealerJoe Security

    Sigma Signatures

    No Sigma rule has matched

    Suricata Signatures

    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2024-10-25T11:17:25.581286+020020567501Domain Observed Used for C2 Detected192.168.2.6535941.1.1.153UDP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2024-10-25T11:17:25.516258+020020567521Domain Observed Used for C2 Detected192.168.2.6548221.1.1.153UDP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2024-10-25T11:17:25.607717+020020567541Domain Observed Used for C2 Detected192.168.2.6620101.1.1.153UDP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2024-10-25T11:17:25.557227+020020567561Domain Observed Used for C2 Detected192.168.2.6611971.1.1.153UDP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2024-10-25T11:17:25.536230+020020567601Domain Observed Used for C2 Detected192.168.2.6571811.1.1.153UDP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2024-10-25T11:17:25.569379+020020567621Domain Observed Used for C2 Detected192.168.2.6512771.1.1.153UDP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2024-10-25T11:17:25.620501+020020567641Domain Observed Used for C2 Detected192.168.2.6497961.1.1.153UDP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2024-10-25T11:17:25.592113+020020567661Domain Observed Used for C2 Detected192.168.2.6644621.1.1.153UDP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2024-10-25T11:17:27.100788+020028586661Domain Observed Used for C2 Detected192.168.2.649766104.102.49.254443TCP

    Joe Sandbox Signatures

    Click to jump to signature section

    Show All Signature Results

    AV Detection

    barindex
    Found malware configuration
    Source: 0.2.9FvJxhtNOD.exe.a3ac000.2.unpackMalware Configuration Extractor: LummaC {"C2 url": ["deepymouthi.sbs", "sidercotay.sbs", "captaitwik.sbs", "heroicmint.sbs", "wrigglesight.sbs", "ferrycheatyk.sbs", "monstourtu.sbs", "snailyeductyi.sbs"], "Build id": "7uZzAf--install"}
    Multi AV Scanner detection for submitted file
    Source: 9FvJxhtNOD.exeReversingLabs: Detection: 47%
    AI detected suspicious sample
    Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
    Sample uses string decryption to hide its real strings
    Source: 00000000.00000002.2315973740.000000000A11E000.00000004.00001000.00020000.00000000.sdmpString decryptor: snailyeductyi.sbs
    Source: 00000000.00000002.2315973740.000000000A11E000.00000004.00001000.00020000.00000000.sdmpString decryptor: ferrycheatyk.sbs
    Source: 00000000.00000002.2315973740.000000000A11E000.00000004.00001000.00020000.00000000.sdmpString decryptor: deepymouthi.sbs
    Source: 00000000.00000002.2315973740.000000000A11E000.00000004.00001000.00020000.00000000.sdmpString decryptor: wrigglesight.sbs
    Source: 00000000.00000002.2315973740.000000000A11E000.00000004.00001000.00020000.00000000.sdmpString decryptor: captaitwik.sbs
    Source: 00000000.00000002.2315973740.000000000A11E000.00000004.00001000.00020000.00000000.sdmpString decryptor: sidercotay.sbs
    Source: 00000000.00000002.2315973740.000000000A11E000.00000004.00001000.00020000.00000000.sdmpString decryptor: heroicmint.sbs
    Source: 00000000.00000002.2315973740.000000000A11E000.00000004.00001000.00020000.00000000.sdmpString decryptor: monstourtu.sbs
    Source: 00000000.00000002.2315973740.000000000A11E000.00000004.00001000.00020000.00000000.sdmpString decryptor: deepymouthi.sbs
    Source: 00000000.00000002.2315973740.000000000A11E000.00000004.00001000.00020000.00000000.sdmpString decryptor: lid=%s&j=%s&ver=4.0
    Source: 00000000.00000002.2315973740.000000000A11E000.00000004.00001000.00020000.00000000.sdmpString decryptor: TeslaBrowser/5.5
    Source: 00000000.00000002.2315973740.000000000A11E000.00000004.00001000.00020000.00000000.sdmpString decryptor: - Screen Resoluton:
    Source: 00000000.00000002.2315973740.000000000A11E000.00000004.00001000.00020000.00000000.sdmpString decryptor: - Physical Installed Memory:
    Source: 00000000.00000002.2315973740.000000000A11E000.00000004.00001000.00020000.00000000.sdmpString decryptor: Workgroup: -
    Source: 00000000.00000002.2315973740.000000000A11E000.00000004.00001000.00020000.00000000.sdmpString decryptor: 7uZzAf--install
    Source: 9FvJxhtNOD.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: unknownHTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49766 version: TLS 1.2
    Source: 9FvJxhtNOD.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Source: Binary string: BitLockerToGo.pdb source: 9FvJxhtNOD.exe, 00000000.00000002.2317240460.000000000A256000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: BitLockerToGo.pdbGCTL source: 9FvJxhtNOD.exe, 00000000.00000002.2317240460.000000000A256000.00000004.00001000.00020000.00000000.sdmp
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx esi, byte ptr [esp+eax-7Bh]2_2_00443185
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then push esi2_2_00442795
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov edx, ecx2_2_0040FA60
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov edx, ecx2_2_0041E04E
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov dword ptr [eax+ebx], 30303030h2_2_00401000
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov dword ptr [eax+ebx], 20202020h2_2_00401000
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp dword ptr [ebx+edx*8], 50DC24C7h2_2_00446020
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx edi, byte ptr [esi+ecx]2_2_00421030
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov word ptr [eax], cx2_2_00421030
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov byte ptr [edx], al2_2_00431080
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov byte ptr [ecx], al2_2_00431080
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx ecx, byte ptr [esp+eax+034236DEh]2_2_0042D08F
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then jmp dword ptr [0044ED20h]2_2_0042F0A0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp word ptr [eax+esi+02h], 0000h2_2_0042E10F
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov edx, ecx2_2_004221C0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp dword ptr [edi+esi*8], 9ABDB589h2_2_004221C0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp dword ptr [ecx+edi*8], AE6E2B0Bh2_2_004221C0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov word ptr [edi], ax2_2_004431FF
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movsx ebx, byte ptr [eax+edx]2_2_00445200
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov byte ptr [eax+ebx], 00000030h2_2_004012D5
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx ebx, byte ptr [eax+edx]2_2_00441290
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movsx ebx, byte ptr [eax+edx]2_2_00445350
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov ebx, eax2_2_0043D466
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov ebx, dword ptr [edi+04h]2_2_0042F470
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov edx, ecx2_2_00445420
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movsx ebx, byte ptr [eax+edx]2_2_00445420
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then lea ebx, dword ptr [ecx+00000080h]2_2_0041F4FE
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx edi, byte ptr [esp+eax-0000009Eh]2_2_00428480
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx eax, byte ptr [esi+ecx+2E92E42Ch]2_2_0043D51B
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx eax, byte ptr [ebp+ecx+034EAC23h]2_2_0043D51B
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov word ptr [edi], cx2_2_004116D4
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp al, 5Ch2_2_00406730
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx ebx, bx2_2_004287A9
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h2_2_00426800
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp dword ptr [edx+ecx*8], 33079CCDh2_2_00446880
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp dword ptr [esi+edx*8], B282C971h2_2_004278B9
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx esi, byte ptr [esp+eax+2EAF8980h]2_2_00421950
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov word ptr [edi], cx2_2_00421950
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx ebx, byte ptr [edx]2_2_0043A930
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov esi, dword ptr [esp+00000080h]2_2_0042CA46
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp byte ptr [esi+ebx], 00000000h2_2_0042FA50
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx ecx, byte ptr [esp+eax+74A6717Ch]2_2_00426A60
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov word ptr [eax], cx2_2_00426A60
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov edx, ecx2_2_0041EA04
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx ebp, byte ptr [esp+ecx-0082D46Ch]2_2_00424A20
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx eax, byte ptr [ebp+ecx+034EAC23h]2_2_0043DA20
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx edx, byte ptr [esp+eax+0000008Fh]2_2_0041FAC0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov byte ptr [esi], al2_2_0041FAC0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov ecx, eax2_2_0041FAC0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov edi, dword ptr [esp+04h]2_2_0041FAC0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov edx, dword ptr [ebp-24h]2_2_00427B77
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp word ptr [eax+esi+02h], 0000h2_2_0042DB00
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx edx, byte ptr [esp+ecx-5A9A692Eh]2_2_0040DCE0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx edx, byte ptr [esi+edi]2_2_00404C80
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx ecx, byte ptr [edi+eax+3F785C7Ch]2_2_00427C8A
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx edx, byte ptr [esi+ebx]2_2_00405CB0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx esi, byte ptr [esp+ecx+18h]2_2_0042BD10
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx ecx, word ptr [edi+eax]2_2_00443D80
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov word ptr [ebp+00h], 0000h2_2_0042AED0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h2_2_0041DF42
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx ebx, word ptr [esi]2_2_0043DFF4
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then jmp edx2_2_0043DFF4
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp dword ptr [edi+esi*8], 0CD14D4Eh2_2_0041EF92

    Networking

    barindex
    Suricata IDS alerts for network traffic
    Source: Network trafficSuricata IDS: 2056760 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (monstourtu .sbs) : 192.168.2.6:57181 -> 1.1.1.1:53
    Source: Network trafficSuricata IDS: 2056752 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (deepymouthi .sbs) : 192.168.2.6:54822 -> 1.1.1.1:53
    Source: Network trafficSuricata IDS: 2056764 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (snailyeductyi .sbs) : 192.168.2.6:49796 -> 1.1.1.1:53
    Source: Network trafficSuricata IDS: 2056766 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wrigglesight .sbs) : 192.168.2.6:64462 -> 1.1.1.1:53
    Source: Network trafficSuricata IDS: 2056754 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ferrycheatyk .sbs) : 192.168.2.6:62010 -> 1.1.1.1:53
    Source: Network trafficSuricata IDS: 2056756 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (heroicmint .sbs) : 192.168.2.6:61197 -> 1.1.1.1:53
    Source: Network trafficSuricata IDS: 2056762 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sidercotay .sbs) : 192.168.2.6:51277 -> 1.1.1.1:53
    Source: Network trafficSuricata IDS: 2056750 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (captaitwik .sbs) : 192.168.2.6:53594 -> 1.1.1.1:53
    Source: Network trafficSuricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.6:49766 -> 104.102.49.254:443
    C2 URLs / IPs found in malware configuration
    Source: Malware configuration extractorURLs: deepymouthi.sbs
    Source: Malware configuration extractorURLs: sidercotay.sbs
    Source: Malware configuration extractorURLs: captaitwik.sbs
    Source: Malware configuration extractorURLs: heroicmint.sbs
    Source: Malware configuration extractorURLs: wrigglesight.sbs
    Source: Malware configuration extractorURLs: ferrycheatyk.sbs
    Source: Malware configuration extractorURLs: monstourtu.sbs
    Source: Malware configuration extractorURLs: snailyeductyi.sbs
    Source: Joe Sandbox ViewIP Address: 104.102.49.254 104.102.49.254
    Source: Joe Sandbox ViewASN Name: AKAMAI-ASUS AKAMAI-ASUS
    Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
    Source: global trafficHTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: global trafficHTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
    Source: BitLockerToGo.exe, 00000002.00000002.2330623196.00000000032D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
    Source: BitLockerToGo.exe, 00000002.00000003.2329732391.00000000032C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C42cb6563c5fec8103907e3e99aebe27b; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=65d75f5af747cc5d9ef6dab2; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type26105Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveFri, 25 Oct 2024 09:17:26 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
    Source: BitLockerToGo.exe, 00000002.00000003.2329732391.00000000032C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
    Source: global trafficDNS traffic detected: DNS query: deepymouthi.sbs
    Source: global trafficDNS traffic detected: DNS query: monstourtu.sbs
    Source: global trafficDNS traffic detected: DNS query: heroicmint.sbs
    Source: global trafficDNS traffic detected: DNS query: sidercotay.sbs
    Source: global trafficDNS traffic detected: DNS query: captaitwik.sbs
    Source: global trafficDNS traffic detected: DNS query: wrigglesight.sbs
    Source: global trafficDNS traffic detected: DNS query: ferrycheatyk.sbs
    Source: global trafficDNS traffic detected: DNS query: snailyeductyi.sbs
    Source: global trafficDNS traffic detected: DNS query: steamcommunity.com
    Source: BitLockerToGo.exe, 00000002.00000003.2329732391.00000000032C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://127.0.0.1:27060
    Source: BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2330365164.000000000327C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329824428.000000000327C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2330672882.000000000331C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
    Source: BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2330365164.000000000327C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329824428.000000000327C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2330672882.000000000331C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://store.steampowered.com/privacy_agreement/
    Source: BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2330365164.000000000327C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329824428.000000000327C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2330672882.000000000331C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://store.steampowered.com/subscriber_agreement/
    Source: BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.valvesoftware.com/legal.htm
    Source: BitLockerToGo.exe, 00000002.00000003.2329732391.00000000032C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.steampowered.com/
    Source: BitLockerToGo.exe, 00000002.00000003.2329732391.00000000032C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://broadcast.st.dl.eccdnx.com
    Source: BitLockerToGo.exe, 00000002.00000003.2329732391.00000000032C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/
    Source: BitLockerToGo.exe, 00000002.00000003.2329732391.00000000032C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://checkout.steampowered.com/
    Source: BitLockerToGo.exe, 00000002.00000003.2329732391.00000000032C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/
    Source: BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2330365164.000000000327C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329824428.000000000327C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2330672882.000000000331C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/applications/community/main.css?v=ljhW-PbGuX
    Source: BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/globalv2.css?v=pwVcIAtHNXwg&l=english&am
    Source: BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/fatalerror.css?v=wctRWaBvNt2z&l=e
    Source: BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/header.css?v=vh4BMeDcNiCU&l=engli
    Source: BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2330365164.000000000327C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329824428.000000000327C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2330672882.000000000331C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
    Source: BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2330365164.000000000327C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329824428.000000000327C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2330672882.000000000331C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28b
    Source: BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2330365164.000000000327C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329824428.000000000327C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2330672882.000000000331C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/main.js?v=W9BX
    Source: BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2330365164.000000000327C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329824428.000000000327C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2330672882.000000000331C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=
    Source: BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/global.js?v=bOP7RorZq4_W&l=englis
    Source: BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC&
    Source: BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw&
    Source: BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpE
    Source: BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=tuNiaSwXwcYT&l=engl
    Source: BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=GfSjbGKcNYaQ&l=
    Source: BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=Ff_1prscqzeu&
    Source: BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=eghn9DNyCY67&
    Source: BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
    Source: BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png
    Source: BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.p
    Source: BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
    Source: BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1
    Source: BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=wJD9maDpDcV
    Source: BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v
    Source: BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0&amp
    Source: BitLockerToGo.exe, 00000002.00000003.2329732391.00000000032A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329540124.00000000032A2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2330459394.00000000032A5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ferrycheatyk.sbs/api&
    Source: BitLockerToGo.exe, 00000002.00000003.2329732391.00000000032C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.steampowered.com/
    Source: BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.steampowered.com/en/
    Source: 9FvJxhtNOD.exeString found in binary or memory: https://login.microsoftonline.com/expected
    Source: 9FvJxhtNOD.exeString found in binary or memory: https://login.microsoftonline.us/tls:
    Source: BitLockerToGo.exe, 00000002.00000003.2329732391.00000000032C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.steampowered.com/
    Source: BitLockerToGo.exe, 00000002.00000003.2329732391.00000000032C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lv.queniujq.cn
    Source: BitLockerToGo.exe, 00000002.00000003.2329732391.00000000032C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://medal.tv
    Source: BitLockerToGo.exe, 00000002.00000003.2329732391.00000000032C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://player.vimeo.com
    Source: BitLockerToGo.exe, 00000002.00000003.2329732391.00000000032C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://recaptcha.net
    Source: BitLockerToGo.exe, 00000002.00000003.2329732391.00000000032C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://recaptcha.net/recaptcha/;
    Source: BitLockerToGo.exe, 00000002.00000003.2329732391.00000000032C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://s.ytimg.com;
    Source: BitLockerToGo.exe, 00000002.00000003.2329732391.00000000032C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sketchfab.com
    Source: BitLockerToGo.exe, 00000002.00000003.2329732391.00000000032C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steam.tv/
    Source: BitLockerToGo.exe, 00000002.00000003.2329732391.00000000032C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcast-test.akamaized.net
    Source: BitLockerToGo.exe, 00000002.00000003.2329732391.00000000032C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcast.akamaized.net
    Source: BitLockerToGo.exe, 00000002.00000003.2329732391.00000000032C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcastchat.akamaized.net
    Source: BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2330365164.000000000327C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329824428.000000000327C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2330672882.000000000331C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com
    Source: BitLockerToGo.exe, 00000002.00000003.2329732391.00000000032C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/
    Source: BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
    Source: BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/discussions/
    Source: BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2330365164.000000000327C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329824428.000000000327C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2330672882.000000000331C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
    Source: BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
    Source: BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/market/
    Source: BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/my/wishlist/
    Source: BitLockerToGo.exe, 00000002.00000003.2329732391.00000000032A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329540124.00000000032A2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2330459394.00000000032A5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
    Source: BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/v
    Source: BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/workshop/
    Source: BitLockerToGo.exe, 00000002.00000003.2329732391.00000000032C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/
    Source: BitLockerToGo.exe, 00000002.00000003.2329702934.00000000032D8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329540124.00000000032C9000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2330459394.00000000032C9000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2330623196.00000000032D8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329732391.00000000032C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/;
    Source: BitLockerToGo.exe, 00000002.00000003.2329540124.00000000032C9000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2330459394.00000000032C9000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329732391.00000000032C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C42cb6563c5fec81
    Source: BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/about/
    Source: BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/explore/
    Source: BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2330365164.000000000327C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329824428.000000000327C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2330672882.000000000331C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/legal/
    Source: BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/mobile
    Source: BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/news/
    Source: BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/points/shop/
    Source: BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/privacy_agreement/
    Source: BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/stats/
    Source: BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/steam_refunds/
    Source: BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/subscriber_agreement/
    Source: BitLockerToGo.exe, 00000002.00000003.2329732391.00000000032C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
    Source: BitLockerToGo.exe, 00000002.00000003.2329732391.00000000032C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/recaptcha/
    Source: BitLockerToGo.exe, 00000002.00000003.2329732391.00000000032C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.cn/recaptcha/
    Source: BitLockerToGo.exe, 00000002.00000003.2329732391.00000000032C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/recaptcha/
    Source: BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329540124.0000000003287000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
    Source: BitLockerToGo.exe, 00000002.00000003.2329732391.00000000032C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com
    Source: BitLockerToGo.exe, 00000002.00000003.2329732391.00000000032C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49766
    Source: unknownNetwork traffic detected: HTTP traffic on port 49766 -> 443
    Source: unknownHTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49766 version: TLS 1.2
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_00438370 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,2_2_00438370
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_00438370 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,2_2_00438370
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_00438560 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,2_2_00438560

    System Summary

    barindex
    Malicious sample detected (through community Yara rule)
    Source: 00000000.00000002.2317240460.000000000A2DC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
    Source: 00000000.00000003.2290697245.000000000A5AC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
    Source: 00000000.00000002.2317711192.000000000A5AC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0040F3E02_2_0040F3E0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0040E4522_2_0040E452
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0040FA602_2_0040FA60
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0041E04E2_2_0041E04E
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0040B0602_2_0040B060
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004400702_2_00440070
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004010002_2_00401000
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0040C0002_2_0040C000
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004210302_2_00421030
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004450302_2_00445030
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0042D0EA2_2_0042D0EA
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004310802_2_00431080
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0041D0902_2_0041D090
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004301502_2_00430150
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004441002_2_00444100
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004381202_2_00438120
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004221C02_2_004221C0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004181AC2_2_004181AC
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004351B32_2_004351B3
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004452002_2_00445200
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004012D52_2_004012D5
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0041328F2_2_0041328F
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0043C2962_2_0043C296
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004453502_2_00445350
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004103702_2_00410370
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004463202_2_00446320
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004013282_2_00401328
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004473D02_2_004473D0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004073E02_2_004073E0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0042A39D2_2_0042A39D
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004054502_2_00405450
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0040A4502_2_0040A450
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004454202_2_00445420
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004324C02_2_004324C0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004234E02_2_004234E0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0040B4F02_2_0040B4F0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0041F4FE2_2_0041F4FE
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004324902_2_00432490
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004415502_2_00441550
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0043D51B2_2_0043D51B
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0042D5EC2_2_0042D5EC
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004445F02_2_004445F0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0041959B2_2_0041959B
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0043C6502_2_0043C650
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0041D63C2_2_0041D63C
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004116D42_2_004116D4
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004436D82_2_004436D8
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004166F92_2_004166F9
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004087B02_2_004087B0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0042B8702_2_0042B870
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0042887E2_2_0042887E
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004038E02_2_004038E0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004468802_2_00446880
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0043C8B02_2_0043C8B0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004278B92_2_004278B9
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0040D9202_2_0040D920
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0040A9C02_2_0040A9C0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004349EB2_2_004349EB
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0042FA502_2_0042FA50
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_00440A102_2_00440A10
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0043DA202_2_0043DA20
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_00410A252_2_00410A25
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0041FAC02_2_0041FAC0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0042EAC62_2_0042EAC6
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_00422A902_2_00422A90
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0042CB672_2_0042CB67
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0042DB002_2_0042DB00
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0043FB102_2_0043FB10
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_00409BDF2_2_00409BDF
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_00431C492_2_00431C49
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_00446C302_2_00446C30
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0040DCE02_2_0040DCE0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0043BCB72_2_0043BCB7
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0042BD102_2_0042BD10
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_00434D1D2_2_00434D1D
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_00422DC02_2_00422DC0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_00409DC32_2_00409DC3
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_00407DE02_2_00407DE0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_00433E192_2_00433E19
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_00415E312_2_00415E31
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0040CE302_2_0040CE30
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_00409CE02_2_00409CE0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0042AED02_2_0042AED0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0042BEF12_2_0042BEF1
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0040EE902_2_0040EE90
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0043CF502_2_0043CF50
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_00427F022_2_00427F02
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_00446FC02_2_00446FC0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0043DFF42_2_0043DFF4
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0041EF922_2_0041EF92
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0042DFB22_2_0042DFB2
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: String function: 0040CB30 appears 62 times
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: String function: 0041CBE0 appears 184 times
    Source: 9FvJxhtNOD.exe, 00000000.00000000.2187791309.0000000001959000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFileName vs 9FvJxhtNOD.exe
    Source: 9FvJxhtNOD.exe, 00000000.00000002.2317240460.000000000A256000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs 9FvJxhtNOD.exe
    Source: 9FvJxhtNOD.exeBinary or memory string: OriginalFileName vs 9FvJxhtNOD.exe
    Source: 9FvJxhtNOD.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: 00000000.00000002.2317240460.000000000A2DC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
    Source: 00000000.00000003.2290697245.000000000A5AC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
    Source: 00000000.00000002.2317711192.000000000A5AC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
    Source: classification engineClassification label: mal100.troj.evad.winEXE@3/0@9/1
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0043D2E0 CoCreateInstance,2_2_0043D2E0
    Source: 9FvJxhtNOD.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\9FvJxhtNOD.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: 9FvJxhtNOD.exeReversingLabs: Detection: 47%
    Source: BitLockerToGo.exeString found in binary or memory: 7uZzAf--install
    Source: 9FvJxhtNOD.exeString found in binary or memory: net/addrselect.go
    Source: 9FvJxhtNOD.exeString found in binary or memory: github.com/saferwall/pe@v1.5.4/loadconfig.go
    Source: C:\Users\user\Desktop\9FvJxhtNOD.exeFile read: C:\Users\user\Desktop\9FvJxhtNOD.exeJump to behavior
    Source: unknownProcess created: C:\Users\user\Desktop\9FvJxhtNOD.exe "C:\Users\user\Desktop\9FvJxhtNOD.exe"
    Source: C:\Users\user\Desktop\9FvJxhtNOD.exeProcess created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
    Source: C:\Users\user\Desktop\9FvJxhtNOD.exeProcess created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"Jump to behavior
    Source: C:\Users\user\Desktop\9FvJxhtNOD.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Users\user\Desktop\9FvJxhtNOD.exeSection loaded: winmm.dllJump to behavior
    Source: C:\Users\user\Desktop\9FvJxhtNOD.exeSection loaded: powrprof.dllJump to behavior
    Source: C:\Users\user\Desktop\9FvJxhtNOD.exeSection loaded: umpdc.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: winhttp.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: webio.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: mswsock.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: winnsi.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: dnsapi.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: rasadhlp.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: fwpuclnt.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: schannel.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: mskeyprotect.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ntasn1.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ncrypt.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ncryptsslp.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: cryptsp.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: rsaenh.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: gpapi.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: dpapi.dllJump to behavior
    Source: 9FvJxhtNOD.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
    Source: 9FvJxhtNOD.exeStatic file information: File size 10662912 > 1048576
    Source: 9FvJxhtNOD.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x4cc800
    Source: 9FvJxhtNOD.exeStatic PE information: Raw size of .rdata is bigger than: 0x100000 < 0x4c3400
    Source: 9FvJxhtNOD.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Source: Binary string: BitLockerToGo.pdb source: 9FvJxhtNOD.exe, 00000000.00000002.2317240460.000000000A256000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: BitLockerToGo.pdbGCTL source: 9FvJxhtNOD.exe, 00000000.00000002.2317240460.000000000A256000.00000004.00001000.00020000.00000000.sdmp
    Source: 9FvJxhtNOD.exeStatic PE information: section name: .symtab
    Source: C:\Users\user\Desktop\9FvJxhtNOD.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 5036Thread sleep time: -30000s >= -30000sJump to behavior
    Source: BitLockerToGo.exe, 00000002.00000003.2329540124.00000000032C9000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2330459394.00000000032C9000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329732391.00000000032C9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
    Source: BitLockerToGo.exe, 00000002.00000002.2330365164.000000000327C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329824428.000000000327C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW`
    Source: 9FvJxhtNOD.exe, 00000000.00000002.2313979045.0000000000B12000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004427E0 LdrInitializeThunk,2_2_004427E0

    HIPS / PFW / Operating System Protection Evasion

    barindex
    Allocates memory in foreign processes
    Source: C:\Users\user\Desktop\9FvJxhtNOD.exeMemory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 protect: page execute and read and writeJump to behavior
    Injects a PE file into a foreign processes
    Source: C:\Users\user\Desktop\9FvJxhtNOD.exeMemory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 value starts with: 4D5AJump to behavior
    LummaC encrypted strings found
    Source: 9FvJxhtNOD.exe, 00000000.00000003.2290697245.000000000A402000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: snailyeductyi.sbs
    Source: 9FvJxhtNOD.exe, 00000000.00000003.2290697245.000000000A402000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: ferrycheatyk.sbs
    Source: 9FvJxhtNOD.exe, 00000000.00000003.2290697245.000000000A402000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: deepymouthi.sbs
    Source: 9FvJxhtNOD.exe, 00000000.00000003.2290697245.000000000A402000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: wrigglesight.sbs
    Source: 9FvJxhtNOD.exe, 00000000.00000003.2290697245.000000000A402000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: captaitwik.sbs
    Source: 9FvJxhtNOD.exe, 00000000.00000003.2290697245.000000000A402000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: sidercotay.sbs
    Source: 9FvJxhtNOD.exe, 00000000.00000003.2290697245.000000000A402000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: heroicmint.sbs
    Source: 9FvJxhtNOD.exe, 00000000.00000003.2290697245.000000000A402000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: monstourtu.sbs
    Writes to foreign memory regions
    Source: C:\Users\user\Desktop\9FvJxhtNOD.exeMemory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2EE5008Jump to behavior
    Source: C:\Users\user\Desktop\9FvJxhtNOD.exeMemory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000Jump to behavior
    Source: C:\Users\user\Desktop\9FvJxhtNOD.exeMemory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 401000Jump to behavior
    Source: C:\Users\user\Desktop\9FvJxhtNOD.exeMemory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 448000Jump to behavior
    Source: C:\Users\user\Desktop\9FvJxhtNOD.exeMemory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 44B000Jump to behavior
    Source: C:\Users\user\Desktop\9FvJxhtNOD.exeMemory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 45B000Jump to behavior
    Source: C:\Users\user\Desktop\9FvJxhtNOD.exeProcess created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"Jump to behavior
    Source: C:\Users\user\Desktop\9FvJxhtNOD.exeQueries volume information: C:\Users\user\Desktop\9FvJxhtNOD.exe VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\9FvJxhtNOD.exeQueries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\9FvJxhtNOD.exeQueries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformationJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

    Stealing of Sensitive Information

    barindex
    Yara detected LummaC Stealer
    Source: Yara matchFile source: decrypted.memstr, type: MEMORYSTR

    Remote Access Functionality

    barindex
    Yara detected LummaC Stealer
    Source: Yara matchFile source: decrypted.memstr, type: MEMORYSTR

    Mitre Att&ck Matrix

    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
    Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
    Command and Scripting Interpreter    		1
    DLL Side-Loading    		311
    Process Injection    		1
    Virtualization/Sandbox Evasion    		OS Credential Dumping1
    Security Software Discovery    		Remote Services1
    Screen Capture    		11
    Encrypted Channel    		Exfiltration Over Other Network MediumAbuse Accessibility Features
    CredentialsDomainsDefault Accounts1
    PowerShell    		Boot or Logon Initialization Scripts1
    DLL Side-Loading    		311
    Process Injection    		LSASS Memory1
    Virtualization/Sandbox Evasion    		Remote Desktop Protocol1
    Archive Collected Data    		1
    Ingress Tool Transfer    		Exfiltration Over BluetoothNetwork Denial of Service
    Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)11
    Deobfuscate/Decode Files or Information    		Security Account Manager12
    System Information Discovery    		SMB/Windows Admin Shares2
    Clipboard Data    		2
    Non-Application Layer Protocol    		Automated ExfiltrationData Encrypted for Impact
    Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook2
    Obfuscated Files or Information    		NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput Capture113
    Application Layer Protocol    		Traffic DuplicationData Destruction
    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
    DLL Side-Loading    		LSA SecretsInternet Connection DiscoverySSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


    windows-stand

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    SourceDetectionScannerLabelLink
    9FvJxhtNOD.exe47%ReversingLabsWin32.Spyware.Lummastealer

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    SourceDetectionScannerLabelLink
    https://player.vimeo.com0%URL Reputationsafe
    https://help.steampowered.com/en/0%URL Reputationsafe
    https://store.steampowered.com/news/0%URL Reputationsafe
    https://store.steampowered.com/subscriber_agreement/0%URL Reputationsafe
    https://www.gstatic.cn/recaptcha/0%URL Reputationsafe
    http://store.steampowered.com/subscriber_agreement/0%URL Reputationsafe
    https://recaptcha.net/recaptcha/;0%URL Reputationsafe
    http://www.valvesoftware.com/legal.htm0%URL Reputationsafe
    https://store.steampowered.com/stats/0%URL Reputationsafe
    https://medal.tv0%URL Reputationsafe
    https://broadcast.st.dl.eccdnx.com0%URL Reputationsafe
    https://store.steampowered.com/steam_refunds/0%URL Reputationsafe
    https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback0%URL Reputationsafe
    https://login.steampowered.com/0%URL Reputationsafe
    https://store.steampowered.com/legal/0%URL Reputationsafe
    https://steam.tv/0%URL Reputationsafe
    http://store.steampowered.com/privacy_agreement/0%URL Reputationsafe
    https://store.steampowered.com/points/shop/0%URL Reputationsafe
    https://recaptcha.net0%URL Reputationsafe
    https://store.steampowered.com/0%URL Reputationsafe
    https://lv.queniujq.cn0%URL Reputationsafe
    https://store.steampowered.com/privacy_agreement/0%URL Reputationsafe
    https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png0%URL Reputationsafe
    https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=9620160%URL Reputationsafe
    https://checkout.steampowered.com/0%URL Reputationsafe
    https://help.steampowered.com/0%URL Reputationsafe
    https://api.steampowered.com/0%URL Reputationsafe
    http://store.steampowered.com/account/cookiepreferences/0%URL Reputationsafe
    https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png0%URL Reputationsafe
    https://store.steampowered.com/mobile0%URL Reputationsafe
    https://store.steampowered.com/;0%URL Reputationsafe
    https://store.steampowered.com/about/0%URL Reputationsafe

    Domains and IPs

    Contacted Domains

    NameIPActiveMaliciousAntivirus DetectionReputation
    steamcommunity.com
    		104.102.49.254
    		truetrue
      		unknown
      wrigglesight.sbs
      		unknown
      		unknowntrue
        		unknown
        ferrycheatyk.sbs
        		unknown
        		unknowntrue
          		unknown
          deepymouthi.sbs
          		unknown
          		unknowntrue
            		unknown
            monstourtu.sbs
            		unknown
            		unknowntrue
              		unknown
              captaitwik.sbs
              		unknown
              		unknowntrue
                		unknown
                snailyeductyi.sbs
                		unknown
                		unknowntrue
                  		unknown
                  heroicmint.sbs
                  		unknown
                  		unknowntrue
                    		unknown
                    sidercotay.sbs
                    		unknown
                    		unknowntrue
                      		unknown

                      Contacted URLs

                      NameMaliciousAntivirus DetectionReputation
                      wrigglesight.sbstrue
                        		unknown
                        heroicmint.sbstrue
                          		unknown
                          monstourtu.sbstrue
                            		unknown
                            snailyeductyi.sbstrue
                              		unknown
                              ferrycheatyk.sbstrue
                                		unknown
                                https://steamcommunity.com/profiles/76561199724331900true
                                  		unknown
                                  deepymouthi.sbstrue
                                    		unknown
                                    captaitwik.sbstrue
                                      		unknown
                                      sidercotay.sbstrue
                                        		unknown

                                        URLs from Memory and Binaries

                                        NameSourceMaliciousAntivirus DetectionReputation
                                        https://steamcommunity.com/my/wishlist/BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpfalse
                                          		unknown
                                          https://player.vimeo.comBitLockerToGo.exe, 00000002.00000003.2329732391.00000000032C9000.00000004.00000020.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          https://community.cloudflare.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC&BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpfalse
                                            		unknown
                                            https://steamcommunity.com/?subsection=broadcastsBitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpfalse
                                              		unknown
                                              https://help.steampowered.com/en/BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=wJD9maDpDcVBitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpfalse
                                                		unknown
                                                https://steamcommunity.com/market/BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  		unknown
                                                  https://store.steampowered.com/news/BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  		unknown
                                                  https://store.steampowered.com/subscriber_agreement/BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  		unknown
                                                  https://www.gstatic.cn/recaptcha/BitLockerToGo.exe, 00000002.00000003.2329732391.00000000032C9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  		unknown
                                                  http://store.steampowered.com/subscriber_agreement/BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2330365164.000000000327C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329824428.000000000327C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2330672882.000000000331C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  		unknown
                                                  https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2330365164.000000000327C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329824428.000000000327C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2330672882.000000000331C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    		unknown
                                                    https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.orgBitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2330365164.000000000327C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329824428.000000000327C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2330672882.000000000331C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      		unknown
                                                      https://community.cloudflare.steamstatic.com/public/css/applications/community/main.css?v=ljhW-PbGuXBitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2330365164.000000000327C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329824428.000000000327C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2330672882.000000000331C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        		unknown
                                                        https://recaptcha.net/recaptcha/;BitLockerToGo.exe, 00000002.00000003.2329732391.00000000032C9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        		unknown
                                                        https://community.cloudflare.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEBitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          		unknown
                                                          http://www.valvesoftware.com/legal.htmBitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          		unknown
                                                          https://steamcommunity.com/discussions/BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            		unknown
                                                            https://www.youtube.comBitLockerToGo.exe, 00000002.00000003.2329732391.00000000032C9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              		unknown
                                                              https://www.google.comBitLockerToGo.exe, 00000002.00000003.2329732391.00000000032C9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                		unknown
                                                                https://store.steampowered.com/stats/BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                • URL Reputation: safe
                                                                		unknown
                                                                https://community.cloudflare.steamstatic.com/public/javascript/global.js?v=bOP7RorZq4_W&amp;l=englisBitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  		unknown
                                                                  https://medal.tvBitLockerToGo.exe, 00000002.00000003.2329732391.00000000032C9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  		unknown
                                                                  https://broadcast.st.dl.eccdnx.comBitLockerToGo.exe, 00000002.00000003.2329732391.00000000032C9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  		unknown
                                                                  https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0&ampBitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    		unknown
                                                                    https://store.steampowered.com/steam_refunds/BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    		unknown
                                                                    https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?vBitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      		unknown
                                                                      https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.pBitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        		unknown
                                                                        https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20FeedbackBitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329540124.0000000003287000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        • URL Reputation: safe
                                                                        		unknown
                                                                        https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          		unknown
                                                                          https://community.cloudflare.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            		unknown
                                                                            https://s.ytimg.com;BitLockerToGo.exe, 00000002.00000003.2329732391.00000000032C9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              		unknown
                                                                              https://steamcommunity.com/workshop/BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                		unknown
                                                                                https://login.steampowered.com/BitLockerToGo.exe, 00000002.00000003.2329732391.00000000032C9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                • URL Reputation: safe
                                                                                		unknown
                                                                                https://store.steampowered.com/legal/BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2330365164.000000000327C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329824428.000000000327C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2330672882.000000000331C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                • URL Reputation: safe
                                                                                		unknown
                                                                                https://steam.tv/BitLockerToGo.exe, 00000002.00000003.2329732391.00000000032C9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                • URL Reputation: safe
                                                                                		unknown
                                                                                https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=tuNiaSwXwcYT&amp;l=englBitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  		unknown
                                                                                  https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=GfSjbGKcNYaQ&amp;l=BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    		unknown
                                                                                    https://community.cloudflare.steamstatic.com/public/javascript/applications/community/main.js?v=W9BXBitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2330365164.000000000327C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329824428.000000000327C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2330672882.000000000331C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      		unknown
                                                                                      https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw&amp;BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        		unknown
                                                                                        https://community.cloudflare.steamstatic.com/public/css/globalv2.css?v=pwVcIAtHNXwg&amp;l=english&amBitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          		unknown
                                                                                          http://store.steampowered.com/privacy_agreement/BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2330365164.000000000327C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329824428.000000000327C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2330672882.000000000331C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          • URL Reputation: safe
                                                                                          		unknown
                                                                                          https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=eghn9DNyCY67&BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            		unknown
                                                                                            https://community.cloudflare.steamstatic.com/public/css/skin_1/header.css?v=vh4BMeDcNiCU&amp;l=engliBitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              		unknown
                                                                                              https://store.steampowered.com/points/shop/BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              • URL Reputation: safe
                                                                                              		unknown
                                                                                              https://recaptcha.netBitLockerToGo.exe, 00000002.00000003.2329732391.00000000032C9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              • URL Reputation: safe
                                                                                              		unknown
                                                                                              https://store.steampowered.com/BitLockerToGo.exe, 00000002.00000003.2329732391.00000000032C9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              • URL Reputation: safe
                                                                                              		unknown
                                                                                              https://community.cloudflare.steamstatic.com/public/css/skin_1/fatalerror.css?v=wctRWaBvNt2z&amp;l=eBitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                		unknown
                                                                                                https://steamcommunity.comBitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2330365164.000000000327C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329824428.000000000327C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2330672882.000000000331C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  		unknown
                                                                                                  https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=Ff_1prscqzeu&amp;BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    		unknown
                                                                                                    https://sketchfab.comBitLockerToGo.exe, 00000002.00000003.2329732391.00000000032C9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      		unknown
                                                                                                      https://lv.queniujq.cnBitLockerToGo.exe, 00000002.00000003.2329732391.00000000032C9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      • URL Reputation: safe
                                                                                                      		unknown
                                                                                                      https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C42cb6563c5fec81BitLockerToGo.exe, 00000002.00000003.2329540124.00000000032C9000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2330459394.00000000032C9000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329732391.00000000032C9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        		unknown
                                                                                                        https://www.youtube.com/BitLockerToGo.exe, 00000002.00000003.2329732391.00000000032C9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          		unknown
                                                                                                          http://127.0.0.1:27060BitLockerToGo.exe, 00000002.00000003.2329732391.00000000032C9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            		unknown
                                                                                                            https://store.steampowered.com/privacy_agreement/BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            • URL Reputation: safe
                                                                                                            		unknown
                                                                                                            https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/BitLockerToGo.exe, 00000002.00000003.2329732391.00000000032C9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              		unknown
                                                                                                              https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.pngBitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              • URL Reputation: safe
                                                                                                              		unknown
                                                                                                              https://ferrycheatyk.sbs/api&BitLockerToGo.exe, 00000002.00000003.2329732391.00000000032A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329540124.00000000032A2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2330459394.00000000032A5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                		unknown
                                                                                                                https://community.cloudflare.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2330365164.000000000327C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329824428.000000000327C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2330672882.000000000331C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  		unknown
                                                                                                                  https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  • URL Reputation: safe
                                                                                                                  		unknown
                                                                                                                  https://www.google.com/recaptcha/BitLockerToGo.exe, 00000002.00000003.2329732391.00000000032C9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    		unknown
                                                                                                                    https://checkout.steampowered.com/BitLockerToGo.exe, 00000002.00000003.2329732391.00000000032C9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    • URL Reputation: safe
                                                                                                                    		unknown
                                                                                                                    https://login.microsoftonline.us/tls:9FvJxhtNOD.exefalse
                                                                                                                      		unknown
                                                                                                                      https://help.steampowered.com/BitLockerToGo.exe, 00000002.00000003.2329732391.00000000032C9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      • URL Reputation: safe
                                                                                                                      		unknown
                                                                                                                      https://api.steampowered.com/BitLockerToGo.exe, 00000002.00000003.2329732391.00000000032C9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      • URL Reputation: safe
                                                                                                                      		unknown
                                                                                                                      https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28bBitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2330365164.000000000327C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329824428.000000000327C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2330672882.000000000331C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        		unknown
                                                                                                                        http://store.steampowered.com/account/cookiepreferences/BitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2330365164.000000000327C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329824428.000000000327C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2330672882.000000000331C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        • URL Reputation: safe
                                                                                                                        		unknown
                                                                                                                        https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.pngBitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        • URL Reputation: safe
                                                                                                                        		unknown
                                                                                                                        https://store.steampowered.com/mobileBitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        • URL Reputation: safe
                                                                                                                        		unknown
                                                                                                                        https://steamcommunity.com/BitLockerToGo.exe, 00000002.00000003.2329732391.00000000032C9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                          		unknown
                                                                                                                          https://steamcommunity.com/vBitLockerToGo.exe, 00000002.00000003.2329500911.0000000003309000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            		unknown
                                                                                                                            https://store.steampowered.com/;BitLockerToGo.exe, 00000002.00000003.2329702934.00000000032D8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329540124.00000000032C9000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2330459394.00000000032C9000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2330623196.00000000032D8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2329732391.00000000032C9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            • URL Reputation: safe
                                                                                                                            		unknown
                                                                                                                            https://store.steampowered.com/about/BitLockerToGo.exe, 00000002.00000003.2329799652.0000000003316000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            • URL Reputation: safe
                                                                                                                            		unknown
                                                                                                                            https://community.cloudflare.steamstatic.com/BitLockerToGo.exe, 00000002.00000003.2329732391.00000000032C9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              		unknown

                                                                                                                              World Map of Contacted IPs

                                                                                                                              • No. of IPs < 25%
                                                                                                                              • 25% < No. of IPs < 50%
                                                                                                                              • 50% < No. of IPs < 75%
                                                                                                                              • 75% < No. of IPs

                                                                                                                              Public IPs

                                                                                                                              IPDomainCountryFlagASNASN NameMalicious
                                                                                                                              104.102.49.254
                                                                                                                              		steamcommunity.comUnited States
                                                                                                                              		16625AKAMAI-ASUStrue

                                                                                                                              General Information

                                                                                                                              Joe Sandbox version:41.0.0 Charoite
                                                                                                                              Analysis ID:1541958
                                                                                                                              Start date and time:2024-10-25 11:16:12 +02:00
                                                                                                                              Joe Sandbox product:CloudBasic
                                                                                                                              Overall analysis duration:0h 5m 18s
                                                                                                                              Hypervisor based Inspection enabled:false
                                                                                                                              Report type:full
                                                                                                                              Cookbook file name:default.jbs
                                                                                                                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                                              Number of analysed new started processes analysed:11
                                                                                                                              Number of new started drivers analysed:0
                                                                                                                              Number of existing processes analysed:0
                                                                                                                              Number of existing drivers analysed:0
                                                                                                                              Number of injected processes analysed:0
                                                                                                                              Technologies:
                                                                                                                              • HCA enabled
                                                                                                                              • EGA enabled
                                                                                                                              • AMSI enabled
                                                                                                                              Analysis Mode:default
                                                                                                                              Analysis stop reason:Timeout
                                                                                                                              Sample name:9FvJxhtNOD.exe
                                                                                                                              renamed because original name is a hash value
                                                                                                                              Original Sample Name:a613b8807e9e08a47a81c3b1e38a31f4.exe
                                                                                                                              Detection:MAL
                                                                                                                              Classification:mal100.troj.evad.winEXE@3/0@9/1
                                                                                                                              EGA Information:
                                                                                                                              • Successful, ratio: 50%
                                                                                                                              HCA Information:
                                                                                                                              • Successful, ratio: 86%
                                                                                                                              • Number of executed functions: 8
                                                                                                                              • Number of non-executed functions: 123
                                                                                                                              Cookbook Comments:
                                                                                                                              • Found application associated with file extension: .exe

                                                                                                                              Warnings

                                                                                                                              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
                                                                                                                              • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                                                                              • Execution Graph export aborted for target 9FvJxhtNOD.exe, PID 5688 because there are no executed function
                                                                                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                              • VT rate limit hit for: 9FvJxhtNOD.exe

                                                                                                                              Simulations

                                                                                                                              Behavior and APIs

                                                                                                                              TimeTypeDescription
                                                                                                                              05:17:24API Interceptor2x Sleep call for process: BitLockerToGo.exe modified

                                                                                                                              Joe Sandbox View / Context

                                                                                                                              IPs

                                                                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                              104.102.49.254http://gtm-cn-j4g3qqvf603.steamproxy1.com/Get hashmaliciousUnknownBrowse
                                                                                                                              • www.valvesoftware.com/legal.htm

                                                                                                                              Domains

                                                                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                              steamcommunity.comfile.exeGet hashmaliciousLummaCBrowse
                                                                                                                              • 104.102.49.254
                                                                                                                              file.exeGet hashmaliciousLummaCBrowse
                                                                                                                              • 104.102.49.254
                                                                                                                              file.exeGet hashmaliciousLummaCBrowse
                                                                                                                              • 104.102.49.254
                                                                                                                              file.exeGet hashmaliciousLummaCBrowse
                                                                                                                              • 104.102.49.254
                                                                                                                              file.exeGet hashmaliciousLummaCBrowse
                                                                                                                              • 104.102.49.254
                                                                                                                              file.exeGet hashmaliciousLummaCBrowse
                                                                                                                              • 104.102.49.254
                                                                                                                              file.exeGet hashmaliciousLummaCBrowse
                                                                                                                              • 104.102.49.254
                                                                                                                              file.exeGet hashmaliciousLummaCBrowse
                                                                                                                              • 104.102.49.254
                                                                                                                              file.exeGet hashmaliciousLummaCBrowse
                                                                                                                              • 104.102.49.254
                                                                                                                              file.exeGet hashmaliciousLummaCBrowse
                                                                                                                              • 104.102.49.254

                                                                                                                              ASNs

                                                                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                              AKAMAI-ASUSla.bot.sparc.elfGet hashmaliciousUnknownBrowse
                                                                                                                              • 184.50.112.86
                                                                                                                              la.bot.m68k.elfGet hashmaliciousUnknownBrowse
                                                                                                                              • 104.119.207.229
                                                                                                                              file.exeGet hashmaliciousLummaCBrowse
                                                                                                                              • 104.102.49.254
                                                                                                                              K3Kvd8JYGV.elfGet hashmaliciousUnknownBrowse
                                                                                                                              • 104.118.46.106
                                                                                                                              file.exeGet hashmaliciousLummaCBrowse
                                                                                                                              • 104.102.49.254
                                                                                                                              8DKuAcmAMT.elfGet hashmaliciousUnknownBrowse
                                                                                                                              • 23.45.0.112
                                                                                                                              file.exeGet hashmaliciousLummaCBrowse
                                                                                                                              • 104.102.49.254
                                                                                                                              file.exeGet hashmaliciousLummaCBrowse
                                                                                                                              • 104.102.49.254
                                                                                                                              file.exeGet hashmaliciousLummaCBrowse
                                                                                                                              • 104.102.49.254
                                                                                                                              la.bot.m68k.elfGet hashmaliciousUnknownBrowse
                                                                                                                              • 23.0.254.211

                                                                                                                              JA3 Fingerprints

                                                                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                              a0e9f5d64349fb13191bc781f81f42e1file.exeGet hashmaliciousLummaCBrowse
                                                                                                                              • 104.102.49.254
                                                                                                                              https://dl.dropboxusercontent.com/scl/fi/kzw07ghqs05mfyhu8o3ey/BestellungVRG020002.zip?rlkey=27cmmjv86s5ygdnss2oa80i1o&st=86cnbbyp&dl=0Get hashmaliciousUnknownBrowse
                                                                                                                              • 104.102.49.254
                                                                                                                              file.exeGet hashmaliciousLummaCBrowse
                                                                                                                              • 104.102.49.254
                                                                                                                              file.exeGet hashmaliciousLummaCBrowse
                                                                                                                              • 104.102.49.254
                                                                                                                              file.exeGet hashmaliciousLummaCBrowse
                                                                                                                              • 104.102.49.254
                                                                                                                              file.exeGet hashmaliciousLummaCBrowse
                                                                                                                              • 104.102.49.254
                                                                                                                              file.exeGet hashmaliciousLummaCBrowse
                                                                                                                              • 104.102.49.254
                                                                                                                              Credit_Details2251397102400024.xla.xlsxGet hashmaliciousUnknownBrowse
                                                                                                                              • 104.102.49.254
                                                                                                                              Pro_Inv_24102024_payment_confirmations_SWIFTFiles.xlsGet hashmaliciousUnknownBrowse
                                                                                                                              • 104.102.49.254
                                                                                                                              file.exeGet hashmaliciousLummaCBrowse
                                                                                                                              • 104.102.49.254

                                                                                                                              Dropped Files

                                                                                                                              No context

                                                                                                                              Created / dropped Files

                                                                                                                              No created / dropped files found

                                                                                                                              Static File Info

                                                                                                                              General

                                                                                                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                              Entropy (8bit):6.407044699628105
                                                                                                                              TrID:
                                                                                                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                              • DOS Executable Generic (2002/1) 0.02%
                                                                                                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                              File name:9FvJxhtNOD.exe
                                                                                                                              File size:10'662'912 bytes
                                                                                                                              MD5:a613b8807e9e08a47a81c3b1e38a31f4
                                                                                                                              SHA1:bd79889bc1ce02b5a16124184c7287e74aff1b80
                                                                                                                              SHA256:3087108fae20b7a43c9a4479af8ece396217207e6de92e735d4edfe86671b067
                                                                                                                              SHA512:74b6bb50ddd64aecc36111812502375e90154b7fcae7d3608736fe48e03ab4dd4bd263c0e9359326209e50ee5866de94b9360b289f50430dbcc7a405434dda23
                                                                                                                              SSDEEP:98304:QBHh5y9TzXrTeNb+jqtd1fA/n2Yidr9gxnyaeXNbh1q0w4:yh5kDrTePpgxnytN1fB
                                                                                                                              TLSH:7CB62941FECB95F5D903143510AB623F23315D098B26CFCBE6587F2AFA772A20A76245
                                                                                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.........................L......... ........ ....@..........................p....../J....@................................

                                                                                                                              File Icon

                                                                                                                              Icon Hash:aa15557559ccd579

                                                                                                                              Static PE Info

                                                                                                                              General

                                                                                                                              Entrypoint:0x46de20
                                                                                                                              Entrypoint Section:.text
                                                                                                                              Digitally signed:false
                                                                                                                              Imagebase:0x400000
                                                                                                                              Subsystem:windows gui
                                                                                                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                                              Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
                                                                                                                              TLS Callbacks:
                                                                                                                              CLR (.Net) Version:
                                                                                                                              OS Version Major:6
                                                                                                                              OS Version Minor:1
                                                                                                                              File Version Major:6
                                                                                                                              File Version Minor:1
                                                                                                                              Subsystem Version Major:6
                                                                                                                              Subsystem Version Minor:1
                                                                                                                              Import Hash:4f2f006e2ecf7172ad368f8289dc96c1

                                                                                                                              Entrypoint Preview

                                                                                                                              Instruction
                                                                                                                              jmp 00007F16946F4770h
                                                                                                                              int3
                                                                                                                              int3
                                                                                                                              int3
                                                                                                                              int3
                                                                                                                              int3
                                                                                                                              int3
                                                                                                                              int3
                                                                                                                              int3
                                                                                                                              int3
                                                                                                                              int3
                                                                                                                              int3
                                                                                                                              sub esp, 28h
                                                                                                                              mov dword ptr [esp+1Ch], ebx
                                                                                                                              mov dword ptr [esp+10h], ebp
                                                                                                                              mov dword ptr [esp+14h], esi
                                                                                                                              mov dword ptr [esp+18h], edi
                                                                                                                              mov dword ptr [esp], eax
                                                                                                                              mov dword ptr [esp+04h], ecx
                                                                                                                              call 00007F16946D9BB6h
                                                                                                                              mov eax, dword ptr [esp+08h]
                                                                                                                              mov edi, dword ptr [esp+18h]
                                                                                                                              mov esi, dword ptr [esp+14h]
                                                                                                                              mov ebp, dword ptr [esp+10h]
                                                                                                                              mov ebx, dword ptr [esp+1Ch]
                                                                                                                              add esp, 28h
                                                                                                                              retn 0004h
                                                                                                                              ret
                                                                                                                              int3
                                                                                                                              int3
                                                                                                                              int3
                                                                                                                              int3
                                                                                                                              int3
                                                                                                                              int3
                                                                                                                              sub esp, 08h
                                                                                                                              mov ecx, dword ptr [esp+0Ch]
                                                                                                                              mov edx, dword ptr [ecx]
                                                                                                                              mov eax, esp
                                                                                                                              mov dword ptr [edx+04h], eax
                                                                                                                              sub eax, 00010000h
                                                                                                                              mov dword ptr [edx], eax
                                                                                                                              add eax, 00000BA0h
                                                                                                                              mov dword ptr [edx+08h], eax
                                                                                                                              mov dword ptr [edx+0Ch], eax
                                                                                                                              lea edi, dword ptr [ecx+34h]
                                                                                                                              mov dword ptr [edx+18h], ecx
                                                                                                                              mov dword ptr [edi], edx
                                                                                                                              mov dword ptr [esp+04h], edi
                                                                                                                              call 00007F16946F6BA4h
                                                                                                                              cld
                                                                                                                              call 00007F16946F5C5Eh
                                                                                                                              call 00007F16946F4899h
                                                                                                                              add esp, 08h
                                                                                                                              ret
                                                                                                                              mov ebx, dword ptr [esp+04h]
                                                                                                                              mov dword ptr fs:[00000034h], 00000000h
                                                                                                                              mov ebp, esp
                                                                                                                              mov ecx, dword ptr [ebx+04h]
                                                                                                                              mov eax, ecx
                                                                                                                              shl eax, 02h
                                                                                                                              sub esp, eax
                                                                                                                              mov edi, esp
                                                                                                                              mov esi, dword ptr [ebx+08h]
                                                                                                                              cld
                                                                                                                              rep movsd
                                                                                                                              call dword ptr [ebx]
                                                                                                                              mov esp, ebp
                                                                                                                              mov ebx, dword ptr [esp+04h]
                                                                                                                              mov dword ptr [ebx+0Ch], eax
                                                                                                                              mov dword ptr [ebx+10h], edx
                                                                                                                              mov eax, dword ptr fs:[00000034h]

                                                                                                                              Data Directories

                                                                                                                              NameVirtual AddressVirtual Size Is in Section
                                                                                                                              IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                                                                              IMAGE_DIRECTORY_ENTRY_IMPORT0xa1b0000x45e.idata
                                                                                                                              IMAGE_DIRECTORY_ENTRY_RESOURCE0xa590000xdd5c.rsrc
                                                                                                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                                                                              IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                                                                              IMAGE_DIRECTORY_ENTRY_BASERELOC0xa1c0000x3b506.reloc
                                                                                                                              IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                                                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                                                              IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                                                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                                                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                                                              IMAGE_DIRECTORY_ENTRY_IAT0x992b800xb8.data
                                                                                                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                                                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                                                                                              IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                                                                              Sections

                                                                                                                              NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                                                              .text0x10000x4cc6690x4cc8006e017790d788e77abca0dd6e38d3f2bbunknownunknownunknownunknownIMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                                                              .rdata0x4ce0000x4c32640x4c340055674a0c90177f40016bf8711f1db76funknownunknownunknownunknownIMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                                              .data0x9920000x88b4c0x518005d32645087e33f8c063bca47bd0dd7bfFalse0.37371788726993865data5.496377864278092IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                              .idata0xa1b0000x45e0x6001b739705bc43404b25b6ecba5fef3391False0.3645833333333333data3.92186235756886IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                              .reloc0xa1c0000x3b5060x3b600e831b8279c352b89f7e5fad7ffe0d235False0.5849300986842105data6.65867724722317IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                                                                                              .symtab0xa580000x40x20007b5472d347d42780469fb2654b7fc54False0.02734375data0.020393135236084953IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                                                                                              .rsrc0xa590000xdd5c0xde00d8186a72fc9b5c9d6efe4c5cdafb59e8False0.7434192004504504data7.302207021184031IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                                                                                              Resources

                                                                                                                              NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                                                                              RT_ICON0xa592040x899ePNG image data, 256 x 256, 8-bit/color RGBA, non-interlacedEnglishUnited States0.9932160090831678
                                                                                                                              RT_ICON0xa61ba40x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 9600EnglishUnited States0.32396265560165977
                                                                                                                              RT_ICON0xa6414c0x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4224EnglishUnited States0.4066604127579737
                                                                                                                              RT_ICON0xa651f40x988Device independent bitmap graphic, 24 x 48 x 32, image size 2400EnglishUnited States0.45081967213114754
                                                                                                                              RT_ICON0xa65b7c0x468Device independent bitmap graphic, 16 x 32 x 32, image size 1088EnglishUnited States0.22340425531914893
                                                                                                                              RT_GROUP_ICON0xa65fe40x4cdataEnglishUnited States0.7894736842105263
                                                                                                                              RT_VERSION0xa660300x584dataEnglishUnited States0.2776203966005666
                                                                                                                              RT_MANIFEST0xa665b40x7a8XML 1.0 document, ASCII text, with CRLF line terminatorsEnglishUnited States0.3377551020408163

                                                                                                                              Imports

                                                                                                                              DLLImport
                                                                                                                              kernel32.dllWriteFile, WriteConsoleW, WerSetFlags, WerGetFlags, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TlsAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, RaiseFailFastException, PostQueuedCompletionStatus, LoadLibraryW, LoadLibraryExW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetErrorMode, GetEnvironmentStringsW, GetCurrentThreadId, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateFileA, CreateEventA, CloseHandle, AddVectoredExceptionHandler

                                                                                                                              Possible Origin

                                                                                                                              Language of compilation systemCountry where language is spokenMap
                                                                                                                              EnglishUnited States

                                                                                                                              Network Behavior

                                                                                                                              Suricata IDS Alerts

                                                                                                                              TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                                                                              2024-10-25T11:17:25.516258+02002056752ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (deepymouthi .sbs)1192.168.2.6548221.1.1.153UDP
                                                                                                                              2024-10-25T11:17:25.536230+02002056760ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (monstourtu .sbs)1192.168.2.6571811.1.1.153UDP
                                                                                                                              2024-10-25T11:17:25.557227+02002056756ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (heroicmint .sbs)1192.168.2.6611971.1.1.153UDP
                                                                                                                              2024-10-25T11:17:25.569379+02002056762ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sidercotay .sbs)1192.168.2.6512771.1.1.153UDP
                                                                                                                              2024-10-25T11:17:25.581286+02002056750ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (captaitwik .sbs)1192.168.2.6535941.1.1.153UDP
                                                                                                                              2024-10-25T11:17:25.592113+02002056766ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wrigglesight .sbs)1192.168.2.6644621.1.1.153UDP
                                                                                                                              2024-10-25T11:17:25.607717+02002056754ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ferrycheatyk .sbs)1192.168.2.6620101.1.1.153UDP
                                                                                                                              2024-10-25T11:17:25.620501+02002056764ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (snailyeductyi .sbs)1192.168.2.6497961.1.1.153UDP
                                                                                                                              2024-10-25T11:17:27.100788+02002858666ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup1192.168.2.649766104.102.49.254443TCP

                                                                                                                              Network Port Distribution

                                                                                                                              TCP Packets

                                                                                                                              TimestampSource PortDest PortSource IPDest IP
                                                                                                                              Oct 25, 2024 11:17:25.645214081 CEST49766443192.168.2.6104.102.49.254
                                                                                                                              Oct 25, 2024 11:17:25.645250082 CEST44349766104.102.49.254192.168.2.6
                                                                                                                              Oct 25, 2024 11:17:25.645329952 CEST49766443192.168.2.6104.102.49.254
                                                                                                                              Oct 25, 2024 11:17:25.648660898 CEST49766443192.168.2.6104.102.49.254
                                                                                                                              Oct 25, 2024 11:17:25.648689985 CEST44349766104.102.49.254192.168.2.6
                                                                                                                              Oct 25, 2024 11:17:26.489995003 CEST44349766104.102.49.254192.168.2.6
                                                                                                                              Oct 25, 2024 11:17:26.490104914 CEST49766443192.168.2.6104.102.49.254
                                                                                                                              Oct 25, 2024 11:17:26.491774082 CEST49766443192.168.2.6104.102.49.254
                                                                                                                              Oct 25, 2024 11:17:26.491801977 CEST44349766104.102.49.254192.168.2.6
                                                                                                                              Oct 25, 2024 11:17:26.492213011 CEST44349766104.102.49.254192.168.2.6
                                                                                                                              Oct 25, 2024 11:17:26.546874046 CEST49766443192.168.2.6104.102.49.254
                                                                                                                              Oct 25, 2024 11:17:26.549082041 CEST49766443192.168.2.6104.102.49.254
                                                                                                                              Oct 25, 2024 11:17:26.591334105 CEST44349766104.102.49.254192.168.2.6
                                                                                                                              Oct 25, 2024 11:17:27.100985050 CEST44349766104.102.49.254192.168.2.6
                                                                                                                              Oct 25, 2024 11:17:27.101061106 CEST44349766104.102.49.254192.168.2.6
                                                                                                                              Oct 25, 2024 11:17:27.101066113 CEST49766443192.168.2.6104.102.49.254
                                                                                                                              Oct 25, 2024 11:17:27.101092100 CEST44349766104.102.49.254192.168.2.6
                                                                                                                              Oct 25, 2024 11:17:27.101121902 CEST49766443192.168.2.6104.102.49.254
                                                                                                                              Oct 25, 2024 11:17:27.101141930 CEST44349766104.102.49.254192.168.2.6
                                                                                                                              Oct 25, 2024 11:17:27.101171017 CEST49766443192.168.2.6104.102.49.254
                                                                                                                              Oct 25, 2024 11:17:27.101229906 CEST44349766104.102.49.254192.168.2.6
                                                                                                                              Oct 25, 2024 11:17:27.101298094 CEST49766443192.168.2.6104.102.49.254
                                                                                                                              Oct 25, 2024 11:17:27.101315975 CEST44349766104.102.49.254192.168.2.6
                                                                                                                              Oct 25, 2024 11:17:27.104576111 CEST44349766104.102.49.254192.168.2.6
                                                                                                                              Oct 25, 2024 11:17:27.104635000 CEST44349766104.102.49.254192.168.2.6
                                                                                                                              Oct 25, 2024 11:17:27.104665041 CEST49766443192.168.2.6104.102.49.254
                                                                                                                              Oct 25, 2024 11:17:27.104680061 CEST44349766104.102.49.254192.168.2.6
                                                                                                                              Oct 25, 2024 11:17:27.104712009 CEST49766443192.168.2.6104.102.49.254
                                                                                                                              Oct 25, 2024 11:17:27.104758024 CEST49766443192.168.2.6104.102.49.254
                                                                                                                              Oct 25, 2024 11:17:27.104769945 CEST44349766104.102.49.254192.168.2.6
                                                                                                                              Oct 25, 2024 11:17:27.104831934 CEST44349766104.102.49.254192.168.2.6
                                                                                                                              Oct 25, 2024 11:17:27.104916096 CEST49766443192.168.2.6104.102.49.254
                                                                                                                              Oct 25, 2024 11:17:27.107137918 CEST49766443192.168.2.6104.102.49.254
                                                                                                                              Oct 25, 2024 11:17:27.107157946 CEST44349766104.102.49.254192.168.2.6
                                                                                                                              Oct 25, 2024 11:17:27.107171059 CEST49766443192.168.2.6104.102.49.254
                                                                                                                              Oct 25, 2024 11:17:27.107182980 CEST44349766104.102.49.254192.168.2.6

                                                                                                                              UDP Packets

                                                                                                                              TimestampSource PortDest PortSource IPDest IP
                                                                                                                              Oct 25, 2024 11:17:25.516258001 CEST5482253192.168.2.61.1.1.1
                                                                                                                              Oct 25, 2024 11:17:25.525902987 CEST53548221.1.1.1192.168.2.6
                                                                                                                              Oct 25, 2024 11:17:25.536230087 CEST5718153192.168.2.61.1.1.1
                                                                                                                              Oct 25, 2024 11:17:25.555172920 CEST53571811.1.1.1192.168.2.6
                                                                                                                              Oct 25, 2024 11:17:25.557226896 CEST6119753192.168.2.61.1.1.1
                                                                                                                              Oct 25, 2024 11:17:25.566868067 CEST53611971.1.1.1192.168.2.6
                                                                                                                              Oct 25, 2024 11:17:25.569379091 CEST5127753192.168.2.61.1.1.1
                                                                                                                              Oct 25, 2024 11:17:25.579601049 CEST53512771.1.1.1192.168.2.6
                                                                                                                              Oct 25, 2024 11:17:25.581285954 CEST5359453192.168.2.61.1.1.1
                                                                                                                              Oct 25, 2024 11:17:25.590874910 CEST53535941.1.1.1192.168.2.6
                                                                                                                              Oct 25, 2024 11:17:25.592113018 CEST6446253192.168.2.61.1.1.1
                                                                                                                              Oct 25, 2024 11:17:25.603903055 CEST53644621.1.1.1192.168.2.6
                                                                                                                              Oct 25, 2024 11:17:25.607717037 CEST6201053192.168.2.61.1.1.1
                                                                                                                              Oct 25, 2024 11:17:25.617810965 CEST53620101.1.1.1192.168.2.6
                                                                                                                              Oct 25, 2024 11:17:25.620501041 CEST4979653192.168.2.61.1.1.1
                                                                                                                              Oct 25, 2024 11:17:25.630557060 CEST53497961.1.1.1192.168.2.6
                                                                                                                              Oct 25, 2024 11:17:25.632800102 CEST5650553192.168.2.61.1.1.1
                                                                                                                              Oct 25, 2024 11:17:25.640492916 CEST53565051.1.1.1192.168.2.6

                                                                                                                              DNS Queries

                                                                                                                              TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                                                              Oct 25, 2024 11:17:25.516258001 CEST192.168.2.61.1.1.10x24f7Standard query (0)deepymouthi.sbsA (IP address)IN (0x0001)false
                                                                                                                              Oct 25, 2024 11:17:25.536230087 CEST192.168.2.61.1.1.10x72b3Standard query (0)monstourtu.sbsA (IP address)IN (0x0001)false
                                                                                                                              Oct 25, 2024 11:17:25.557226896 CEST192.168.2.61.1.1.10x81faStandard query (0)heroicmint.sbsA (IP address)IN (0x0001)false
                                                                                                                              Oct 25, 2024 11:17:25.569379091 CEST192.168.2.61.1.1.10x6335Standard query (0)sidercotay.sbsA (IP address)IN (0x0001)false
                                                                                                                              Oct 25, 2024 11:17:25.581285954 CEST192.168.2.61.1.1.10xd6cbStandard query (0)captaitwik.sbsA (IP address)IN (0x0001)false
                                                                                                                              Oct 25, 2024 11:17:25.592113018 CEST192.168.2.61.1.1.10xec73Standard query (0)wrigglesight.sbsA (IP address)IN (0x0001)false
                                                                                                                              Oct 25, 2024 11:17:25.607717037 CEST192.168.2.61.1.1.10xa1aStandard query (0)ferrycheatyk.sbsA (IP address)IN (0x0001)false
                                                                                                                              Oct 25, 2024 11:17:25.620501041 CEST192.168.2.61.1.1.10x69dfStandard query (0)snailyeductyi.sbsA (IP address)IN (0x0001)false
                                                                                                                              Oct 25, 2024 11:17:25.632800102 CEST192.168.2.61.1.1.10xfee9Standard query (0)steamcommunity.comA (IP address)IN (0x0001)false

                                                                                                                              DNS Answers

                                                                                                                              TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                                                              Oct 25, 2024 11:17:25.525902987 CEST1.1.1.1192.168.2.60x24f7Name error (3)deepymouthi.sbsnonenoneA (IP address)IN (0x0001)false
                                                                                                                              Oct 25, 2024 11:17:25.555172920 CEST1.1.1.1192.168.2.60x72b3Name error (3)monstourtu.sbsnonenoneA (IP address)IN (0x0001)false
                                                                                                                              Oct 25, 2024 11:17:25.566868067 CEST1.1.1.1192.168.2.60x81faName error (3)heroicmint.sbsnonenoneA (IP address)IN (0x0001)false
                                                                                                                              Oct 25, 2024 11:17:25.579601049 CEST1.1.1.1192.168.2.60x6335Name error (3)sidercotay.sbsnonenoneA (IP address)IN (0x0001)false
                                                                                                                              Oct 25, 2024 11:17:25.590874910 CEST1.1.1.1192.168.2.60xd6cbName error (3)captaitwik.sbsnonenoneA (IP address)IN (0x0001)false
                                                                                                                              Oct 25, 2024 11:17:25.603903055 CEST1.1.1.1192.168.2.60xec73Name error (3)wrigglesight.sbsnonenoneA (IP address)IN (0x0001)false
                                                                                                                              Oct 25, 2024 11:17:25.617810965 CEST1.1.1.1192.168.2.60xa1aName error (3)ferrycheatyk.sbsnonenoneA (IP address)IN (0x0001)false
                                                                                                                              Oct 25, 2024 11:17:25.630557060 CEST1.1.1.1192.168.2.60x69dfName error (3)snailyeductyi.sbsnonenoneA (IP address)IN (0x0001)false
                                                                                                                              Oct 25, 2024 11:17:25.640492916 CEST1.1.1.1192.168.2.60xfee9No error (0)steamcommunity.com104.102.49.254A (IP address)IN (0x0001)false

                                                                                                                              HTTP Request Dependency Graph

                                                                                                                              • steamcommunity.com

                                                                                                                              HTTPS Proxied Packets

                                                                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                              0192.168.2.649766104.102.49.2544435328C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                                                                                                              TimestampBytes transferredDirectionData
                                                                                                                              2024-10-25 09:17:26 UTC219OUTGET /profiles/76561199724331900 HTTP/1.1
                                                                                                                              Connection: Keep-Alive
                                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                              Host: steamcommunity.com
                                                                                                                              2024-10-25 09:17:27 UTC1917INHTTP/1.1 200 OK
                                                                                                                              Server: nginx
                                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                                              Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https:// [TRUNCATED]
                                                                                                                              Expires: Mon, 26 Jul 1997 05:00:00 GMT
                                                                                                                              Cache-Control: no-cache
                                                                                                                              Date: Fri, 25 Oct 2024 09:17:26 GMT
                                                                                                                              Content-Length: 26105
                                                                                                                              Connection: close
                                                                                                                              Set-Cookie: sessionid=65d75f5af747cc5d9ef6dab2; Path=/; Secure; SameSite=None
                                                                                                                              Set-Cookie: steamCountry=US%7C42cb6563c5fec8103907e3e99aebe27b; Path=/; Secure; HttpOnly; SameSite=None
                                                                                                                              2024-10-25 09:17:27 UTC14467INData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c
                                                                                                                              Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
                                                                                                                              2024-10-25 09:17:27 UTC11638INData Raw: 22 3f 6c 3d 74 63 68 69 6e 65 73 65 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 74 63 68 69 6e 65 73 65 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e e7 b9 81 e9 ab 94 e4 b8 ad e6 96 87 20 28 54 72 61 64 69 74 69 6f 6e 61 6c 20 43 68 69 6e 65 73 65 29 3c 2f 61 3e 0d 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 6d 65 6e 75 5f 69 74 65 6d 20 74 69 67 68 74 22 20 68 72 65 66 3d 22 3f 6c 3d 6a 61 70 61 6e 65 73 65 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 6a 61 70 61 6e 65 73 65 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e e6 97 a5 e6 9c ac e8 aa 9e 20 28 4a
                                                                                                                              Data Ascii: "?l=tchinese" onclick="ChangeLanguage( 'tchinese' ); return false;"> (Traditional Chinese)</a><a class="popup_menu_item tight" href="?l=japanese" onclick="ChangeLanguage( 'japanese' ); return false;"> (J


                                                                                                                              Statistics

                                                                                                                              CPU Usage

                                                                                                                              Click to jump to process

                                                                                                                              Memory Usage

                                                                                                                              Click to jump to process

                                                                                                                              Behavior

                                                                                                                              Click to jump to process

                                                                                                                              System Behavior

                                                                                                                              General

                                                                                                                              Target ID:0
                                                                                                                              Start time:05:17:11
                                                                                                                              Start date:25/10/2024
                                                                                                                              Path:C:\Users\user\Desktop\9FvJxhtNOD.exe
                                                                                                                              Wow64 process (32bit):true
                                                                                                                              Commandline:"C:\Users\user\Desktop\9FvJxhtNOD.exe"
                                                                                                                              Imagebase:0xf00000
                                                                                                                              File size:10'662'912 bytes
                                                                                                                              MD5 hash:A613B8807E9E08A47A81C3B1E38A31F4
                                                                                                                              Has elevated privileges:true
                                                                                                                              Has administrator privileges:true
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Yara matches:
                                                                                                                              • Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000002.2317240460.000000000A2DC000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                                                                                                              • Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000003.2290697245.000000000A5AC000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                                                                                                              • Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000002.2317711192.000000000A5AC000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                                                                                                              Reputation:low
                                                                                                                              Has exited:true

                                                                                                                              General

                                                                                                                              Target ID:2
                                                                                                                              Start time:05:17:21
                                                                                                                              Start date:25/10/2024
                                                                                                                              Path:C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                                                                                                              Wow64 process (32bit):true
                                                                                                                              Commandline:"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
                                                                                                                              Imagebase:0xb10000
                                                                                                                              File size:231'736 bytes
                                                                                                                              MD5 hash:A64BEAB5D4516BECA4C40B25DC0C1CD8
                                                                                                                              Has elevated privileges:true
                                                                                                                              Has administrator privileges:true
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Reputation:moderate
                                                                                                                              Has exited:true

                                                                                                                              Disassembly

                                                                                                                              Reset < >

                                                                                                                                Non-executed Functions

                                                                                                                                Function 00F39C00 Relevance: 10.2, Strings: 8, Instructions: 182COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Strings
                                                                                                                                • %, xrefs: 00F39F3E
                                                                                                                                • VirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workruntime: g is running but p is notdoaddtimer: P already set in timerhttp2: aborting request body writehttp: persistConn.readLoop exitinghttp: read on closed r, xrefs: 00F39E7F
                                                                                                                                • CreateWaitableTimerEx when creating timer failedruntime.preemptM: duplicatehandle failed; errno=runtime: waitforsingleobject wait_failed; errno=reflect: CallSlice with too many input argumentscrypto/rsa: input must be hashed with given hashx509: X25519 key enc, xrefs: 00F39EDA
                                                                                                                                • runtime.minit: duplicatehandle failed_cgo_notify_runtime_init_done missingstartTheWorld: inconsistent mp->nextpruntime: unexpected SPWRITE function all goroutines are asleep - deadlock!cannot create context from nil parenthttp: invalid byte %q in Cookie.Valueu, xrefs: 00F39F35
                                                                                                                                • runtime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnableruntime: bad notifyList size - sync=accessed data from freed user arena runtime:, xrefs: 00F39E4B
                                                                                                                                • runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerocontext: internal error: missing cancel errorhttp: putIdleConn: connection is in, xrefs: 00F39F01
                                                                                                                                • runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerocontext: internal error: missing cancel errorhttp: putIdleConn: connection is in bad stateinvalid request :path %q from URL.O, xrefs: 00F39EA6
                                                                                                                                • bad g0 stackself-preempt [recovered]bad recoverybad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatchout of rangecontext.TODO%!(BADWIDTH)content-typeContent-TypeCookie.V, xrefs: 00F39E24
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000000.00000002.2314254661.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                                                                                                                • Associated: 00000000.00000002.2314233211.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                • Associated: 00000000.00000002.2314659490.00000000013CE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                • Associated: 00000000.00000002.2315111540.0000000001892000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                • Associated: 00000000.00000002.2315148922.0000000001895000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                • Associated: 00000000.00000002.2315175780.0000000001896000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                • Associated: 00000000.00000002.2315204988.0000000001897000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                • Associated: 00000000.00000002.2315222377.0000000001899000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                • Associated: 00000000.00000002.2315240782.000000000189A000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                • Associated: 00000000.00000002.2315272059.00000000018D5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                • Associated: 00000000.00000002.2315292317.00000000018E1000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                • Associated: 00000000.00000002.2315309868.00000000018E2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                • Associated: 00000000.00000002.2315309868.00000000018EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                • Associated: 00000000.00000002.2315309868.000000000190A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                • Associated: 00000000.00000002.2315309868.0000000001911000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                • Associated: 00000000.00000002.2315394328.000000000191B000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                • Associated: 00000000.00000002.2315413462.000000000191C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                • Associated: 00000000.00000002.2315413462.0000000001959000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_0_2_f00000_9FvJxhtNOD.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: %$CreateWaitableTimerEx when creating timer failedruntime.preemptM: duplicatehandle failed; errno=runtime: waitforsingleobject wait_failed; errno=reflect: CallSlice with too many input argumentscrypto/rsa: input must be hashed with given hashx509: X25519 key enc$VirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workruntime: g is running but p is notdoaddtimer: P already set in timerhttp2: aborting request body writehttp: persistConn.readLoop exitinghttp: read on closed r$bad g0 stackself-preempt [recovered]bad recoverybad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatchout of rangecontext.TODO%!(BADWIDTH)content-typeContent-TypeCookie.V$runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerocontext: internal error: missing cancel errorhttp: putIdleConn: connection is in$runtime.minit: duplicatehandle failed_cgo_notify_runtime_init_done missingstartTheWorld: inconsistent mp->nextpruntime: unexpected SPWRITE function all goroutines are asleep - deadlock!cannot create context from nil parenthttp: invalid byte %q in Cookie.Valueu$runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerocontext: internal error: missing cancel errorhttp: putIdleConn: connection is in bad stateinvalid request :path %q from URL.O$runtime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnableruntime: bad notifyList size - sync=accessed data from freed user arena runtime:
                                                                                                                                • API String ID: 0-2580123715
                                                                                                                                • Opcode ID: 1b72fbe012dd08f1b3208b4d5b953dee4f92b4d84453de7354fd9d66edd4f0a8
                                                                                                                                • Instruction ID: 86c28b2117bf7135aaa158be55f9836a59f901fb05b97b56020500565016f0a0
                                                                                                                                • Opcode Fuzzy Hash: 1b72fbe012dd08f1b3208b4d5b953dee4f92b4d84453de7354fd9d66edd4f0a8
                                                                                                                                • Instruction Fuzzy Hash: 8191E2B49087019FD710EF64D48575ABBE0BF88724F00892CF4988B392D7B9D949EF52
                                                                                                                                Function 00F4A2C0 Relevance: 6.3, Strings: 5, Instructions: 83COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Strings
                                                                                                                                • p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACEBACK) at entry+ (targetpc= , plugin: runtime: g : frame.sp=created by .WithCancel%!(BADPREC)nil contextretry-afterhttp2se, xrefs: 00F4A3C3
                                                                                                                                • m->p= p->m=SCHED curg= ctxt: min= max= (...) base , val Format[]byteserverBasic CookiecookieexpectoriginclosedmethodExpectPragmasocks activesocks5CANCELGOAWAYPADDEDAcceptuint16uint32uint64structchan<-<-chan ValueSTREET-----netdns.localreturn.onionip+netdo, xrefs: 00F4A377
                                                                                                                                • releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatchout of rangecontext.TODO%!(BADWIDTH)content-typeContent-TypeCookie.Valuemax-forwardshttp2debug=1http2debug=2100-continuerecv_goaway_status code Multi-StatusNot Modi, xrefs: 00F4A355
                                                                                                                                • releasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime: confused by pcHeader.textStart= timer data corruptionkey is not comparablefeature not supportedhttp: nil Request.URLUNKNOWN_FRAME_TYPE_%dframe_ping_has_streamRoundTri, xrefs: 00F4A40D
                                                                                                                                • releasep: invalid p statecheckdead: no p for timercheckdead: no m for timerunknown sigtramp callbackunexpected fault address missing stack in newstackbad status in shrinkstackmissing traceGCSweepStartunexpected key value typeExpandEnvironmentStringsWcontext de, xrefs: 00F4A3F7
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000000.00000002.2314254661.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                                                                                                                • Associated: 00000000.00000002.2314233211.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                • Associated: 00000000.00000002.2314659490.00000000013CE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                • Associated: 00000000.00000002.2315111540.0000000001892000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                • Associated: 00000000.00000002.2315148922.0000000001895000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                • Associated: 00000000.00000002.2315175780.0000000001896000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                • Associated: 00000000.00000002.2315204988.0000000001897000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                • Associated: 00000000.00000002.2315222377.0000000001899000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                • Associated: 00000000.00000002.2315240782.000000000189A000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                • Associated: 00000000.00000002.2315272059.00000000018D5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                • Associated: 00000000.00000002.2315292317.00000000018E1000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                • Associated: 00000000.00000002.2315309868.00000000018E2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                • Associated: 00000000.00000002.2315309868.00000000018EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                • Associated: 00000000.00000002.2315309868.000000000190A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                • Associated: 00000000.00000002.2315309868.0000000001911000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                • Associated: 00000000.00000002.2315394328.000000000191B000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                • Associated: 00000000.00000002.2315413462.000000000191C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                • Associated: 00000000.00000002.2315413462.0000000001959000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_0_2_f00000_9FvJxhtNOD.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: m->p= p->m=SCHED curg= ctxt: min= max= (...) base , val Format[]byteserverBasic CookiecookieexpectoriginclosedmethodExpectPragmasocks activesocks5CANCELGOAWAYPADDEDAcceptuint16uint32uint64structchan<-<-chan ValueSTREET-----netdns.localreturn.onionip+netdo$ p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACEBACK) at entry+ (targetpc= , plugin: runtime: g : frame.sp=created by .WithCancel%!(BADPREC)nil contextretry-afterhttp2se$releasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime: confused by pcHeader.textStart= timer data corruptionkey is not comparablefeature not supportedhttp: nil Request.URLUNKNOWN_FRAME_TYPE_%dframe_ping_has_streamRoundTri$releasep: invalid p statecheckdead: no p for timercheckdead: no m for timerunknown sigtramp callbackunexpected fault address missing stack in newstackbad status in shrinkstackmissing traceGCSweepStartunexpected key value typeExpandEnvironmentStringsWcontext de$releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatchout of rangecontext.TODO%!(BADWIDTH)content-typeContent-TypeCookie.Valuemax-forwardshttp2debug=1http2debug=2100-continuerecv_goaway_status code Multi-StatusNot Modi
                                                                                                                                • API String ID: 0-2133141904
                                                                                                                                • Opcode ID: 3d96550d60c2de6516225d4dcddecd1ade60364e1adbed5a782d5dabb3c13302
                                                                                                                                • Instruction ID: c784026a53e81dafad9663811392b1d1798bf892bb439f3164ceacea5c4d8183
                                                                                                                                • Opcode Fuzzy Hash: 3d96550d60c2de6516225d4dcddecd1ade60364e1adbed5a782d5dabb3c13302
                                                                                                                                • Instruction Fuzzy Hash: BF41D6B4908705CFD310EF24D59566EBBE0BF88714F41886DE88887362D779D888EB92

                                                                                                                                Execution Graph

                                                                                                                                Execution Coverage:1.4%
                                                                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                                                                Signature Coverage:32.6%
                                                                                                                                Total number of Nodes:46
                                                                                                                                Total number of Limit Nodes:2
                                                                                                                                execution_graph 19942 40d3b0 19944 40d3b8 19942->19944 19943 40d422 ExitProcess 19944->19943 19945 40d418 19944->19945 19946 40d3f4 GetCurrentThreadId GetForegroundWindow 19944->19946 19945->19943 19947 40d404 GetCurrentProcessId 19946->19947 19948 40d40a 19946->19948 19947->19948 19948->19945 19950 4109e0 CoInitializeEx 19948->19950 19918 443185 19919 4431a0 19918->19919 19919->19919 19920 4431bd GetForegroundWindow 19919->19920 19921 4431d9 19920->19921 19922 4429c5 19924 442a00 19922->19924 19923 442a4e 19923->19923 19928 4427e0 LdrInitializeThunk 19923->19928 19924->19923 19929 4427e0 LdrInitializeThunk 19924->19929 19927 442b61 19928->19927 19929->19923 19951 442c95 19952 442cb0 19951->19952 19954 442d13 19952->19954 19958 4427e0 LdrInitializeThunk 19952->19958 19957 4427e0 LdrInitializeThunk 19954->19957 19956 442fdb 19957->19956 19958->19954 19959 442795 19960 44279c RtlReAllocateHeap 19959->19960 19930 43fa86 19931 43fadd 19930->19931 19932 43facc RtlFreeHeap 19930->19932 19933 43fa94 19930->19933 19932->19931 19933->19932 19934 442e81 19935 442ea0 19934->19935 19935->19935 19936 442f02 19935->19936 19941 4427e0 LdrInitializeThunk 19935->19941 19940 4427e0 LdrInitializeThunk 19936->19940 19939 4430bd 19940->19939 19941->19936 19966 442bb1 19967 442be0 19966->19967 19968 442c2e 19967->19968 19970 4427e0 LdrInitializeThunk 19967->19970 19970->19968 19971 44339b 19972 4433a5 19971->19972 19975 44348e 19972->19975 19978 4427e0 LdrInitializeThunk 19972->19978 19974 44359e 19975->19974 19977 4427e0 LdrInitializeThunk 19975->19977 19977->19974 19978->19975

                                                                                                                                Executed Functions

                                                                                                                                Function 0040F3E0 Relevance: 14.1, Strings: 11, Instructions: 399COMMON
                                                                                                                                Download Yara Rule

                                                                                                                                Control-flow Graph

                                                                                                                                • Executed
                                                                                                                                • Not Executed
                                                                                                                                control_flow_graph 0 40f3e0-40f468 1 40f470-40f479 0->1 1->1 2 40f47b-40f48e 1->2 4 40f713-40f717 2->4 5 40f7b3-40f7bc 2->5 6 40f495-40f497 2->6 7 40f49c-40f6cb 2->7 8 40f71c-40f7ac call 40ca80 2->8 9 40f7be 2->9 10 40f7e3-40f7ef 4->10 12 40f7d9 5->12 13 40f7f2-40f7f9 6->13 14 40f6d0-40f6f5 7->14 8->5 8->9 20 40f900-40f90e 8->20 21 40f800-40f801 8->21 22 40f8c0 8->22 23 40f8e1 8->23 24 40f7c4-40f7cd 8->24 25 40fa25-40fa3a 8->25 26 40f8e7-40f8f0 8->26 27 40f827 8->27 28 40f8c9-40f8d1 8->28 29 40f86a-40f876 8->29 30 40f9eb-40fa0f 8->30 31 40f80e-40f820 8->31 32 40f850-40f861 call 442720 8->32 33 40f830-40f844 call 442720 8->33 34 40f8b1-40f8b9 8->34 35 40fa16 8->35 36 40f8d6-40f8dc 8->36 37 40f8f7-40f8fe 8->37 38 40f9b7-40f9c3 8->38 39 40f87d-40f8aa 8->39 10->13 17 40f7e0 12->17 14->14 15 40f6f7-40f702 14->15 18 40f705-40f70c 15->18 17->10 18->4 18->5 18->8 18->9 18->20 18->21 18->22 18->23 18->24 18->25 18->26 18->27 18->28 18->29 18->30 18->31 18->32 18->33 18->34 18->35 18->36 18->37 18->38 18->39 42 40f910-40f924 20->42 49 40f808 21->49 22->28 40 40f7d0 24->40 26->20 26->21 26->22 26->24 26->25 26->27 26->28 26->29 26->30 26->31 26->32 26->33 26->34 26->35 26->36 26->37 26->38 26->39 27->33 28->21 29->22 29->34 29->36 29->39 30->21 30->22 30->25 30->27 30->28 30->29 30->31 30->32 30->33 30->34 30->35 30->36 30->39 31->22 31->27 31->29 31->32 31->33 31->34 31->36 31->39 32->29 33->32 34->22 34->36 54 40fa1d-40fa20 35->54 36->35 41 40f92c-40f94f 37->41 50 40f9ca-40f9e4 38->50 39->22 39->34 39->36 40->12 48 40f950-40f991 41->48 42->42 47 40f926-40f929 42->47 47->41 48->48 55 40f993-40f9b0 48->55 49->31 50->21 50->22 50->25 50->27 50->28 50->29 50->30 50->31 50->32 50->33 50->34 50->35 50->36 50->39 54->40 55->21 55->22 55->24 55->25 55->27 55->28 55->29 55->30 55->31 55->32 55->33 55->34 55->35 55->36 55->38 55->39
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: %W)Q$*_#Y$-S+]$4G&A$HW$M3L=$M7@1$W+W5$Y_$\?V9$OI
                                                                                                                                • API String ID: 0-3646262867
                                                                                                                                • Opcode ID: b8f432f1219f78762679f535919315caee983cfd325f14dbd0f1bcd05d0262c3
                                                                                                                                • Instruction ID: e9beee161f02e862694e74e31dd929792c823f84bf43205f59f68e2a6d08fc3e
                                                                                                                                • Opcode Fuzzy Hash: b8f432f1219f78762679f535919315caee983cfd325f14dbd0f1bcd05d0262c3
                                                                                                                                • Instruction Fuzzy Hash: B3F165B5200B40CFD3248F29D895797BBF4FB45714F148A2DE5AA8BAA0C774B409CF95
                                                                                                                                Function 0040FA60 Relevance: 4.3, Strings: 3, Instructions: 549COMMON
                                                                                                                                Download Yara Rule

                                                                                                                                Control-flow Graph

                                                                                                                                • Executed
                                                                                                                                • Not Executed
                                                                                                                                control_flow_graph 77 40fa60-40fcbf 78 40fcc0-40fcd7 77->78 78->78 79 40fcd9-40fcf3 78->79 81 40fea0-40fea4 79->81 82 40fdd2-40fdeb 79->82 83 40fd23-40fd46 79->83 84 40fdc9-40fdcd 79->84 85 40fea9-40feb0 79->85 86 40fcfa-40fd03 79->86 89 410311 81->89 88 40fdf0-40fe1d 82->88 94 40fd50-40fda0 83->94 87 41031b-41033a 84->87 90 410043-4100ab 85->90 91 4101c2-4101ea 85->91 92 40feb7 85->92 93 40febd-40ff2a 85->93 86->83 87->90 87->91 108 410201-410215 87->108 109 410280-41028c 87->109 110 410240-410261 87->110 111 410300 87->111 112 410268 87->112 113 4102eb 87->113 114 41030a 87->114 115 4102ac-4102ca call 442720 87->115 116 41026e-41027a 87->116 117 4102d1-4102d6 87->117 118 4102f1-4102f5 87->118 119 410230 87->119 120 410292-4102a5 87->120 121 4102dd-4102e4 87->121 122 41021c-41022f 87->122 88->88 97 40fe1f-40fe4b 88->97 89->87 98 4100b0-410148 90->98 101 4101f1-4101fa 91->101 92->93 95 40ff30-40ffc8 93->95 94->94 96 40fda2-40fdc2 94->96 95->95 99 40ffce-40ffd9 95->99 96->81 96->82 96->84 96->85 100 40fe50-40fe75 97->100 98->98 103 41014e-410159 98->103 104 40fff1-410000 99->104 105 40ffdb-40ffdf 99->105 100->100 107 40fe77-40fe99 100->107 101->108 101->109 101->110 101->111 101->112 101->113 101->114 101->115 101->116 101->117 101->118 101->119 101->120 101->121 101->122 123 410171-410180 103->123 124 41015b-41015f 103->124 126 410002-410004 104->126 127 410025-41003d 104->127 125 40ffe0-40ffef 105->125 107->81 107->85 108->109 108->110 108->111 108->112 108->113 108->114 108->115 108->116 108->117 108->118 108->119 108->120 108->121 108->122 109->120 110->111 110->112 110->113 110->114 110->118 110->121 111->114 114->89 115->110 115->111 115->112 115->113 115->114 115->117 115->118 115->121 116->109 117->111 117->112 117->113 117->114 117->118 117->121 118->111 120->110 120->111 120->112 120->113 120->114 120->115 120->117 120->118 120->121 121->111 121->113 121->114 121->118 122->119 130 410182-410184 123->130 131 4101a5-4101bd 123->131 129 410160-41016f 124->129 125->104 125->125 133 410010-410021 126->133 127->90 129->123 129->129 137 410190-4101a1 130->137 131->91 133->133 140 410023 133->140 137->137 142 4101a3 137->142 140->127 142->131
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: !%$#4$+(
                                                                                                                                • API String ID: 0-3417874192
                                                                                                                                • Opcode ID: 497de5ca66d91de7c8c6126e8c82637f810e4af574d2ce4458f7ebc7d53c0468
                                                                                                                                • Instruction ID: 767dabb064566e5d4e4bde100089e040bc6de3801658a884cd438d14a949796c
                                                                                                                                • Opcode Fuzzy Hash: 497de5ca66d91de7c8c6126e8c82637f810e4af574d2ce4458f7ebc7d53c0468
                                                                                                                                • Instruction Fuzzy Hash: 0022DDB51083859FE320DF65D8507ABBBE2FFC5301F14892CE1C58B661EB788845CB8A
                                                                                                                                Function 00443185 Relevance: 1.5, APIs: 1, Instructions: 37COMMON
                                                                                                                                Download Yara Rule

                                                                                                                                Control-flow Graph

                                                                                                                                • Executed
                                                                                                                                • Not Executed
                                                                                                                                control_flow_graph 154 443185-44319f 155 4431a0-4431bb 154->155 155->155 156 4431bd-4431d4 GetForegroundWindow call 445c20 155->156 158 4431d9-4431fc 156->158
                                                                                                                                APIs
                                                                                                                                • GetForegroundWindow.USER32 ref: 004431CB
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: ForegroundWindow
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 2020703349-0
                                                                                                                                • Opcode ID: 189079d9c345ad3d678eb6942f63586cca19e05d25fa8d7cd2d23539d957d56f
                                                                                                                                • Instruction ID: 0db8f81c7e7f3c734070221f531c27a0c77671bc68a3fb859565ace3fb91af14
                                                                                                                                • Opcode Fuzzy Hash: 189079d9c345ad3d678eb6942f63586cca19e05d25fa8d7cd2d23539d957d56f
                                                                                                                                • Instruction Fuzzy Hash: 62F0AF75E183408BF3049B28E84566ABBE1E792316F04483EE181D3382D529C545CB4A
                                                                                                                                Function 00442795 Relevance: 1.5, APIs: 1, Instructions: 15memoryCOMMON
                                                                                                                                Download Yara Rule

                                                                                                                                Control-flow Graph

                                                                                                                                • Executed
                                                                                                                                • Not Executed
                                                                                                                                control_flow_graph 159 442795-4427a5 RtlReAllocateHeap
                                                                                                                                APIs
                                                                                                                                • RtlReAllocateHeap.NTDLL(?,00000000,?,?,?,00000000), ref: 004427A5
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: AllocateHeap
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 1279760036-0
                                                                                                                                • Opcode ID: 23f7856c11fe6dde84ab91d72e1dd37d8937cf4f881b6920fe659098721de8be
                                                                                                                                • Instruction ID: a5dafc369a3dc61aaf89cbc4db744fb32cfccaed77666beb4a0acf6a833bc767
                                                                                                                                • Opcode Fuzzy Hash: 23f7856c11fe6dde84ab91d72e1dd37d8937cf4f881b6920fe659098721de8be
                                                                                                                                • Instruction Fuzzy Hash: AFC09264A42354F4E4301A220C4EFBBBD3CCB83B52F1034943105360820964E000C0BC
                                                                                                                                Function 004427E0 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON
                                                                                                                                Download Yara Rule

                                                                                                                                Control-flow Graph

                                                                                                                                • Executed
                                                                                                                                • Not Executed
                                                                                                                                control_flow_graph 161 4427e0-442812 LdrInitializeThunk
                                                                                                                                APIs
                                                                                                                                • LdrInitializeThunk.NTDLL(00446000,005C003F,00000006,?,?,00000018,?,?,?), ref: 0044280E
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: InitializeThunk
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 2994545307-0
                                                                                                                                • Opcode ID: ad932b2b00559e9cb24108de1499e2b8809661d28f6ef4b94d1e3dfa2d030c47
                                                                                                                                • Instruction ID: 88b266f08c8d8dc656098dc4a5309144cffe720ba9f358246b073a6e310c2786
                                                                                                                                • Opcode Fuzzy Hash: ad932b2b00559e9cb24108de1499e2b8809661d28f6ef4b94d1e3dfa2d030c47
                                                                                                                                • Instruction Fuzzy Hash: 47E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82
                                                                                                                                Function 0040E452 Relevance: .5, Instructions: 523COMMON
                                                                                                                                Download Yara Rule

                                                                                                                                Control-flow Graph

                                                                                                                                • Executed
                                                                                                                                • Not Executed
                                                                                                                                control_flow_graph 248 40e452-40e460 call 441510 251 40e6c0 248->251 252 40e5c0-40e5f8 call 43de50 call 40ebf0 call 40ee90 248->252 253 40e620 248->253 254 40e6a0 248->254 255 40e6c6-40e6cb 248->255 256 40e626-40e635 248->256 257 40e6a6-40e6b1 248->257 258 40e6ea-40e813 248->258 259 40e470 248->259 260 40e610 248->260 261 40e6d0 248->261 262 40e6d2-40e6e3 248->262 263 40e693 248->263 264 40e476-40e478 248->264 265 40e656-40e665 248->265 266 40e47d-40e5b6 call 445420 * 12 248->266 267 40e5ff-40e605 248->267 252->253 252->254 252->255 252->256 252->257 252->258 252->260 252->261 252->262 252->263 252->265 252->267 275 40e880-40e8a5 252->275 276 40e8e9 252->276 277 40e8d0 252->277 278 40e8d6-40e8d9 252->278 279 40e81b-40e820 252->279 255->261 271 40e651 256->271 272 40e637-40e639 256->272 257->251 257->252 257->253 257->254 257->255 257->256 257->257 257->258 257->260 257->261 257->262 257->263 257->265 257->267 257->275 257->276 257->277 257->278 257->279 258->279 259->264 260->253 262->258 262->275 262->276 262->277 262->278 262->279 263->254 269 40eb5e-40eb65 264->269 273 40e681-40e68a 265->273 274 40e667-40e669 265->274 266->251 266->252 266->253 266->254 266->255 266->256 266->257 266->258 266->260 266->261 266->262 266->263 266->265 266->267 266->275 266->276 266->277 266->278 266->279 267->260 271->265 296 40e640-40e64f 272->296 273->263 297 40e670-40e67f 274->297 275->275 281 40e8a7-40e8b3 call 40f3e0 275->281 289 40e8ee-40e95b 276->289 283 40e8e0-40e8e4 278->283 284 40e9e0-40e9f9 278->284 285 40ea83-40ea8b 278->285 286 40eb05-40eb17 278->286 287 40eb66-40eb74 278->287 288 40eb88-40eb93 278->288 278->289 290 40eaef-40eafe 278->290 291 40eab0-40eae8 278->291 292 40eb53 278->292 293 40ebb6-40ebc1 278->293 294 40eb77-40eb86 call 43fa70 278->294 295 40eb1e-40eb4c call 40ebf0 call 40ee90 278->295 298 40e822 279->298 299 40e858-40e874 call 40f3e0 279->299 317 40e8b8-40e8bb 281->317 306 40eb59-40eb5b 283->306 312 40ea00-40ea2a 284->312 304 40ea90-40ea98 285->304 286->286 286->287 286->288 286->290 286->291 286->292 286->293 286->295 287->294 310 40ebb1 288->310 311 40eb95-40eb98 288->311 308 40e960-40e98b 289->308 290->286 290->287 290->288 290->291 290->293 291->286 291->287 291->288 291->290 291->291 291->292 291->293 291->295 313 40ebe1-40ebe6 293->313 314 40ebc3-40ebc6 293->314 294->306 295->286 295->287 295->288 295->291 295->292 295->293 296->271 296->296 297->273 297->297 300 40e830-40e856 298->300 299->275 300->299 300->300 304->304 318 40ea9a-40eaa3 304->318 306->269 308->308 321 40e98d-40e9a5 308->321 310->293 323 40eba0-40ebaf 311->323 312->312 324 40ea2c-40ea3a 312->324 325 40ebd0-40ebdf 314->325 317->277 318->286 318->287 318->288 318->290 318->291 318->292 318->293 318->295 329 40e9d2-40e9d9 321->329 330 40e9a7-40e9ae 321->330 323->310 323->323 331 40ea75-40ea7c 324->331 332 40ea3c-40ea48 324->332 325->313 325->325 329->284 329->285 329->286 329->287 329->288 329->290 329->291 329->292 329->293 329->294 329->295 336 40e9b7-40e9bb 330->336 331->285 331->286 331->287 331->288 331->290 331->291 331->292 331->293 331->294 331->295 337 40ea57-40ea5b 332->337 339 40e9d0 336->339 340 40e9bd-40e9c4 336->340 341 40ea73 337->341 342 40ea5d-40ea64 337->342 339->329 346 40e9c6-40e9c8 340->346 347 40e9ca 340->347 341->331 343 40ea66-40ea68 342->343 344 40ea6a-40ea6d 342->344 343->344 348 40ea50-40ea55 344->348 349 40ea6f-40ea71 344->349 346->347 351 40e9b0-40e9b5 347->351 352 40e9cc-40e9ce 347->352 348->331 348->337 349->348 351->329 351->336 352->351
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 8bb9aebb9c54b6490bca37f358bf16680bae44c0cd9852744c619d89cdc703e0
                                                                                                                                • Instruction ID: 4178bb652700424da6393f65ed6620f78e34413e87d8e20b939448e80949a007
                                                                                                                                • Opcode Fuzzy Hash: 8bb9aebb9c54b6490bca37f358bf16680bae44c0cd9852744c619d89cdc703e0
                                                                                                                                • Instruction Fuzzy Hash: 6F0225B5904228CBDB108F25EC517EA77B1EF46305F0885B9D8897B392E3398E95CF58
                                                                                                                                Function 0040D3B0 Relevance: 6.0, APIs: 4, Instructions: 38threadCOMMON
                                                                                                                                Download Yara Rule

                                                                                                                                Control-flow Graph

                                                                                                                                APIs
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: CurrentProcess$ExitForegroundThreadWindow
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 3118123366-0
                                                                                                                                • Opcode ID: acaf13d4bb5d5f6d6abae6252a9918f372806909d9f32ed8bd04108ea8cc3273
                                                                                                                                • Instruction ID: e990a1058eb6ca0a81df5c7457857071c9d41d060ee41e8a1c2aff74a05b9a15
                                                                                                                                • Opcode Fuzzy Hash: acaf13d4bb5d5f6d6abae6252a9918f372806909d9f32ed8bd04108ea8cc3273
                                                                                                                                • Instruction Fuzzy Hash: 7EF0907454424097EB103BF6AD0A35F6B909F42359F04493EE991A72E2DA78445D862F
                                                                                                                                Function 0043FA86 Relevance: 1.5, APIs: 1, Instructions: 45memoryCOMMON
                                                                                                                                Download Yara Rule

                                                                                                                                Control-flow Graph

                                                                                                                                • Executed
                                                                                                                                • Not Executed
                                                                                                                                control_flow_graph 144 43fa86-43fa8d 145 43fab0-43fac2 144->145 146 43fa94-43faa1 144->146 147 43fae4-43faeb 144->147 148 43fadd-43fae3 144->148 149 43facc-43fad7 RtlFreeHeap 144->149 145->145 151 43fac4 145->151 146->145 147->145 150 43faed-43faef 147->150 149->148 152 43faf0-43fb00 150->152 151->149 152->152 153 43fb02 152->153 153->145
                                                                                                                                APIs
                                                                                                                                • RtlFreeHeap.NTDLL(?,00000000), ref: 0043FAD7
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: FreeHeap
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 3298025750-0
                                                                                                                                • Opcode ID: 7488e419f0cfcea59d1e9376a0c7e4a990412072db6e5d18cbf69759d3c82282
                                                                                                                                • Instruction ID: d179b2b5983affe406d73870410ae40159b4c9204c8d55e287f8208188dbf883
                                                                                                                                • Opcode Fuzzy Hash: 7488e419f0cfcea59d1e9376a0c7e4a990412072db6e5d18cbf69759d3c82282
                                                                                                                                • Instruction Fuzzy Hash: 5E01F974E45351DFD7114F24DC817963B21EB87319F28D4F9C5450AA23C13A8817EA04

                                                                                                                                Non-executed Functions

                                                                                                                                Function 0041FAC0 Relevance: 22.9, Strings: 17, Instructions: 1635COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: $$%*+$%&' $()./$0$1+%6$123($4$5670$9:;D$<E:G$@A$ADD!$Q=A?$\#hb$sd[m$t#hb
                                                                                                                                • API String ID: 0-2376865391
                                                                                                                                • Opcode ID: ff9e2e8eb71838ade9466877f717999b75702e22e96f871a1df983e868678c7b
                                                                                                                                • Instruction ID: 0cdfcdb6ad0cba2ef8dd4ab68e61697dceadea425052f72921e7c4d480545894
                                                                                                                                • Opcode Fuzzy Hash: ff9e2e8eb71838ade9466877f717999b75702e22e96f871a1df983e868678c7b
                                                                                                                                • Instruction Fuzzy Hash: DCC2FF716083908BD734CF25D8907ABBBE1EFD5304F58892EE5C98B392DB789405CB96
                                                                                                                                Function 0042887E Relevance: 20.9, Strings: 16, Instructions: 923COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: %e6g$(M9K$(a*c$5e3c$7y=w$9i)g$9us$<m&k$>y<{$?m,o$@A$Gt$S}$\9g7$`1J/$y5`3
                                                                                                                                • API String ID: 0-3300013789
                                                                                                                                • Opcode ID: b3ae8b8b114709f05f7697672f671d91b0358f3eae97932b41e65e00ba6aa127
                                                                                                                                • Instruction ID: 5475ced32265a01936ecc1564a96b4a0b0edaac9dccd36e81ee5a3d0dd4edc8f
                                                                                                                                • Opcode Fuzzy Hash: b3ae8b8b114709f05f7697672f671d91b0358f3eae97932b41e65e00ba6aa127
                                                                                                                                • Instruction Fuzzy Hash: 53B209B450D3858AE374CF169585BCFBAE2BBD6304F508A2DC5DDAB245DBB4004A8F93
                                                                                                                                Function 00401000 Relevance: 19.5, Strings: 14, Instructions: 1989COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: $ $ $ $ $ $ $-$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff$gfff$gfff
                                                                                                                                • API String ID: 0-3131871939
                                                                                                                                • Opcode ID: 4688b2b43ab63ef7a6da01349447995b98ef1e8e7db967d5f962d2d7eb776118
                                                                                                                                • Instruction ID: 101777ef22c6754d8b64c349831144d5e0a61e6f468e081381994eb0c170f9ac
                                                                                                                                • Opcode Fuzzy Hash: 4688b2b43ab63ef7a6da01349447995b98ef1e8e7db967d5f962d2d7eb776118
                                                                                                                                • Instruction Fuzzy Hash: 14E2D2716083418FC718CF28C49436BBBE2AF95314F18867EE495AB3D1D778D949CB8A
                                                                                                                                Function 00410A25 Relevance: 18.5, APIs: 2, Strings: 8, Instructions: 955COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: "$&$>)67$@-?+$DC$K%Q#$L!C/$t
                                                                                                                                • API String ID: 0-2800533710
                                                                                                                                • Opcode ID: b78a32198d2853b99fbd9902af1043299c07f47d5d587fb1560fd5f5fd90c3ff
                                                                                                                                • Instruction ID: 22d6a7fce826a70158146a363462a3deb8b5a2485124a75c425d80baadd12ee7
                                                                                                                                • Opcode Fuzzy Hash: b78a32198d2853b99fbd9902af1043299c07f47d5d587fb1560fd5f5fd90c3ff
                                                                                                                                • Instruction Fuzzy Hash: 545266B550D3908BD3309F2598917EFBBE1AF92308F08492ED4C95B342DB79454ACB9B
                                                                                                                                Function 0043D51B Relevance: 18.1, APIs: 9, Strings: 1, Instructions: 582memoryCOMMON
                                                                                                                                Download Yara Rule
                                                                                                                                APIs
                                                                                                                                • SysAllocString.OLEAUT32(?), ref: 0043D58C
                                                                                                                                • SysAllocString.OLEAUT32(49B14BA1), ref: 0043D625
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: AllocString
                                                                                                                                • String ID: 7S
                                                                                                                                • API String ID: 2525500382-3215821608
                                                                                                                                • Opcode ID: ae1e4323c879f9612ef9c138f1dd212f8f4ba9ed18c7680e73838219a9c60faf
                                                                                                                                • Instruction ID: 90ec29fec93c7cfd4de07fd8a6ff55c7651c72fb09f0651a70dab8b8418a7737
                                                                                                                                • Opcode Fuzzy Hash: ae1e4323c879f9612ef9c138f1dd212f8f4ba9ed18c7680e73838219a9c60faf
                                                                                                                                • Instruction Fuzzy Hash: 5D121C75A04B00CFD7248F64E895B6BB7F1FB89315F14882DE4868B3A1D779E806CB48
                                                                                                                                Function 0040DCE0 Relevance: 17.8, Strings: 14, Instructions: 335COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: 7CuA$>O8M$@;A9$A7S5$D[$J#Y!$KK1I$L3V1$SGXE$h$h'm%$s+\)$s?A=$t|z
                                                                                                                                • API String ID: 0-3010994514
                                                                                                                                • Opcode ID: 86a504a3698064a25f81ded41ea5c062fb61d31d3ea170969a156a27c4bd3615
                                                                                                                                • Instruction ID: 7761f034c74f9c9e30e935b1b5e7218b8f50131cc6efa359640df16dfdcc2a13
                                                                                                                                • Opcode Fuzzy Hash: 86a504a3698064a25f81ded41ea5c062fb61d31d3ea170969a156a27c4bd3615
                                                                                                                                • Instruction Fuzzy Hash: E1C1AEB16083808BD314DF25D885B6FBBE5EBD1318F04892DE0D59B292D779C50A8B97
                                                                                                                                Function 004012D5 Relevance: 16.0, Strings: 12, Instructions: 987COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: 0$0$0$0000$0000$0000$0000$0000$0000$0000$@$i
                                                                                                                                • API String ID: 0-3385986306
                                                                                                                                • Opcode ID: a1f43db2f7be09718708c2903418f5fece49f3b1bd945d9c53d8bd7931b09763
                                                                                                                                • Instruction ID: 0fed1d273d18c9fc80819ead81e234c72aa7e2066967220cc219484fac48f78a
                                                                                                                                • Opcode Fuzzy Hash: a1f43db2f7be09718708c2903418f5fece49f3b1bd945d9c53d8bd7931b09763
                                                                                                                                • Instruction Fuzzy Hash: 8282D5756093418FC719CF28C69431BBBE1AB85304F18896EE8D6A73D1D3B8DD05CB8A
                                                                                                                                Function 0043C8B0 Relevance: 15.3, Strings: 12, Instructions: 287COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: H$J$O$P$S$V$v$x$|$|$~$~
                                                                                                                                • API String ID: 0-820258909
                                                                                                                                • Opcode ID: b97a5fbea998c26582eb7d1354911f23b61f41a072808d86457a7d4931104dd6
                                                                                                                                • Instruction ID: 7bfccf09b4f650d6dfdc05a38d726c91f6f96fa7c73994e30f76638ee4fd21e4
                                                                                                                                • Opcode Fuzzy Hash: b97a5fbea998c26582eb7d1354911f23b61f41a072808d86457a7d4931104dd6
                                                                                                                                • Instruction Fuzzy Hash: EFA13363A0C3D04AE311953C988435FAFC25BEA224F2D9B6EE0E5973C6D16DC9068367
                                                                                                                                Function 0041E04E Relevance: 14.6, APIs: 4, Strings: 4, Instructions: 560COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: LM$y~$}w$~y
                                                                                                                                • API String ID: 0-3879303600
                                                                                                                                • Opcode ID: bbc97acd0531e54897847cc745a51847c17704831f1903a473a7a610caf0729e
                                                                                                                                • Instruction ID: 8c83ea0bf7543ab56bd2cd0b71f7d7a08b0ec3716a63456ac40298acc96de63b
                                                                                                                                • Opcode Fuzzy Hash: bbc97acd0531e54897847cc745a51847c17704831f1903a473a7a610caf0729e
                                                                                                                                • Instruction Fuzzy Hash: 16228CB56083418FC324DF29D8516ABBBE1FFC9354F14892DE4D98B391DB389942CB86
                                                                                                                                Function 00430150 Relevance: 13.7, Strings: 10, Instructions: 1158COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: hzM$(}*($7*`{$8,11$:"@h$::18$=47"$AU"$KKPV$WDHZ
                                                                                                                                • API String ID: 0-1759995592
                                                                                                                                • Opcode ID: 07aa4c79e8bc3f8a2298fa79104ec141787d55c65b925320b16d2a05676bf836
                                                                                                                                • Instruction ID: 09096fa919a5567b7248768961b34532a4873ca7c454811cafd359f73341127e
                                                                                                                                • Opcode Fuzzy Hash: 07aa4c79e8bc3f8a2298fa79104ec141787d55c65b925320b16d2a05676bf836
                                                                                                                                • Instruction Fuzzy Hash: DF7227B4104B818EE7258F3584A17A3BBE1EF67304F185A9DC1EB4B387C779640ACB59
                                                                                                                                Function 0041EA04 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 131COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                APIs
                                                                                                                                • FindWindowExW.USER32(00000000,00000000,~y,00000000), ref: 0041E6F9
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: FindWindow
                                                                                                                                • String ID: y~$}w$~y
                                                                                                                                • API String ID: 134000473-1989673006
                                                                                                                                • Opcode ID: 1a15ae024d7f99ccd19d4cdc6601f5c822f6a060500fa49f39cf289540dc2004
                                                                                                                                • Instruction ID: 8fa064fe989da162a09cfd024eb2c1d10865f3525310571a84e60e63bd872c59
                                                                                                                                • Opcode Fuzzy Hash: 1a15ae024d7f99ccd19d4cdc6601f5c822f6a060500fa49f39cf289540dc2004
                                                                                                                                • Instruction Fuzzy Hash: 9A519EB9608340DFD7249F29E85569EBBE1EFCA358F15883DE08997260DB34D841CF4A
                                                                                                                                Function 0040D920 Relevance: 11.6, Strings: 9, Instructions: 304COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: IFAJ$IWWL$N$ZCQ_$[OYl$iim"$vp~z${u$/\
                                                                                                                                • API String ID: 0-3221930232
                                                                                                                                • Opcode ID: 5ac3e90acf6cf4197e9e3973db78e77975f687b2e80a9dc7632e15ce6ff26def
                                                                                                                                • Instruction ID: 3cd8491b4c6e5ad3ac8144e79e129a0b9d9506a9260e081bfc8dd403f91890c4
                                                                                                                                • Opcode Fuzzy Hash: 5ac3e90acf6cf4197e9e3973db78e77975f687b2e80a9dc7632e15ce6ff26def
                                                                                                                                • Instruction Fuzzy Hash: 49A1D07150C3918FD321CF69945076BFBE0AF92340F0989ADE4D59B392C778C80ACB96
                                                                                                                                Function 0041F4FE Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 323threadCOMMON
                                                                                                                                Download Yara Rule
                                                                                                                                APIs
                                                                                                                                • FindWindowExW.USER32(00000000,00000000,?,00000000), ref: 0041F5EA
                                                                                                                                • GetWindowThreadProcessId.USER32(?,00000000), ref: 0041F671
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: Window$FindProcessThread
                                                                                                                                • String ID: AJ$CH$G1$MC
                                                                                                                                • API String ID: 3928697162-238866447
                                                                                                                                • Opcode ID: c1cd8077a8b7c83b01cd7faf5c761782ea42803950c46ec9be2c776b6e49e203
                                                                                                                                • Instruction ID: 935b8ce65f4e069cb6350ff407b478ca02d57a530447f577a512087d005e0e56
                                                                                                                                • Opcode Fuzzy Hash: c1cd8077a8b7c83b01cd7faf5c761782ea42803950c46ec9be2c776b6e49e203
                                                                                                                                • Instruction Fuzzy Hash: 8FB1D175608340DFD724DF24D8827ABB7E1FF86314F08893DE199872A1E738994ACB56
                                                                                                                                Function 004234E0 Relevance: 9.5, Strings: 7, Instructions: 741COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: .CB$C@B$LBB$[+qe$[+qe$sFB$BB
                                                                                                                                • API String ID: 0-739636764
                                                                                                                                • Opcode ID: 5c9d5d9390ff0eb49d5f1a9f07ea6a798de6da6d2e9248a38c229d17e14686c5
                                                                                                                                • Instruction ID: 9a2725c4ff9d39b3699637fcab48f63eb0a8f422487124d8ee216ac70c3d1f72
                                                                                                                                • Opcode Fuzzy Hash: 5c9d5d9390ff0eb49d5f1a9f07ea6a798de6da6d2e9248a38c229d17e14686c5
                                                                                                                                • Instruction Fuzzy Hash: A2726EB0608B808ED3668F3C8845797BFE56B5A324F088A5DE0FE873D2C7796505C766
                                                                                                                                Function 00438370 Relevance: 9.2, APIs: 6, Instructions: 153clipboardCOMMON
                                                                                                                                Download Yara Rule
                                                                                                                                APIs
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: Clipboard$CloseDataLongOpenWindow
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 1647500905-0
                                                                                                                                • Opcode ID: b1c58921e16ab82907a5d47e5604648a63aa052bc938c426cf1c1cbad9e4385e
                                                                                                                                • Instruction ID: 42a29a707641a5fe3486f9e7e90e326415fee62fee6dcec29d30508dd68f1816
                                                                                                                                • Opcode Fuzzy Hash: b1c58921e16ab82907a5d47e5604648a63aa052bc938c426cf1c1cbad9e4385e
                                                                                                                                • Instruction Fuzzy Hash: 225104B1908B528FD700AB78D84535EBFA0AB46314F05873EE8A897382D7799914C797
                                                                                                                                Function 004445F0 Relevance: 8.2, Strings: 6, Instructions: 719COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: $$032$4032$InA>$MJKH$| |:
                                                                                                                                • API String ID: 0-4251585510
                                                                                                                                • Opcode ID: 0428d189452967acc5740c7de1aff89c0245d2c285d34fc2b2b73b59c090fe8a
                                                                                                                                • Instruction ID: e8b507d4a16330488a19eed65e2c1487a21812151c0ba38de82894e2a7fcb06c
                                                                                                                                • Opcode Fuzzy Hash: 0428d189452967acc5740c7de1aff89c0245d2c285d34fc2b2b73b59c090fe8a
                                                                                                                                • Instruction Fuzzy Hash: 4B3204716083914FE315CF28D49035FB7E1ABC5314F19C92DE9EA9B391DB798806CB86
                                                                                                                                Function 0042DFB2 Relevance: 7.9, Strings: 6, Instructions: 414COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: V,V+$\#hb$]]EX$^$^#$^B$t#hb
                                                                                                                                • API String ID: 0-630468373
                                                                                                                                • Opcode ID: 025c52ecaba928678a0f8443ca149bc069b6e3f872b8f9566153fe071fb70bc8
                                                                                                                                • Instruction ID: 57b770c341d16f568a18a3c133062155c4b3b384361e28130a1793fe0ea7b188
                                                                                                                                • Opcode Fuzzy Hash: 025c52ecaba928678a0f8443ca149bc069b6e3f872b8f9566153fe071fb70bc8
                                                                                                                                • Instruction Fuzzy Hash: 3BD102B46083409FD7109F25E851A2BB7E2FF86308F54492EF59587392E779E806CB4A
                                                                                                                                Function 0040EE90 Relevance: 7.9, Strings: 6, Instructions: 397COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: 9'gs$YyH$`yH$gb(+$n`of$zlbz
                                                                                                                                • API String ID: 0-4121521804
                                                                                                                                • Opcode ID: cca8f8bdc51d771d5cdffa8e875e75e70432fc4e86629bda27449da1dd385511
                                                                                                                                • Instruction ID: c1f188d87d3084bc4f56a2591b9d7166971c81f39adc602ea891df7a547574bb
                                                                                                                                • Opcode Fuzzy Hash: cca8f8bdc51d771d5cdffa8e875e75e70432fc4e86629bda27449da1dd385511
                                                                                                                                • Instruction Fuzzy Hash: C1C124B160C3908BC324CF69849036FBBD2ABC5714F59C97DE8D55B785D63A8C0E8B86
                                                                                                                                Function 0041D63C Relevance: 7.9, Strings: 6, Instructions: 384COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: &8&!$.0.)$/OK4$3 $D$n( T
                                                                                                                                • API String ID: 0-3512958490
                                                                                                                                • Opcode ID: 6c454ae20e7c1b4bbabf68382af3ff9fbd7cf2acddd908a95c5dac4e86348112
                                                                                                                                • Instruction ID: 76df69acd2d9e35b39554acb681b97fbbc27b625d5624549299d00e6d137f1fb
                                                                                                                                • Opcode Fuzzy Hash: 6c454ae20e7c1b4bbabf68382af3ff9fbd7cf2acddd908a95c5dac4e86348112
                                                                                                                                • Instruction Fuzzy Hash: 40C153B59083409FD724DF24D8827EBB7E1EF86304F18493EE5D987282D739A845CB96
                                                                                                                                Function 0042BD10 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 362COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: 01$X\
                                                                                                                                • API String ID: 0-2664024336
                                                                                                                                • Opcode ID: 274db376034a86849f4495283a61506d05a9e5c33179f78781357797e1be10a3
                                                                                                                                • Instruction ID: 62973eb80c73ae1c01dd6e674774436ffe63ffcadf7f1bf946ec4ddfe746585e
                                                                                                                                • Opcode Fuzzy Hash: 274db376034a86849f4495283a61506d05a9e5c33179f78781357797e1be10a3
                                                                                                                                • Instruction Fuzzy Hash: 8BC1EFB6A1C3409FD3249F21D88165FBBE2FFC6308F44992DE4C59B251D778890ACB86
                                                                                                                                Function 00421030 Relevance: 7.1, Strings: 5, Instructions: 810COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: !{$E*ht$^*ht$S2Q_]$_]
                                                                                                                                • API String ID: 0-3286502999
                                                                                                                                • Opcode ID: beeb1c612a1fb47f2d920e0165158d2b9a9a9fb7679d6c9dfa39da07e1b83b2b
                                                                                                                                • Instruction ID: c9949d9a0da5f2e4d6d249a4f03a3bd16e745a56b7a89cc9ce3d38fe82c7cdc0
                                                                                                                                • Opcode Fuzzy Hash: beeb1c612a1fb47f2d920e0165158d2b9a9a9fb7679d6c9dfa39da07e1b83b2b
                                                                                                                                • Instruction Fuzzy Hash: CC3233B5E00214CFCB20CF64D8926ABBBB1FF55314F19856DD8856B3A2D738A902CBD5
                                                                                                                                Function 00401328 Relevance: 6.6, Strings: 5, Instructions: 389COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff
                                                                                                                                • API String ID: 0-3620105454
                                                                                                                                • Opcode ID: 1600b9b73e1175bdb8f038b483b4f66fc6b7b1b9cb751b2cc8175e02197529e6
                                                                                                                                • Instruction ID: 91f746329fa6188a5dbc8e2170b1b7322da1766379b05b56bd4c62466398d73b
                                                                                                                                • Opcode Fuzzy Hash: 1600b9b73e1175bdb8f038b483b4f66fc6b7b1b9cb751b2cc8175e02197529e6
                                                                                                                                • Instruction Fuzzy Hash: F2E1A07160C3918FC715CF29C48026AFBE1AFD9314F088A7EE8D997392D278D945CB96
                                                                                                                                Function 0042E10F Relevance: 6.5, Strings: 5, Instructions: 281COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: (E$G$@A$Q=@?$U9N;$|}
                                                                                                                                • API String ID: 0-552327553
                                                                                                                                • Opcode ID: 2ae662a00cfc873b0f0295d400148b6f5e759286203671d0185d80171123b5dd
                                                                                                                                • Instruction ID: c78291319c0a57a4da99ec457094a5d217ecdb6fd5219509090e7fc87b15f036
                                                                                                                                • Opcode Fuzzy Hash: 2ae662a00cfc873b0f0295d400148b6f5e759286203671d0185d80171123b5dd
                                                                                                                                • Instruction Fuzzy Hash: 2C810171608311CBD7049F16D85236BB7F1FF82365F09896DE8868B3A1E7389845CB9A
                                                                                                                                Function 004287A9 Relevance: 6.4, Strings: 5, Instructions: 186COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: "<:>$(_$0>?<$KVQA$OFH<
                                                                                                                                • API String ID: 0-2113312026
                                                                                                                                • Opcode ID: c9bb51d687cdd02adafee477690a4f16a2bb57e41c012a4b8aff86127128f03a
                                                                                                                                • Instruction ID: 941fb8ae9adabeb64745f3378f0ec6abec82f3f12a04c6f5502a3ca5f5bae24a
                                                                                                                                • Opcode Fuzzy Hash: c9bb51d687cdd02adafee477690a4f16a2bb57e41c012a4b8aff86127128f03a
                                                                                                                                • Instruction Fuzzy Hash: 3F513671B483618FD7348E2494913ABBBE2AF55340F884A3ECDC687381E23CA855D747
                                                                                                                                Function 00440A10 Relevance: 5.7, Strings: 4, Instructions: 708COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: InitializeThunk
                                                                                                                                • String ID: $'%!$InA>$InA>$f
                                                                                                                                • API String ID: 2994545307-1445933509
                                                                                                                                • Opcode ID: 27164890fba86e7fac6087ebea13425d9570a10549c15935ac4a6ce453b4337b
                                                                                                                                • Instruction ID: 73faf7e215e9bc0a2b2b1a5a7567b0054daa084ea624b50931e86eba0e78a371
                                                                                                                                • Opcode Fuzzy Hash: 27164890fba86e7fac6087ebea13425d9570a10549c15935ac4a6ce453b4337b
                                                                                                                                • Instruction Fuzzy Hash: 1F32D3726093419FD714CF19C88062BBBE2EFC8314F188A2EF59997391D778E845CB96
                                                                                                                                Function 0042D5EC Relevance: 5.4, Strings: 4, Instructions: 415COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: :WU$:WU$P_$P_
                                                                                                                                • API String ID: 0-4003749108
                                                                                                                                • Opcode ID: 6c70301db80bef2e1f981dec179ae87ae0c8a761cb45e6c1b858b4ac88bd9c2c
                                                                                                                                • Instruction ID: d701651b7d10b4f33d46f1fbffcd9181ea1c19d49c92bad2d3dd6d2b88591347
                                                                                                                                • Opcode Fuzzy Hash: 6c70301db80bef2e1f981dec179ae87ae0c8a761cb45e6c1b858b4ac88bd9c2c
                                                                                                                                • Instruction Fuzzy Hash: 1AD1FEB5A083609FE320CF11E881B2FB7A5FB85704F54492EF9896B391C7759806CB97
                                                                                                                                Function 00438560 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 161COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                APIs
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: MetricsSystem
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 4116985748-3916222277
                                                                                                                                • Opcode ID: ccd0a22b71e5a9a46504b244f3d6b60ef8c095823fa79e6dc71ff5c60581322c
                                                                                                                                • Instruction ID: 408ac61d4f5c63decdd9dfa485c4bde40ce7b5732bdf6efd290b49fc6c5484dd
                                                                                                                                • Opcode Fuzzy Hash: ccd0a22b71e5a9a46504b244f3d6b60ef8c095823fa79e6dc71ff5c60581322c
                                                                                                                                • Instruction Fuzzy Hash: D4A14BB44183818FE370DF65D58979BBBF0BB89308F50892EE5988B351D7B894588F87
                                                                                                                                Function 00424A20 Relevance: 5.4, Strings: 4, Instructions: 405COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: kji$ijk$.y-{$1I.K
                                                                                                                                • API String ID: 0-3395142722
                                                                                                                                • Opcode ID: a46240760bae8ca1db3580102e26c91dd774c4895f19f79a0e8e4c40ee650677
                                                                                                                                • Instruction ID: 11c316db8ff005f455829cd2a24f26935f98377de9391a8fd86ba45ee71c0301
                                                                                                                                • Opcode Fuzzy Hash: a46240760bae8ca1db3580102e26c91dd774c4895f19f79a0e8e4c40ee650677
                                                                                                                                • Instruction Fuzzy Hash: 19C1CCB06083508BD324DF19E89176BB7F1FFD2350F558A1DE4958B790E7798801CB96
                                                                                                                                Function 0043CF50 Relevance: 5.3, Strings: 4, Instructions: 267COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: $$1$>$?
                                                                                                                                • API String ID: 0-3771279503
                                                                                                                                • Opcode ID: 32d39631a7f8bbe5c8c3ef3fe8fb0bce8194577a7724299be1329760f6ba4225
                                                                                                                                • Instruction ID: 1a515599f48da782ff4e9dd5c9326f08d90d15078a2965b7a9500146b7f44acf
                                                                                                                                • Opcode Fuzzy Hash: 32d39631a7f8bbe5c8c3ef3fe8fb0bce8194577a7724299be1329760f6ba4225
                                                                                                                                • Instruction Fuzzy Hash: CEA13871A0C3808BD7148A28E55136FBBE1ABDA318F19596FE4C2873C2D2BDC845C75B
                                                                                                                                Function 00431080 Relevance: 4.5, Strings: 3, Instructions: 735COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: 2DLV$y/(D$y/(D
                                                                                                                                • API String ID: 0-749025926
                                                                                                                                • Opcode ID: f6ba46e4d9465292cdc3a4b29f4232a583899189eb568e3c557834897cd2a5c2
                                                                                                                                • Instruction ID: 93bf73bded15121f8a18279367ab4f78eaf4e84a1c6820fbb24711a282db377f
                                                                                                                                • Opcode Fuzzy Hash: f6ba46e4d9465292cdc3a4b29f4232a583899189eb568e3c557834897cd2a5c2
                                                                                                                                • Instruction Fuzzy Hash: 3C22C270504B818EE7258F35C4517A3BFE1AFA6308F18999DC1EA8B793D779A406CB24
                                                                                                                                Function 00445200 Relevance: 4.4, Strings: 3, Instructions: 629COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: 2SD$A4:6$bXD
                                                                                                                                • API String ID: 0-2140995209
                                                                                                                                • Opcode ID: 6cae21e6fe175b21b15e54e54e59995ecd107e9b6b453f103d863bd8d64edee3
                                                                                                                                • Instruction ID: 11d4c822cf39b75c688cdf7c49f7de416892af4a1a09690a9cd2b8287affd853
                                                                                                                                • Opcode Fuzzy Hash: 6cae21e6fe175b21b15e54e54e59995ecd107e9b6b453f103d863bd8d64edee3
                                                                                                                                • Instruction Fuzzy Hash: DA120436A04311CFCB04CF68D8906AAB7E2BBC9315F1A857DD995A7362D734ED05CB84
                                                                                                                                Function 0042BEF1 Relevance: 4.3, Strings: 3, Instructions: 548COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: 4jt`$Tf$Yf
                                                                                                                                • API String ID: 0-1099603430
                                                                                                                                • Opcode ID: 71e57e20d68b458b0d830a9796cf536c805f468d3fdc145e6def885bad379f1e
                                                                                                                                • Instruction ID: 1dd103c3b59b4764da7bf18409810edf04ee5290017c2439f00cd1c0e7c8c6ab
                                                                                                                                • Opcode Fuzzy Hash: 71e57e20d68b458b0d830a9796cf536c805f468d3fdc145e6def885bad379f1e
                                                                                                                                • Instruction Fuzzy Hash: B5F143B2A08361CBC7048F65E89126FB7E2EFD6314F48496EE4C59B381D738D905CB96
                                                                                                                                Function 00410370 Relevance: 4.2, Strings: 3, Instructions: 461COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: C{$KH$wI
                                                                                                                                • API String ID: 0-157203947
                                                                                                                                • Opcode ID: bca7c62b493ab06c7c8ce0fdcdfc383c6b78a7a2d76a87ffb0a035524d40fbad
                                                                                                                                • Instruction ID: c63753b7beef783b0d393d03b54bf73bc687428a486ba5df504eac4547f19cbe
                                                                                                                                • Opcode Fuzzy Hash: bca7c62b493ab06c7c8ce0fdcdfc383c6b78a7a2d76a87ffb0a035524d40fbad
                                                                                                                                • Instruction Fuzzy Hash: 08F1DCB1901369DFDB208FA5DC90BAEBBB0FF06310F1485ADE499AB250D7749981CF94
                                                                                                                                Function 0043DFF4 Relevance: 4.2, Strings: 3, Instructions: 432COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: 45$bC$~9R7
                                                                                                                                • API String ID: 0-561344009
                                                                                                                                • Opcode ID: 359fedeed843609d1d7e17937a218735573331aa8e9ee2c505160050a2126a39
                                                                                                                                • Instruction ID: 9c9523a48764f32873432823f2f3e1e446dbdd8030d4da7ab5e1f39baf6529ec
                                                                                                                                • Opcode Fuzzy Hash: 359fedeed843609d1d7e17937a218735573331aa8e9ee2c505160050a2126a39
                                                                                                                                • Instruction Fuzzy Hash: 5AD12339609311CBC3288F24E9A027BB3F1FF89352F1998BDD886472A1E375D855C74A
                                                                                                                                Function 0042EAC6 Relevance: 4.1, Strings: 3, Instructions: 397COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: WR$hpe($jisa
                                                                                                                                • API String ID: 0-900985185
                                                                                                                                • Opcode ID: 90497e0d2bd5e46fc323a3b30b364bf6cc1c384f2f40e2ef656f0a00367ac58e
                                                                                                                                • Instruction ID: 76b366ded39cbc7bab2fcec30adc3ab02235251e32ec61e6162a5c7437aae9dc
                                                                                                                                • Opcode Fuzzy Hash: 90497e0d2bd5e46fc323a3b30b364bf6cc1c384f2f40e2ef656f0a00367ac58e
                                                                                                                                • Instruction Fuzzy Hash: 39C1687160C350CFD7049F2AE89262BBBE2BF86310F498A3DF491473A2D7398945CB56
                                                                                                                                Function 004087B0 Relevance: 4.1, Strings: 3, Instructions: 394COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: )$)$IEND
                                                                                                                                • API String ID: 0-588110143
                                                                                                                                • Opcode ID: 335c72d67481cae06a853780736b198312b62399bdbe8b0c4ea8ee73933a511d
                                                                                                                                • Instruction ID: e0a023ba6842bdf243cea2aaef61f1ef64000603d2e46d19818aa21c7c44a9ca
                                                                                                                                • Opcode Fuzzy Hash: 335c72d67481cae06a853780736b198312b62399bdbe8b0c4ea8ee73933a511d
                                                                                                                                • Instruction Fuzzy Hash: 2DE1CEB1A087019BE310DF29D88171BBBE0BB94314F14492EE594AB3C1DB79E915CBDA
                                                                                                                                Function 004324C0 Relevance: 4.1, Strings: 3, Instructions: 380COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: nlf$SIR8$cTRE
                                                                                                                                • API String ID: 0-4247039821
                                                                                                                                • Opcode ID: dbc3ef6d04ec2aeff451b5daa6cea7329f4c473a50f6725ed90af3322fa40a34
                                                                                                                                • Instruction ID: 5c41f9f10e9710ad44f36eb0adc576da28e28d931ccf3c23cd9d44f4b4f0ebd4
                                                                                                                                • Opcode Fuzzy Hash: dbc3ef6d04ec2aeff451b5daa6cea7329f4c473a50f6725ed90af3322fa40a34
                                                                                                                                • Instruction Fuzzy Hash: D8C19470504B828FE7258F3585617B3BFE1AF56308F18596EC0EB4B393D779640A8B14
                                                                                                                                Function 0042DB00 Relevance: 4.0, Strings: 3, Instructions: 228COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: @C$E3W5$E7DI
                                                                                                                                • API String ID: 0-1301438401
                                                                                                                                • Opcode ID: e6457749c9d90355d78f7d1a6f70fa1091b90ac086a4efb70956956a4ebb043e
                                                                                                                                • Instruction ID: 948636ce7c043e56beef18ed0fbb0b4e02903dcda245ef53bb284bee92987709
                                                                                                                                • Opcode Fuzzy Hash: e6457749c9d90355d78f7d1a6f70fa1091b90ac086a4efb70956956a4ebb043e
                                                                                                                                • Instruction Fuzzy Hash: EF81E2766083A08BD325DF24985076FBBE2FBC5314F16892DE5E65B380DBB498058BC3
                                                                                                                                Function 00445350 Relevance: 3.1, Strings: 2, Instructions: 555COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: A4:6$bXD
                                                                                                                                • API String ID: 0-812220484
                                                                                                                                • Opcode ID: be8a1e93beec42206226db99fb8f96fb83020c23fbf87102a359b8d0875b6f0d
                                                                                                                                • Instruction ID: c557dd710786daff9e12824a9640c8947cf44a96ece5e9095d9025a76061340c
                                                                                                                                • Opcode Fuzzy Hash: be8a1e93beec42206226db99fb8f96fb83020c23fbf87102a359b8d0875b6f0d
                                                                                                                                • Instruction Fuzzy Hash: 51020436A08211CFCB08CF28D8906AAB7E2BBCA315F1A857DD895D7362D734DD05CB94
                                                                                                                                Function 00445420 Relevance: 3.0, Strings: 2, Instructions: 544COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: A4:6$bXD
                                                                                                                                • API String ID: 0-812220484
                                                                                                                                • Opcode ID: 885e1cebc6a277f525b23b0771877defd6b066f0e9a4d59308c87310aa19a558
                                                                                                                                • Instruction ID: a77dce7f56afa4b04c325f6832fbe7cbb1a71508e3021f420b8737b78c66d03c
                                                                                                                                • Opcode Fuzzy Hash: 885e1cebc6a277f525b23b0771877defd6b066f0e9a4d59308c87310aa19a558
                                                                                                                                • Instruction Fuzzy Hash: 32F11636A086518FCB08CF28D8906AEB7F2ABCE315F1A457ED895E7352D634DD01CB94
                                                                                                                                Function 0042FA50 Relevance: 3.0, Strings: 2, Instructions: 524COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: "$"
                                                                                                                                • API String ID: 0-3758156766
                                                                                                                                • Opcode ID: 8b3f5a14e5a846375b48d12dd0cb3f800892d937d86425dcb62931da4092cba7
                                                                                                                                • Instruction ID: 4476169514b12b7e7f4c8638c1127e423d9bfaa8419bd3522fce36db7ceee1d1
                                                                                                                                • Opcode Fuzzy Hash: 8b3f5a14e5a846375b48d12dd0cb3f800892d937d86425dcb62931da4092cba7
                                                                                                                                • Instruction Fuzzy Hash: D9021472B083219FD714CE25E49076BB7F6AB85314F898A3FE89587381D778DD088786
                                                                                                                                Function 00422DC0 Relevance: 3.0, Strings: 2, Instructions: 516COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: "T'T$M1
                                                                                                                                • API String ID: 0-1318193541
                                                                                                                                • Opcode ID: 6338306c128710af588fe0e89f565ab7b7572973542bd13b4a6be02bdca2de2e
                                                                                                                                • Instruction ID: ed5fa16e6852106af2464ceb011c2266fb2fff31d05e78d0fffdbcfbdabed588
                                                                                                                                • Opcode Fuzzy Hash: 6338306c128710af588fe0e89f565ab7b7572973542bd13b4a6be02bdca2de2e
                                                                                                                                • Instruction Fuzzy Hash: 56F13272608310ABD300DF25EC42AAFBBE4EFC1314F05482EF8C19B392D638991597A7
                                                                                                                                Function 00421950 Relevance: 2.9, Strings: 2, Instructions: 432COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: |}$S2Q_]
                                                                                                                                • API String ID: 0-2747831751
                                                                                                                                • Opcode ID: 3bb6ff299abaab30bda7f6852d66e74b928a81babe280c0c728efcad9aab0744
                                                                                                                                • Instruction ID: ac12280f9b662e673f487a6b4eb8f42720d211e0c0ebde193e98319435743045
                                                                                                                                • Opcode Fuzzy Hash: 3bb6ff299abaab30bda7f6852d66e74b928a81babe280c0c728efcad9aab0744
                                                                                                                                • Instruction Fuzzy Hash: CFB145B5A083218BC714DF18C89226BB7F1FF91354F588A1DE8D59B3A0E738D905CB96
                                                                                                                                Function 004038E0 Relevance: 2.9, Strings: 2, Instructions: 404COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: Inf$NaN
                                                                                                                                • API String ID: 0-3500518849
                                                                                                                                • Opcode ID: bf1ae86c578e8204530d5ba78fb4d53c8c8cc03c9d892df3de94ca516da96891
                                                                                                                                • Instruction ID: e3bdea5c2a4706d59b20d4a8c1d50ca0f925814802cbef3ae0f51bad0ba2e7bb
                                                                                                                                • Opcode Fuzzy Hash: bf1ae86c578e8204530d5ba78fb4d53c8c8cc03c9d892df3de94ca516da96891
                                                                                                                                • Instruction Fuzzy Hash: 71D1D372A083119BC704CF28C88061BBBE5EFC4750F158A3EE899A73D1E774DD458B86
                                                                                                                                Function 00443D80 Relevance: 2.8, Strings: 2, Instructions: 286COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: InitializeThunk
                                                                                                                                • String ID: MJKH$MJKH
                                                                                                                                • API String ID: 2994545307-2671171847
                                                                                                                                • Opcode ID: fbdd01f1e1e0d77b282fd944822f1a42216d9ce0b7b8ff1097f6b71d5947bb9f
                                                                                                                                • Instruction ID: 5ae563ed604da59933f0f64cf7ea7f2bd63e45b76cbe457e6d8205ee637e0c28
                                                                                                                                • Opcode Fuzzy Hash: fbdd01f1e1e0d77b282fd944822f1a42216d9ce0b7b8ff1097f6b71d5947bb9f
                                                                                                                                • Instruction Fuzzy Hash: BF9104B1A09341AFF724DF24C841B7BB3E1EB85715F64882EF58587382E734E9148B5A
                                                                                                                                Function 00431C49 Relevance: 2.8, Strings: 2, Instructions: 284COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: SIR8$cTRE
                                                                                                                                • API String ID: 0-1060835337
                                                                                                                                • Opcode ID: ecb6408f2cbda8ea49ef1e50db62e73776f88d74765f03173d967f7e5ef5402e
                                                                                                                                • Instruction ID: b0ab21e2cca83c1d2a440cda4bde423814718bd2d9c45b6cdb83b84933863b3f
                                                                                                                                • Opcode Fuzzy Hash: ecb6408f2cbda8ea49ef1e50db62e73776f88d74765f03173d967f7e5ef5402e
                                                                                                                                • Instruction Fuzzy Hash: DC91A370504B818FE72A8F3581617A3FBE1AF56308F18596EC0EB97343D779A40ACB54
                                                                                                                                Function 00428480 Relevance: 2.6, Strings: 2, Instructions: 131COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: P_$CA
                                                                                                                                • API String ID: 0-2707358116
                                                                                                                                • Opcode ID: 1238a5a30a8c4caa083d7f8ca0101aecf10458e43971ab8868b5495b46e00ece
                                                                                                                                • Instruction ID: 419a31cf97763863812aaf18cc81c7623c34b9d56e38cc3c6b3874f41de0fd08
                                                                                                                                • Opcode Fuzzy Hash: 1238a5a30a8c4caa083d7f8ca0101aecf10458e43971ab8868b5495b46e00ece
                                                                                                                                • Instruction Fuzzy Hash: 4A41FFB1A09350ABD310CF15D84171FBAA6FBC2714F55C92CF8A86B285EB758906CB87
                                                                                                                                Function 00432490 Relevance: 2.6, Strings: 2, Instructions: 120COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: r&C$~,C
                                                                                                                                • API String ID: 0-2414271609
                                                                                                                                • Opcode ID: be27332b3e903740f9d417f84b692730f1c0a9da0d489a58b02a23547bd50a26
                                                                                                                                • Instruction ID: b396d754127ba242785f4fda21e8a488869e66747b7fbb0ec97aa8a08987ecee
                                                                                                                                • Opcode Fuzzy Hash: be27332b3e903740f9d417f84b692730f1c0a9da0d489a58b02a23547bd50a26
                                                                                                                                • Instruction Fuzzy Hash: 3B31B139218642CBF75C8E38CAA677B3690DF09324F24C93E9157C36E0CE7EC9458A14
                                                                                                                                Function 00427C8A Relevance: 2.6, Strings: 2, Instructions: 93COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: ?{B$bq
                                                                                                                                • API String ID: 0-1180995456
                                                                                                                                • Opcode ID: 568d50dbdbe171ad527b722c8f10f8b1acceadaa58bed37b98812ca4e7ef814d
                                                                                                                                • Instruction ID: 65cda57e41fdf4546b8e1c4ccdbbd3d90eb800a71279c99a560d83a9a90d7d91
                                                                                                                                • Opcode Fuzzy Hash: 568d50dbdbe171ad527b722c8f10f8b1acceadaa58bed37b98812ca4e7ef814d
                                                                                                                                • Instruction Fuzzy Hash: 82310EB86083409FD764CF22C485AA93F72FB9A318B68859CE0855F602C7768443CF85
                                                                                                                                Function 00405450 Relevance: 1.8, Strings: 1, Instructions: 553COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: %1.17g
                                                                                                                                • API String ID: 0-1551345525
                                                                                                                                • Opcode ID: 4958b68b4abdcbef37e8c63496f9603c099a9c4d592ce34567467f112fe2be4d
                                                                                                                                • Instruction ID: 3b12911e4b7e2c9862a41f465c3b175af3bb7d1728aa4b8ea52e6a75e00cba16
                                                                                                                                • Opcode Fuzzy Hash: 4958b68b4abdcbef37e8c63496f9603c099a9c4d592ce34567467f112fe2be4d
                                                                                                                                • Instruction Fuzzy Hash: 3E12E3B1A08B418BE7158E599480327BBE2EFA1314F19C57ED889AB3C1E779DC05CF46
                                                                                                                                Function 0042AED0 Relevance: 1.7, Strings: 1, Instructions: 498COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: qt
                                                                                                                                • API String ID: 0-1670719628
                                                                                                                                • Opcode ID: 2aaa27df0e2d50640f60f1b8e6183033bdc9d62f1fffba5728e7187cb037bcab
                                                                                                                                • Instruction ID: f17aaa0b86326b65abb41e7b1b340d6a9cb93af7fc7eaa844b36f823cc1c4d59
                                                                                                                                • Opcode Fuzzy Hash: 2aaa27df0e2d50640f60f1b8e6183033bdc9d62f1fffba5728e7187cb037bcab
                                                                                                                                • Instruction Fuzzy Hash: CEF110B4608350DFE724EF25E881A2BB7E1FF86304F44892EE5855B352DB74D805CB9A
                                                                                                                                Function 00426800 Relevance: 1.7, APIs: 1, Instructions: 241comCOMMON
                                                                                                                                Download Yara Rule
                                                                                                                                APIs
                                                                                                                                • CoCreateInstance.OLE32(004499D8,00000000,00000001,004499C8), ref: 00426829
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: CreateInstance
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 542301482-0
                                                                                                                                • Opcode ID: ae7c93915fa95cb82f3b7294a53bec6182d15dbb356966dfa8c641af642d9a5a
                                                                                                                                • Instruction ID: 24e79b928680445ce27b8a3544bf7846d76a9c9f88b5198a53eb8a4f63fa0014
                                                                                                                                • Opcode Fuzzy Hash: ae7c93915fa95cb82f3b7294a53bec6182d15dbb356966dfa8c641af642d9a5a
                                                                                                                                • Instruction Fuzzy Hash: 3751F0B0700220ABDB20AB24EC92B7773B4EF81358F494519F985CB391E779EC41C76A
                                                                                                                                Function 00434D1D Relevance: 1.7, APIs: 1, Instructions: 183memoryCOMMON
                                                                                                                                Download Yara Rule
                                                                                                                                APIs
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: AllocString
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 2525500382-0
                                                                                                                                • Opcode ID: 7fd20a579ea73c60a6280236d43ae63f949e7b60f797acb06a429b5e61f4b27e
                                                                                                                                • Instruction ID: 52809de13cd0a1a38283b2dbb77d3f621195661b64692015bc0b5373c378679f
                                                                                                                                • Opcode Fuzzy Hash: 7fd20a579ea73c60a6280236d43ae63f949e7b60f797acb06a429b5e61f4b27e
                                                                                                                                • Instruction Fuzzy Hash: B0A1F82151CFC1CAD336863C88583D7AED11B67325F480B9DD1FE4A3E2D7A96106C766
                                                                                                                                Function 0042A39D Relevance: 1.7, Strings: 1, Instructions: 416COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: PQ
                                                                                                                                • API String ID: 0-3876466377
                                                                                                                                • Opcode ID: 71a91a3be48a19155d4bded7757ab1b66e7e7037330cbb0f818b414c5ef0105a
                                                                                                                                • Instruction ID: b070b13148877ac0b9ec4b86a44beec9476e8f35f9b5aac449548ff5bb479c58
                                                                                                                                • Opcode Fuzzy Hash: 71a91a3be48a19155d4bded7757ab1b66e7e7037330cbb0f818b414c5ef0105a
                                                                                                                                • Instruction Fuzzy Hash: AEC13375608312CBC324CF24D8806ABF7E1FF95744F598D2DE8C587260E7789955CB8A
                                                                                                                                Function 0040CE30 Relevance: 1.6, Strings: 1, Instructions: 399COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: -
                                                                                                                                • API String ID: 0-2547889144
                                                                                                                                • Opcode ID: 5e7079cf28da42efe8901ac0426dff04d4488b3e3c82b0b0fbb4bd13ceec653c
                                                                                                                                • Instruction ID: 5507a489e66f0186a7899ca2d067c5e1e299c4d7b9079eeb8fb9d165490ca065
                                                                                                                                • Opcode Fuzzy Hash: 5e7079cf28da42efe8901ac0426dff04d4488b3e3c82b0b0fbb4bd13ceec653c
                                                                                                                                • Instruction Fuzzy Hash: 25D10C71A083454BC7189E69D8D026BBBE3AFC1324F18873EE4E5573D5D73C990A8B86
                                                                                                                                Function 0043D2E0 Relevance: 1.6, APIs: 1, Instructions: 88COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 3037aa8af7f4253e79c1982fe6ff3488989d181d5caee9e140916971b841a0fd
                                                                                                                                • Instruction ID: 34ac70621be19dde34e123764c5197504bef41733df621d27a1fb17218b9c424
                                                                                                                                • Opcode Fuzzy Hash: 3037aa8af7f4253e79c1982fe6ff3488989d181d5caee9e140916971b841a0fd
                                                                                                                                • Instruction Fuzzy Hash: F93157B0510F008BE334CF21D869B53BBF0FF45718F404A2DD5D20AA91D3BAB4098BA6
                                                                                                                                Function 0043D466 Relevance: 1.6, APIs: 1, Instructions: 62memoryCOMMON
                                                                                                                                Download Yara Rule
                                                                                                                                APIs
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: AllocString
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 2525500382-0
                                                                                                                                • Opcode ID: 7819db4cce8e9b1cce8bb710776f3484b988ed220f07b5a2926d41beb4e1beda
                                                                                                                                • Instruction ID: 4b478d9f06ebff4e72fe29629d2113fbec3f5f24fda3be2d3117f0841a6311a3
                                                                                                                                • Opcode Fuzzy Hash: 7819db4cce8e9b1cce8bb710776f3484b988ed220f07b5a2926d41beb4e1beda
                                                                                                                                • Instruction Fuzzy Hash: 100145716457505FD3024B34CC842A27BA1EB5B325B5899ACD8C2CB596C2B99413CB64
                                                                                                                                Function 00441550 Relevance: 1.5, Strings: 1, Instructions: 287COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: InitializeThunk
                                                                                                                                • String ID: InA>
                                                                                                                                • API String ID: 2994545307-2903657838
                                                                                                                                • Opcode ID: 6f17bb55ea54f55656048a47ee8566c7501dab7c549d0ed10ccaedf545481bcd
                                                                                                                                • Instruction ID: 40559cc837a8f44ef15ae3b3825c0f6fef15ca8747d320847322dee6b4caa89b
                                                                                                                                • Opcode Fuzzy Hash: 6f17bb55ea54f55656048a47ee8566c7501dab7c549d0ed10ccaedf545481bcd
                                                                                                                                • Instruction Fuzzy Hash: 26810476B083104FE724CE68CC8076BB7E2ABC5310F19852EE9955B3A5D778DC858B89
                                                                                                                                Function 0040A9C0 Relevance: 1.5, Strings: 1, Instructions: 265COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: ,
                                                                                                                                • API String ID: 0-3772416878
                                                                                                                                • Opcode ID: a629dd6e25875513fcdcc36ab24cb8f890d51b3c8ca8ce973876346eda5cdae7
                                                                                                                                • Instruction ID: 289e211150430dffdcb9819fd40634ef5ee1c0e3b6bece96424cf16519f2c9c5
                                                                                                                                • Opcode Fuzzy Hash: a629dd6e25875513fcdcc36ab24cb8f890d51b3c8ca8ce973876346eda5cdae7
                                                                                                                                • Instruction Fuzzy Hash: D3B138712083819FD321CF28C98061BFBE1AFA9704F444E2EE5D997782D635E918CB67
                                                                                                                                Function 004116D4 Relevance: 1.5, Strings: 1, Instructions: 252COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: D
                                                                                                                                • API String ID: 0-2746444292
                                                                                                                                • Opcode ID: 92713fe33efc2325317d81bb29e247b630592c962ca13e40b324ea5e1c874dca
                                                                                                                                • Instruction ID: e98f359d144373e0e7d21a8d7b31f09dae4235e3e6a97bc6ca45bd591f61577b
                                                                                                                                • Opcode Fuzzy Hash: 92713fe33efc2325317d81bb29e247b630592c962ca13e40b324ea5e1c874dca
                                                                                                                                • Instruction Fuzzy Hash: 41A1DAB05093809BE324DF11D8617ABBBE1FF81748F54891DE1C92B291D7B98845CF8A
                                                                                                                                Function 0043DA20 Relevance: 1.5, Strings: 1, Instructions: 230COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: S2Q_]
                                                                                                                                • API String ID: 0-2661617954
                                                                                                                                • Opcode ID: c798ef788c3186b9c3c27ada4f681d5c2da76517a19e51989e98c302bc57f1f6
                                                                                                                                • Instruction ID: 66ee62b778b284a77cc244715fd6825c21b9e9d2cc531d5de89415f217deca10
                                                                                                                                • Opcode Fuzzy Hash: c798ef788c3186b9c3c27ada4f681d5c2da76517a19e51989e98c302bc57f1f6
                                                                                                                                • Instruction Fuzzy Hash: F4712274E042059FDB148FA8E895BBFB7B1FB48304F10542EE506A7392D779E815CB98
                                                                                                                                Function 00438120 Relevance: 1.5, Strings: 1, Instructions: 203COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Strings
                                                                                                                                • 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081, xrefs: 004382AA
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081
                                                                                                                                • API String ID: 0-2471034898
                                                                                                                                • Opcode ID: 9dfcde9a713137e56d9d9e73bf827ad091faf5dd376b8208c0533ed5b463ba63
                                                                                                                                • Instruction ID: b237679488f3b08c495c6c2f53ddb537ec1828e0c8e905fe9efbca9f63afc00e
                                                                                                                                • Opcode Fuzzy Hash: 9dfcde9a713137e56d9d9e73bf827ad091faf5dd376b8208c0533ed5b463ba63
                                                                                                                                • Instruction Fuzzy Hash: CA51303670968187DB148A3C5C511ABBB935B9B334F3C976FF9F2873D1DA298806434A
                                                                                                                                Function 00422A90 Relevance: 1.4, Strings: 1, Instructions: 196COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Strings
                                                                                                                                • 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 00422C9A
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ
                                                                                                                                • API String ID: 0-442858466
                                                                                                                                • Opcode ID: 94703c53c0f171fe569379c70358d3c668bc0a9671b10a049f517456983d8b28
                                                                                                                                • Instruction ID: 30d64c31d85b20846a8be7dc930705967e040955aeceff31e3ead08498bacdae
                                                                                                                                • Opcode Fuzzy Hash: 94703c53c0f171fe569379c70358d3c668bc0a9671b10a049f517456983d8b28
                                                                                                                                • Instruction Fuzzy Hash: F3516C267099A05BD3248E3CAD513AA7A434FD3330F6CC77AE5B24B3E1D5DD48069306
                                                                                                                                Function 00446020 Relevance: 1.4, Strings: 1, Instructions: 166COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: @
                                                                                                                                • API String ID: 0-2766056989
                                                                                                                                • Opcode ID: 866fa442eac7b4f7792ff7100bb444b34f77807852fd0e09a0e8c09a5ecb120a
                                                                                                                                • Instruction ID: c070a8a44611a73b417ec6db818e262e134a177e6a9ec1f852fc67e82cc92d24
                                                                                                                                • Opcode Fuzzy Hash: 866fa442eac7b4f7792ff7100bb444b34f77807852fd0e09a0e8c09a5ecb120a
                                                                                                                                • Instruction Fuzzy Hash: 87513A719043108FE714CF28CC8166BB7E1EF85324F15862EE9999B3A1E779DD08CB96
                                                                                                                                Function 004278B9 Relevance: 1.4, Strings: 1, Instructions: 163COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: BzB
                                                                                                                                • API String ID: 0-3244110204
                                                                                                                                • Opcode ID: 03e08ea474ed3794cd5ab0950577484f39c495b86ef6b91cae2dc6da0cb9a4a4
                                                                                                                                • Instruction ID: ab2d66007e9231599658796827a4c600b02d5316afc85124f53fafb6c2574aa7
                                                                                                                                • Opcode Fuzzy Hash: 03e08ea474ed3794cd5ab0950577484f39c495b86ef6b91cae2dc6da0cb9a4a4
                                                                                                                                • Instruction Fuzzy Hash: 7F510475E05612CBDB18CF29DCA06AAB3B2FB8A315F6980BDD406AB794D7309D01CF54
                                                                                                                                Function 004166F9 Relevance: 1.4, Strings: 1, Instructions: 127COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: +
                                                                                                                                • API String ID: 0-2126386893
                                                                                                                                • Opcode ID: 337413a90c286d74c7d4c31062a21b0bc78d60bc7880335118862f3a84f98447
                                                                                                                                • Instruction ID: 766dd656c9aef2bf92d563dbc3ff72e57c96b9d5035df39004fa03315bc2d902
                                                                                                                                • Opcode Fuzzy Hash: 337413a90c286d74c7d4c31062a21b0bc78d60bc7880335118862f3a84f98447
                                                                                                                                • Instruction Fuzzy Hash: 9551F4B56097408FD329CB38C5653E7BBE1AB55304F09886EC5AB87382C779E485CB52
                                                                                                                                Function 004431FF Relevance: 1.3, Strings: 1, Instructions: 63COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: 0mrs
                                                                                                                                • API String ID: 0-1164264508
                                                                                                                                • Opcode ID: 01c9064caf8dfe845d11d99a2d7c59921dfac82ca61804563505c53f0aa3b4ea
                                                                                                                                • Instruction ID: 3eebe4c5957fbaf27f9ed2d9903cedf0e0b7a28010717bb26d792b360ae4da9c
                                                                                                                                • Opcode Fuzzy Hash: 01c9064caf8dfe845d11d99a2d7c59921dfac82ca61804563505c53f0aa3b4ea
                                                                                                                                • Instruction Fuzzy Hash: AD1126315082518BC308CF14C46277BBBB1AFD6748F24596ED4D2A7391DB788505CB4A
                                                                                                                                Function 00427B77 Relevance: 1.3, Strings: 1, Instructions: 60COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: h{B
                                                                                                                                • API String ID: 0-3986473739
                                                                                                                                • Opcode ID: 627d62b39f4d9acb375451a6f6f7d42c5544e26cefa4e5f4c785df0859b57cb5
                                                                                                                                • Instruction ID: 8c089fcb2fdbc2458981861f287705d22f5bf8de8e10461fb943f60158e14769
                                                                                                                                • Opcode Fuzzy Hash: 627d62b39f4d9acb375451a6f6f7d42c5544e26cefa4e5f4c785df0859b57cb5
                                                                                                                                • Instruction Fuzzy Hash: 6D2178B8A05310CFD354CFA6D584A59BBB0FF59310B5691D9D4046F366E779C802CF86
                                                                                                                                Function 0042F0A0 Relevance: 1.3, Strings: 1, Instructions: 8COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: <B
                                                                                                                                • API String ID: 0-726973072
                                                                                                                                • Opcode ID: 4528ab1d1da5441dcdea12c1e1786d53cdfc1870d181a8ff961c620cf030c730
                                                                                                                                • Instruction ID: 6d37382fac798be85e2f173504049a9d157048ff87321ddb087813306d037c38
                                                                                                                                • Opcode Fuzzy Hash: 4528ab1d1da5441dcdea12c1e1786d53cdfc1870d181a8ff961c620cf030c730
                                                                                                                                • Instruction Fuzzy Hash: E7B012B4C08200C7D5002F01BC03035F1347B07305F0034349005321239131E4148A4E
                                                                                                                                Function 0040C000 Relevance: .8, Instructions: 810COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: d9dd1cc2c9724957d29e44ad9a42bfef3acf40a5137b08b857aeb1d8de2f2cc7
                                                                                                                                • Instruction ID: 02682122fe215c6071f285fca95103c933b17263e56a0dfe3beaa435343e60af
                                                                                                                                • Opcode Fuzzy Hash: d9dd1cc2c9724957d29e44ad9a42bfef3acf40a5137b08b857aeb1d8de2f2cc7
                                                                                                                                • Instruction Fuzzy Hash: 7752BF32518711CBC725DF18D48026BB3E2FFD4314F258A3ED9D6A7285E739A851CB8A
                                                                                                                                Function 004221C0 Relevance: .7, Instructions: 686COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: ba19472e76792437bdd4c74d355a2bbb8d5b41cc68323e10916d2f05e01f2030
                                                                                                                                • Instruction ID: 7ed2dbe21109470e49fdddc6be5fa01611824c619444a507dd5f3c0515fd705b
                                                                                                                                • Opcode Fuzzy Hash: ba19472e76792437bdd4c74d355a2bbb8d5b41cc68323e10916d2f05e01f2030
                                                                                                                                • Instruction Fuzzy Hash: C13201B1708310ABE720DF11EA41B6BB7E2FBC5304F54892EE9849B391D778D805CB5A
                                                                                                                                Function 0040B4F0 Relevance: .7, Instructions: 670COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: ee56c21f94755b019df30f5b4f82a9e0a5af40586758b6e0cc08bb712d67dfe5
                                                                                                                                • Instruction ID: fca6fef6d7c72a8c719bab9b26de2e440cc4016141a76680356fcb156e4a4cbf
                                                                                                                                • Opcode Fuzzy Hash: ee56c21f94755b019df30f5b4f82a9e0a5af40586758b6e0cc08bb712d67dfe5
                                                                                                                                • Instruction Fuzzy Hash: 61529EB0908B888EE7358B24C4847A7BBE1EB91314F14487EC5E657BC2D37DA885C79D
                                                                                                                                Function 004073E0 Relevance: .7, Instructions: 657COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: d6f1f0a554b5f4ea1dff79201fa12c76aa8ddbc04dcc0ebd949a31b7ea78ddaf
                                                                                                                                • Instruction ID: 7136ed3ccb547f0344c5f63eb2a72c6255d9bd3de1dd3d1752cdf03fa2eaf8a9
                                                                                                                                • Opcode Fuzzy Hash: d6f1f0a554b5f4ea1dff79201fa12c76aa8ddbc04dcc0ebd949a31b7ea78ddaf
                                                                                                                                • Instruction Fuzzy Hash: 0B52D67190C3458FDB15CF18C0806AABBE1BF85314F188A7EE8D967392D778E945CB86
                                                                                                                                Function 00407DE0 Relevance: .6, Instructions: 616COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 8241882f996910b1088597801476f6fbaae8d27d30de39724c77fd81cd3b86bc
                                                                                                                                • Instruction ID: 6ac887c7ce7c814f3e249ffd09faed373fed6c86221084827e4f3925f8cf0cd9
                                                                                                                                • Opcode Fuzzy Hash: 8241882f996910b1088597801476f6fbaae8d27d30de39724c77fd81cd3b86bc
                                                                                                                                • Instruction Fuzzy Hash: EA421470915B118FC328CF29C69052ABBF1BF85710B644A2ED6D797B90DB3AF845CB18
                                                                                                                                Function 0041D090 Relevance: .5, Instructions: 460COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: be937af9608f355544b1a785769380c913888ed9024de6620004d214b29c65f4
                                                                                                                                • Instruction ID: 5fba3967c5be13676576c4bfc9c67a371dfa911b0b35cc635cae992ad44171c5
                                                                                                                                • Opcode Fuzzy Hash: be937af9608f355544b1a785769380c913888ed9024de6620004d214b29c65f4
                                                                                                                                • Instruction Fuzzy Hash: 52D126B59083408BD7349F24D8927EB77F1EF86314F04462DE9898B391E7789941CBAB
                                                                                                                                Function 0040A450 Relevance: .5, Instructions: 451COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: ee4f907dc66f90ada65356227de4accc4fcb268735b67025017e6f093c4462cb
                                                                                                                                • Instruction ID: 15b9f8b272a4cb5e65813eccbee1724432a8696a39f88fc8749565ced714b9ed
                                                                                                                                • Opcode Fuzzy Hash: ee4f907dc66f90ada65356227de4accc4fcb268735b67025017e6f093c4462cb
                                                                                                                                • Instruction Fuzzy Hash: A7F1B2716083418FC714DF28C480A2BFBE1FF99304F098A6EE9985B392D279D955CB97
                                                                                                                                Function 00426A60 Relevance: .4, Instructions: 428COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: fbcaf06425e298964a7308fc73586c547fbe9d5c86ecc9cd1902dc6dce561885
                                                                                                                                • Instruction ID: 747f2e0b8c54a09e831a33d82095739b2f8fe2619cdecba23a86b32be184b786
                                                                                                                                • Opcode Fuzzy Hash: fbcaf06425e298964a7308fc73586c547fbe9d5c86ecc9cd1902dc6dce561885
                                                                                                                                • Instruction Fuzzy Hash: 4CA14971B142608BD710AB24EC5267BB3E1EF92314F9A452EE8C597381E33CED05C79A
                                                                                                                                Function 0042B870 Relevance: .4, Instructions: 420COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: InitializeThunk
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 2994545307-0
                                                                                                                                • Opcode ID: aed46032172ba226f2b48e7163239de53d5c4307a282ab303f7f38cd7c7f9a52
                                                                                                                                • Instruction ID: 1cc968c4f3e31a164f5d24dd7d85910aa4ce0ed2985b0ed2bdfab3c31ff2b481
                                                                                                                                • Opcode Fuzzy Hash: aed46032172ba226f2b48e7163239de53d5c4307a282ab303f7f38cd7c7f9a52
                                                                                                                                • Instruction Fuzzy Hash: 1FC1BD71B083208BD714CB25E85267BB7D1EF86314F98852EE4869B391D779EC06C7CA
                                                                                                                                Function 00427F02 Relevance: .4, Instructions: 387COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 139437691f225f2957a855e7b8e849074f03e9b450db14e2588c4f259df562e8
                                                                                                                                • Instruction ID: 1e7fa7a467679b0b57a8f921390a3d944b0f1ab35f8635b0e4e8594652472d91
                                                                                                                                • Opcode Fuzzy Hash: 139437691f225f2957a855e7b8e849074f03e9b450db14e2588c4f259df562e8
                                                                                                                                • Instruction Fuzzy Hash: B8B103B1A002208BDB14DF69DC52BAF7BB1EF55324F1A429DE8516F395DB388801CBE5
                                                                                                                                Function 00446FC0 Relevance: .4, Instructions: 375COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: InitializeThunk
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 2994545307-0
                                                                                                                                • Opcode ID: 6a2ddab27b7a4579794aaf89233ea1abe21452ab2858e257de0af69c170552e6
                                                                                                                                • Instruction ID: 124e1ce209a9d79c83a092404dd6fd6c591bd30df26a373d80fc27ea5a55d2d4
                                                                                                                                • Opcode Fuzzy Hash: 6a2ddab27b7a4579794aaf89233ea1abe21452ab2858e257de0af69c170552e6
                                                                                                                                • Instruction Fuzzy Hash: E2C12372A093118FD7288E28C88166BB7E2FBC9710F09853EEA915B355E778EC05C795
                                                                                                                                Function 004436D8 Relevance: .4, Instructions: 368COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 0ff6e5ada89f543fa807134c699a5a6f337f2a7d51667af2e233a9611df54acd
                                                                                                                                • Instruction ID: 7e32187f567617c7486bbed9ee62277d07befbc9892c85208c0dab01a8a93ff6
                                                                                                                                • Opcode Fuzzy Hash: 0ff6e5ada89f543fa807134c699a5a6f337f2a7d51667af2e233a9611df54acd
                                                                                                                                • Instruction Fuzzy Hash: 6BD1F776608354CFC724CF38E89112AB7E2AF99316F19897ED895C3392D774E900CB85
                                                                                                                                Function 0043BCB7 Relevance: .4, Instructions: 367COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 5d08f89e5c68fbc098d375457ba4e5f1b6ebceff05588bae461bd528b705a9e2
                                                                                                                                • Instruction ID: 8b382c6250a9f113906c7d2715ecc44ef7a213c11758325ee70e759d75de341d
                                                                                                                                • Opcode Fuzzy Hash: 5d08f89e5c68fbc098d375457ba4e5f1b6ebceff05588bae461bd528b705a9e2
                                                                                                                                • Instruction Fuzzy Hash: 48125C20508FD3DED326C63C8848749BF917B27224F088399D1F55BBE2C369A566C7E6
                                                                                                                                Function 0041EF92 Relevance: .4, Instructions: 364COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: InitializeThunk
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 2994545307-0
                                                                                                                                • Opcode ID: dfa746c6d881dfc059dc902a3a182e914ffa69ef37af86a38b17d75d9bb6bfc9
                                                                                                                                • Instruction ID: bcd0de0dbde75e7fc2ef1d167a929022b9ad870a6f864199943441023e39a78e
                                                                                                                                • Opcode Fuzzy Hash: dfa746c6d881dfc059dc902a3a182e914ffa69ef37af86a38b17d75d9bb6bfc9
                                                                                                                                • Instruction Fuzzy Hash: BBB105B46083409FD718CF24D981ABBB7A2FB86314F54493EE49297392D774CC4ACB5A
                                                                                                                                Function 00444100 Relevance: .4, Instructions: 357COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 5d0785792d2f6be3ae0fd9eb367eca84ea230b52bc47faaa28ac77f14125f6ce
                                                                                                                                • Instruction ID: 7766d0ea1d967d55543dfd8a09523ce18a6b0d81375f740f98cdf45916f6b9e3
                                                                                                                                • Opcode Fuzzy Hash: 5d0785792d2f6be3ae0fd9eb367eca84ea230b52bc47faaa28ac77f14125f6ce
                                                                                                                                • Instruction Fuzzy Hash: FDB14A72A043104BF7149E69DC4176BB7D5EBC4724F09863EFD9487382EA78ED048796
                                                                                                                                Function 00446880 Relevance: .3, Instructions: 332COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: InitializeThunk
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 2994545307-0
                                                                                                                                • Opcode ID: 7490bc4c8997ad461248dccb16ab5016ad44e6d622207f6916a241a5a0ae9c33
                                                                                                                                • Instruction ID: e9170d44aff5866f56100de90102033e2244ca9e8f75e6b3e2d6e5370943e171
                                                                                                                                • Opcode Fuzzy Hash: 7490bc4c8997ad461248dccb16ab5016ad44e6d622207f6916a241a5a0ae9c33
                                                                                                                                • Instruction Fuzzy Hash: EFA15972A093019BD718DE18CC8166FF7A2EBC6310F0AC53EE9859B355EB789C05C796
                                                                                                                                Function 00446C30 Relevance: .3, Instructions: 331COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: InitializeThunk
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 2994545307-0
                                                                                                                                • Opcode ID: 462ae0fcc151deafdffc02c89d1f366d373ee638882361ef7d59977f945bb29b
                                                                                                                                • Instruction ID: 1a5e0ffdbf3978c92937f73f381b570be683c173144ca4ae1b791b303c1bd877
                                                                                                                                • Opcode Fuzzy Hash: 462ae0fcc151deafdffc02c89d1f366d373ee638882361ef7d59977f945bb29b
                                                                                                                                • Instruction Fuzzy Hash: 8EA11775B053058FE718DE18D89166FB3A2EFC6310F1A852EE9958B354EB389C05CB86
                                                                                                                                Function 004473D0 Relevance: .3, Instructions: 323COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 9ae0ba7e37703f4cdb108c1955ce9cb739a17fa9a2c27f4f6c93cc25742c1e3a
                                                                                                                                • Instruction ID: 766f9b8d3fcd490e975de269723a1c40344e2b27b9150cac203182a57d2c3d0d
                                                                                                                                • Opcode Fuzzy Hash: 9ae0ba7e37703f4cdb108c1955ce9cb739a17fa9a2c27f4f6c93cc25742c1e3a
                                                                                                                                • Instruction Fuzzy Hash: 65B12572B093109FD318CE28C89266BBBA3EBC5324F19C53EE9958B395D774DC068785
                                                                                                                                Function 0042CB67 Relevance: .3, Instructions: 312COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 5bf8ba2e34d3445c35d73722a55db8497af0904ff29d56290ca2d0946fd1d5f7
                                                                                                                                • Instruction ID: 7d60875e03ebcdb34c9b488b98a79c93e9a24b274fbfd30e500e5967e2a4931d
                                                                                                                                • Opcode Fuzzy Hash: 5bf8ba2e34d3445c35d73722a55db8497af0904ff29d56290ca2d0946fd1d5f7
                                                                                                                                • Instruction Fuzzy Hash: C6A111356083A1CFE714CF29E89036E7BE2BF8A310F498A7DE595573A1C3349945CB86
                                                                                                                                Function 004181AC Relevance: .3, Instructions: 310COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 04772eb807b99a92309faba8190fcc0cdebcf5f1c13839a95a26db220a14cf11
                                                                                                                                • Instruction ID: 04131a0b67dd3a805874fae5191248de912dcb5f7195b3ae72eb4def1798786c
                                                                                                                                • Opcode Fuzzy Hash: 04772eb807b99a92309faba8190fcc0cdebcf5f1c13839a95a26db220a14cf11
                                                                                                                                • Instruction Fuzzy Hash: A4C13B76605B804FC3148A3CC891366BFD2AB96314F1D8A6ED4EB8B7D2D939D442CB15
                                                                                                                                Function 0040B060 Relevance: .3, Instructions: 303COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: af50f2bad9bb489fb335ed14439bb1287e25c70870b57a56ee0a2df970e13fc5
                                                                                                                                • Instruction ID: bc6d2709b529e59c57e7cc9210454f1bbb8fd769dcddf2452f71e6af57f36dfd
                                                                                                                                • Opcode Fuzzy Hash: af50f2bad9bb489fb335ed14439bb1287e25c70870b57a56ee0a2df970e13fc5
                                                                                                                                • Instruction Fuzzy Hash: 63C15AB29187418FC360CF68CC96BABB7E1EF85318F08492DD1D9D6342E778A155CB4A
                                                                                                                                Function 00409DC3 Relevance: .3, Instructions: 289COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: c1b33ce3e04cfa0dc7421456ddae23d00b81a433bc9ae80d9e17deacd3d6a3ea
                                                                                                                                • Instruction ID: 86084b58761dc4983f266e1458d98f4430e682ef074011310020a3d6a9b6c72c
                                                                                                                                • Opcode Fuzzy Hash: c1b33ce3e04cfa0dc7421456ddae23d00b81a433bc9ae80d9e17deacd3d6a3ea
                                                                                                                                • Instruction Fuzzy Hash: 29C18F35104641EFCB19CF28D840956BFB2FF59300B05CAADE98A4BBA2C331E965DF91
                                                                                                                                Function 004351B3 Relevance: .3, Instructions: 273COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 80471385a62d2dbeba38ece26206bd2a889b7e409b6b544b1fffcea116f1feb7
                                                                                                                                • Instruction ID: e8e7b5d1f6ac093c331c373781fdf0b6e84653656ac48e2004f5f5f13aff097e
                                                                                                                                • Opcode Fuzzy Hash: 80471385a62d2dbeba38ece26206bd2a889b7e409b6b544b1fffcea116f1feb7
                                                                                                                                • Instruction Fuzzy Hash: 07B1E472608B804FC3198A38D8953AABFD2AF96318F1D897DC4DF87397D6796409C706
                                                                                                                                Function 0043C296 Relevance: .3, Instructions: 268COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: e25814547b8657f4c628a9ae09876ed82684cab00fe0be3ba32363ddfbc7d1e7
                                                                                                                                • Instruction ID: c0ba0056bc0d79e9ff90e4fa7f8163409d4673866baa51c90706b73073f38282
                                                                                                                                • Opcode Fuzzy Hash: e25814547b8657f4c628a9ae09876ed82684cab00fe0be3ba32363ddfbc7d1e7
                                                                                                                                • Instruction Fuzzy Hash: B7D1A721508BD28EC332CA3C884435ABFD16B67234F18CB9DD4F65BBD2D365A506C7A6
                                                                                                                                Function 00433E19 Relevance: .3, Instructions: 266COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: f46c1bcde63708b7980154b63a2d860516a12904de258cb033328e26d10012a8
                                                                                                                                • Instruction ID: 19dc780796bff702e3aac3e29cd2bc9eb51614e21ccf5cce3b9cbd6247de15fe
                                                                                                                                • Opcode Fuzzy Hash: f46c1bcde63708b7980154b63a2d860516a12904de258cb033328e26d10012a8
                                                                                                                                • Instruction Fuzzy Hash: 1FB11972608B804FD3158A38D8953ABBFE2AB96314F1D897DC4EF87383D6396445C716
                                                                                                                                Function 0043FB10 Relevance: .3, Instructions: 260COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: InitializeThunk
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 2994545307-0
                                                                                                                                • Opcode ID: 32b8ecc0f82ef7bb86bc97df091e038c36e718961f742f4e819b390e80ed7ca3
                                                                                                                                • Instruction ID: 3243d000e42fa6bbde1491bf21fbd6de9453037408ca101d163772278e0f49e5
                                                                                                                                • Opcode Fuzzy Hash: 32b8ecc0f82ef7bb86bc97df091e038c36e718961f742f4e819b390e80ed7ca3
                                                                                                                                • Instruction Fuzzy Hash: 986148B7F043104BD728CE59DC9572BB792ABCC714F1E903EE8865B361E674AC088799
                                                                                                                                Function 00409CE0 Relevance: .2, Instructions: 250COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 821e978d2c41ef00669fc28f8b952ee625f922a930b7e32772f03021fcf16003
                                                                                                                                • Instruction ID: 4d18bc5b783b215d4a24c6c9fc5079c07bc18f0af03e6dec8ce3e79fe1bb1521
                                                                                                                                • Opcode Fuzzy Hash: 821e978d2c41ef00669fc28f8b952ee625f922a930b7e32772f03021fcf16003
                                                                                                                                • Instruction Fuzzy Hash: 7FB19335104741EFC7198F28D840956FFB2FF59300B09CAADE99A4BB92D331E865DB91
                                                                                                                                Function 0042D0EA Relevance: .2, Instructions: 244COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: dda4c9c3af59e6126755252a7fdd059bc9b93ac295a7194725cdfc04df713685
                                                                                                                                • Instruction ID: d58dccf7f8d102ae8e52e5abf32eef08eb6ae2b0fe8d746fa2f19eff1a051015
                                                                                                                                • Opcode Fuzzy Hash: dda4c9c3af59e6126755252a7fdd059bc9b93ac295a7194725cdfc04df713685
                                                                                                                                • Instruction Fuzzy Hash: 22713972F04B294BC719CE2DD89122BB7D2ABC4300F59863DE9968B386DB34EC15C785
                                                                                                                                Function 00415E31 Relevance: .2, Instructions: 238COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 63dc2214532749a3fe190013f9acd09639dcbb8625be52e1b1a9ebd4b69bce9d
                                                                                                                                • Instruction ID: 9e95abd04c6be4dc537bd8f0338b199a5e99d4fc77b01df3a5057b54fc269504
                                                                                                                                • Opcode Fuzzy Hash: 63dc2214532749a3fe190013f9acd09639dcbb8625be52e1b1a9ebd4b69bce9d
                                                                                                                                • Instruction Fuzzy Hash: 9BA1F776604B808FC315CB38C8913A6BFE2AF9A314F19896ED4EBC7392D635E546C711
                                                                                                                                Function 00440070 Relevance: .2, Instructions: 232COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 4b06ae78eb0f0d76a4a8d1d8b76572a24e88dd6cae632828a3b75002bbf8a3a3
                                                                                                                                • Instruction ID: a9fdb69631543c96e85a77dd745ed39ec55ebbc449cccb65d3705bb5ecebe295
                                                                                                                                • Opcode Fuzzy Hash: 4b06ae78eb0f0d76a4a8d1d8b76572a24e88dd6cae632828a3b75002bbf8a3a3
                                                                                                                                • Instruction Fuzzy Hash: 53510176B093008BE314CE69DC8066BB793FBC8310F18C63EE98497395DAB8DC158796
                                                                                                                                Function 00406730 Relevance: .2, Instructions: 232COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 3a1e63f345ac413e1226a4b01c038254da90dec707e7fe3538896761a1eefac5
                                                                                                                                • Instruction ID: 80293f79fddec50ff20d35f29e1c4acda81efebf47cf64b84b21665d8e85bca4
                                                                                                                                • Opcode Fuzzy Hash: 3a1e63f345ac413e1226a4b01c038254da90dec707e7fe3538896761a1eefac5
                                                                                                                                • Instruction Fuzzy Hash: 70716CA15083858FE7145E28988036BBBD1DF52304F2A897FD8D79B7C2E27DC855C39A
                                                                                                                                Function 004349EB Relevance: .2, Instructions: 209COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 28f4beedb8666eefc415a1ea3b95226a8e021b1be7bd481cb286d24019705e70
                                                                                                                                • Instruction ID: a6fe1b78844f7c4155d56aac551f0c3a195f504a4e56fa7cea29365b1f34b7a5
                                                                                                                                • Opcode Fuzzy Hash: 28f4beedb8666eefc415a1ea3b95226a8e021b1be7bd481cb286d24019705e70
                                                                                                                                • Instruction Fuzzy Hash: C78169B2609B804BD3159B38D8993E7BFE2ABD5308F1D897DC4DA87382D93DA445C706
                                                                                                                                Function 00441290 Relevance: .2, Instructions: 209COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 7ebb7c5d4d0cd27cfbd9ed3e3f427e4f5fd69bd7a51c53345131b0ecf4373267
                                                                                                                                • Instruction ID: c09d99baf91c63c6f825f362a3a483e9e6e63f1bb990cbbe5813c36eee97decd
                                                                                                                                • Opcode Fuzzy Hash: 7ebb7c5d4d0cd27cfbd9ed3e3f427e4f5fd69bd7a51c53345131b0ecf4373267
                                                                                                                                • Instruction Fuzzy Hash: 6871B93160C3518FD715CF28C49062EBBE2AFC5314F19866EE8D58B362D739D846CB56
                                                                                                                                Function 0043C650 Relevance: .2, Instructions: 189COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: c3baaf207d38291a384e3771eb0e3d24cc54c85903ae121881eeb3388c120c63
                                                                                                                                • Instruction ID: 71121cce4b86f3176dd2e03df0e40d1db1d858f4da3d60e7b92907778f9a9108
                                                                                                                                • Opcode Fuzzy Hash: c3baaf207d38291a384e3771eb0e3d24cc54c85903ae121881eeb3388c120c63
                                                                                                                                • Instruction Fuzzy Hash: 73515DB16087549FE314DF69D49435BBBE1BB88318F044E2EE4E587391E379D6088F86
                                                                                                                                Function 00446320 Relevance: .2, Instructions: 176COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: InitializeThunk
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 2994545307-0
                                                                                                                                • Opcode ID: e62a204519401ef3f38ebf1e4a3e53dd1ef11d2b2c5c2a1a74245cd0d5fe5fc8
                                                                                                                                • Instruction ID: 460cc507675c745ee70cfb10412db7ca048049acdde2b07669478154b93f7d13
                                                                                                                                • Opcode Fuzzy Hash: e62a204519401ef3f38ebf1e4a3e53dd1ef11d2b2c5c2a1a74245cd0d5fe5fc8
                                                                                                                                • Instruction Fuzzy Hash: EE518A73F452144FE7285D689C827BBB252E7C2314F1E813EEE44A7390E6B49D05869A
                                                                                                                                Function 00405CB0 Relevance: .2, Instructions: 163COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 812a003c9a1d786ee250822ff4af9a4bc1b15b18315967dfa3c726bfa9c283a4
                                                                                                                                • Instruction ID: 416c32664f294b1468d02a79fd28a5d24dab67e77e0edc35e20e5b8166d78e75
                                                                                                                                • Opcode Fuzzy Hash: 812a003c9a1d786ee250822ff4af9a4bc1b15b18315967dfa3c726bfa9c283a4
                                                                                                                                • Instruction Fuzzy Hash: D151E274A046009FC714EF18C880927B7A1FF85324F15867EE899AB392D634ED42CFDA
                                                                                                                                Function 0041328F Relevance: .2, Instructions: 156COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: d81064599390e439ce8bf62de38dde63d5fc1351de2b609b66dba84e03887134
                                                                                                                                • Instruction ID: 1d6dc035e182b13da22b9cbbc4627fa84d9611bb5c3a237048979ab24e870807
                                                                                                                                • Opcode Fuzzy Hash: d81064599390e439ce8bf62de38dde63d5fc1351de2b609b66dba84e03887134
                                                                                                                                • Instruction Fuzzy Hash: 1E510C72645B408FD325DE3CC882396BBD39BD6318F1DC67ED0AACB396DA7894068705
                                                                                                                                Function 00445030 Relevance: .2, Instructions: 154COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 32a95d721f2f7aca5e0177b403e57ef4ceeab3479fae9a8f770556b36fd0998e
                                                                                                                                • Instruction ID: 1ce0968f592739a2e9fd2a87bdb4ab0a0d4f6e84cfd1e2ddb45231fe39b840dd
                                                                                                                                • Opcode Fuzzy Hash: 32a95d721f2f7aca5e0177b403e57ef4ceeab3479fae9a8f770556b36fd0998e
                                                                                                                                • Instruction Fuzzy Hash: 2441253AA09351CBD3148F29D89135BB7D2ABCA309F1AC87DC5C507B51DA3598058B82
                                                                                                                                Function 0041959B Relevance: .1, Instructions: 137COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: aa2acb2af93d00d83156de17288da0f9fd8d69bc59d99b312e1fa0105f27da54
                                                                                                                                • Instruction ID: c605f5bdfb6351e002e41f2228cc8b513cc1290569981fd3c06bcb668c8b4385
                                                                                                                                • Opcode Fuzzy Hash: aa2acb2af93d00d83156de17288da0f9fd8d69bc59d99b312e1fa0105f27da54
                                                                                                                                • Instruction Fuzzy Hash: 8451C7B1A1C3D08BD325CA28C5A03EBBBD26FD9304F18496ED5DA17382C7798C458B5B
                                                                                                                                Function 0041DF42 Relevance: .1, Instructions: 106COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 9980f32a05e14ebc5fad99c4f17161fb68771552e8ef4e6d25d7016db9b0e116
                                                                                                                                • Instruction ID: 29fe5bef39a712cca74983f58def0ff39f4ca2fcdef477833d90d0020022f787
                                                                                                                                • Opcode Fuzzy Hash: 9980f32a05e14ebc5fad99c4f17161fb68771552e8ef4e6d25d7016db9b0e116
                                                                                                                                • Instruction Fuzzy Hash: 9E312771A447108BC7289F25C8A27FBB7E2EF96324F09492DE4D68B790D37C5941C74A
                                                                                                                                Function 0042D08F Relevance: .1, Instructions: 96COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: e4cb2ebec0dd542681a47f967e4817da2e3720bba335246e3841daf45ee2ccbc
                                                                                                                                • Instruction ID: 749aba1b5ef50b967008e7590c7cded4b7a7dccae2c20fb3fd76f9baff0514e2
                                                                                                                                • Opcode Fuzzy Hash: e4cb2ebec0dd542681a47f967e4817da2e3720bba335246e3841daf45ee2ccbc
                                                                                                                                • Instruction Fuzzy Hash: 2631D3B6A0C3508FD360DF25D054B2FBEE5BBC5304F451D6CE08AAB265CB78C9058B8A
                                                                                                                                Function 00404C80 Relevance: .1, Instructions: 95COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 8f09895c9087677816557ead0eddaa83aaf4718375461296362b8b7bc1083d76
                                                                                                                                • Instruction ID: f434979c7d961154a78b9c798a5e035921f6a5e5e9f8c7df47d770cf5de16a2d
                                                                                                                                • Opcode Fuzzy Hash: 8f09895c9087677816557ead0eddaa83aaf4718375461296362b8b7bc1083d76
                                                                                                                                • Instruction Fuzzy Hash: F931DBB46092019BD7109F19D880A27B7E1FFC4318F19853EEA96AB3C1D339DD52C74A
                                                                                                                                Function 00409BDF Relevance: .1, Instructions: 72COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 3642259c70ff8e6b2ffc67d10343a588dbbf12b5bbcac5d49b8915a33f70ffb4
                                                                                                                                • Instruction ID: 9c0763d8a9c9a3b506b0195bdcb4615ab64e35a6768e5aceb70a47541f9e39bf
                                                                                                                                • Opcode Fuzzy Hash: 3642259c70ff8e6b2ffc67d10343a588dbbf12b5bbcac5d49b8915a33f70ffb4
                                                                                                                                • Instruction Fuzzy Hash: CF218C78601600CFE714DF2AD888357B7E2FF89304F18853ED546873A6CB74E955CA94
                                                                                                                                Function 0043A930 Relevance: .1, Instructions: 64COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                                                                                                • Instruction ID: ac4335c866407421aa725aeca63ec23f6aea22f762a8cd45cc5288c0c2d5333e
                                                                                                                                • Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                                                                                                • Instruction Fuzzy Hash: 61112C336441D00EC3118D3C8400665BF930E97234F1B979AF4F8A73D6D52B8D8B835A
                                                                                                                                Function 0042F470 Relevance: .1, Instructions: 63COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: acba1e1c71774afc485e955392467e63a24041cb80c174b9f283bac5c1840cd4
                                                                                                                                • Instruction ID: 11cb8e7fa248d2a2276dd22f58b1c19925f8739d21f3d02a06a4c5c8577c7ff2
                                                                                                                                • Opcode Fuzzy Hash: acba1e1c71774afc485e955392467e63a24041cb80c174b9f283bac5c1840cd4
                                                                                                                                • Instruction Fuzzy Hash: 48019EB170031197D720BE25B8D1727B2B86FA4B08F98413EE80857342DBB9FC0886D9
                                                                                                                                Function 0042CA46 Relevance: .0, Instructions: 48COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: fbc3e82bc4d330012c13ba343797598bbb9d6e382b27da9a9e88e0339ee5c01e
                                                                                                                                • Instruction ID: d8551c29a61afecd5edba2e38aa2cc37a4acf6659581284494a60aba1c1156d6
                                                                                                                                • Opcode Fuzzy Hash: fbc3e82bc4d330012c13ba343797598bbb9d6e382b27da9a9e88e0339ee5c01e
                                                                                                                                • Instruction Fuzzy Hash: 121106B4504340CFE3149F15E859B16BBF0BB41314F558AADE4581B3E2D7B9D908CB96
                                                                                                                                Function 00437C69 Relevance: 43.9, APIs: 1, Strings: 24, Instructions: 111memoryCOMMON
                                                                                                                                Download Yara Rule
                                                                                                                                APIs
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: AllocString
                                                                                                                                • String ID: ($,$/$2$2$3$5$5$7$8$9$<$?$N$S$`$g$j$l$m$n$q$u$z
                                                                                                                                • API String ID: 2525500382-2570465031
                                                                                                                                • Opcode ID: d52fb1856238552e1ab5ac0bc43518dd379bddc378bc9e7329d932144870984a
                                                                                                                                • Instruction ID: 78fa1f9bf40feeb40e1422eec190e26a18af9ecf6164ad16d831f047fd9c9e6c
                                                                                                                                • Opcode Fuzzy Hash: d52fb1856238552e1ab5ac0bc43518dd379bddc378bc9e7329d932144870984a
                                                                                                                                • Instruction Fuzzy Hash: E561802040C7C289E322967C844875FEFD11BA7228F485B9DF1E55B3E3C6AA814AD767
                                                                                                                                Function 00436DB4 Relevance: 43.9, APIs: 1, Strings: 24, Instructions: 109memoryCOMMON
                                                                                                                                Download Yara Rule
                                                                                                                                APIs
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: AllocString
                                                                                                                                • String ID: ($,$/$2$2$3$5$5$7$8$9$<$?$N$S$`$g$j$l$m$n$q$u$z
                                                                                                                                • API String ID: 2525500382-2570465031
                                                                                                                                • Opcode ID: d9f597920ad5f0e55e1015cb2c0f991db549538e4246db794eb5abcbffd8c3e6
                                                                                                                                • Instruction ID: cce0776539ebb9434c76a719a7e1aae10fae5f36b6588ace7f79966163cd30b4
                                                                                                                                • Opcode Fuzzy Hash: d9f597920ad5f0e55e1015cb2c0f991db549538e4246db794eb5abcbffd8c3e6
                                                                                                                                • Instruction Fuzzy Hash: 8B51932040C7C2C9E322967C844875FEFD11BA7228F485B9DF1E55B3E3C6AA814AD767
                                                                                                                                Function 0043731F Relevance: 26.3, APIs: 1, Strings: 14, Instructions: 69COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                APIs
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: InitVariant
                                                                                                                                • String ID: I$Q$S$U$W$Y$[$]$_$`$a$c$e$g
                                                                                                                                • API String ID: 1927566239-2064755315
                                                                                                                                • Opcode ID: a9c5137a25a2752e59215682bf2fbebe3dce80b3bd7f69f4906cc8702bab46ee
                                                                                                                                • Instruction ID: 008d8f340cf44579ac18bc134305a53349d6a59e458d4f5bfeb6e16cac1ea22f
                                                                                                                                • Opcode Fuzzy Hash: a9c5137a25a2752e59215682bf2fbebe3dce80b3bd7f69f4906cc8702bab46ee
                                                                                                                                • Instruction Fuzzy Hash: AF41A72151DBC1CAE3318B38885879BBED26BA7224F084BADD5EC4B3D2C7754445C767
                                                                                                                                Function 004321F3 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 210COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: &@>U$#v
                                                                                                                                • API String ID: 0-3407253214
                                                                                                                                • Opcode ID: 8ed6a396931119963b226e8d0f48172cf3ce746215d84d651be8bd9d441b40f1
                                                                                                                                • Instruction ID: 73bb2d5d4db875ca7676cfa592a8b5414a385264176bb1eb99d84d393bcb0fdf
                                                                                                                                • Opcode Fuzzy Hash: 8ed6a396931119963b226e8d0f48172cf3ce746215d84d651be8bd9d441b40f1
                                                                                                                                • Instruction Fuzzy Hash: EE6157B0540B419BE321CF35ECD1BA3BBE5AF65305F144A2EE0EB5B282DB792509CB15
                                                                                                                                Function 004377A3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 99COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                APIs
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: Variant$ClearInit
                                                                                                                                • String ID: $
                                                                                                                                • API String ID: 2610073882-3993045852
                                                                                                                                • Opcode ID: e65195d1055a49ec5e2146fc3ab0bfa1454dec1ba6f9f9acc6054a25bef78ba0
                                                                                                                                • Instruction ID: 488db1e99cfeb5417ebb646d00dc81523c33d250044f1fc6c9d1dd763a6828c9
                                                                                                                                • Opcode Fuzzy Hash: e65195d1055a49ec5e2146fc3ab0bfa1454dec1ba6f9f9acc6054a25bef78ba0
                                                                                                                                • Instruction Fuzzy Hash: 8441173150CBC18AE3359A38849839FBFD16BD6324F288A5DE6F50B3E2C6758449CB53
                                                                                                                                Function 004374BD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 93COMMON
                                                                                                                                Download Yara Rule
                                                                                                                                APIs
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.2330039388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: Variant$ClearInit
                                                                                                                                • String ID: $
                                                                                                                                • API String ID: 2610073882-3993045852
                                                                                                                                • Opcode ID: 4debe10e2c6c3bfb1c3cc7ebc7246cce280648966f7e4af4bcda30fbc818b53b
                                                                                                                                • Instruction ID: 8a8eff40c5e3c4b5119bd048d2dd83b4796895a78a09b94ebe6708051f5887fa
                                                                                                                                • Opcode Fuzzy Hash: 4debe10e2c6c3bfb1c3cc7ebc7246cce280648966f7e4af4bcda30fbc818b53b
                                                                                                                                • Instruction Fuzzy Hash: BE41153150CBC18AD335DA3C845874ABED16BA6324F284B9DE5F58B3E2C6748449CB93