
Windows Analysis Report
OD5lecPHBl.exe

Overview

General Information

Sample name: OD5lecPHBl.exe (renamed because original name is a hash value)
Original sample name: 0952f1807b723ec12d25b065df66df3f71db7e06f2396e574bda46940637cbee.exe
Analysis ID: 1555754
MD5: 9d0b578d87884a647349cb0a9fe059e1
SHA1: 5eb2333e0dc2709b695939f945276cbbaa4c5b3d
SHA256: 0952f1807b723ec12d25b065df66df3f71db7e06f2396e574bda46940637cbee
Tags: exe, repostebhu-sbs, user-JAMESWT_MHT

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
LummaC encrypted strings found
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a global mouse hook
Installs a raw input device (often for capturing keystrokes)
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • OD5lecPHBl.exe (PID: 4100 cmdline: "C:\Users\user\Desktop\OD5lecPHBl.exe" MD5: 9D0B578D87884A647349CB0A9FE059E1)
    • BitLockerToGo.exe (PID: 744 cmdline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["thinkyyokej.sbs", "officenba.cyou", "explainvees.sbs", "rottieud.sbs", "repostebhu.sbs", "ducksringjk.sbs", "tamedgeesy.sbs", "brownieyuz.sbs", "relalingj.sbs"], "Build id": "PLATINA--"}
Source: decrypted.memstr | Rule: JoeSecurity_LummaCStealer_2 | Description: Yara detected LummaC Stealer | Author: Joe Security
    No Sigma rule has matched
    Timestamp                        SID      Severity  Classtype                             Source IP       Source Port  Destination IP   Destination Port  Protocol
    2024-11-14T12:18:28.611987+0100  2022930  1         A Network Trojan was detected         52.149.20.212   443          192.168.2.7      49744             TCP
    2024-11-14T12:19:07.339365+0100  2022930  1         A Network Trojan was detected         20.12.23.50     443          192.168.2.7      49964             TCP
    2024-11-14T12:18:34.771204+0100  2028371  3         Unknown Traffic                       192.168.2.7     49788        104.102.49.254   443               TCP
    2024-11-14T12:18:33.791570+0100  2057334  1         Domain Observed Used for C2 Detected  192.168.2.7     60031        1.1.1.1          53                UDP
    2024-11-14T12:18:33.740422+0100  2057338  1         Domain Observed Used for C2 Detected  192.168.2.7     49813        1.1.1.1          53                UDP
    2024-11-14T12:18:33.764625+0100  2057340  1         Domain Observed Used for C2 Detected  192.168.2.7     63330        1.1.1.1          53                UDP
    2024-11-14T12:18:33.844509+0100  2057344  1         Domain Observed Used for C2 Detected  192.168.2.7     62901        1.1.1.1          53                UDP
    2024-11-14T12:18:33.687486+0100  2057346  1         Domain Observed Used for C2 Detected  192.168.2.7     49477        1.1.1.1          53                UDP
    2024-11-14T12:18:33.818391+0100  2057348  1         Domain Observed Used for C2 Detected  192.168.2.7     51280        1.1.1.1          53                UDP
    2024-11-14T12:18:33.875115+0100  2057350  1         Domain Observed Used for C2 Detected  192.168.2.7     59847        1.1.1.1          53                UDP
    2024-11-14T12:18:33.712770+0100  2057354  1         Domain Observed Used for C2 Detected  192.168.2.7     49318        1.1.1.1          53                UDP
    2024-11-14T12:18:35.395577+0100  2858666  1         Domain Observed Used for C2 Detected  192.168.2.7     49788        104.102.49.254   443               TCP


    AV Detection

    Source: 9.2.BitLockerToGo.exe.400000.0.raw.unpack | Malware Configuration Extractor: LummaC {"C2 url": ["thinkyyokej.sbs", "officenba.cyou", "explainvees.sbs", "rottieud.sbs", "repostebhu.sbs", "ducksringjk.sbs", "tamedgeesy.sbs", "brownieyuz.sbs", "relalingj.sbs"], "Build id": "PLATINA--"}
    Source: OD5lecPHBl.exe | ReversingLabs: Detection: 36%
    Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
    Source: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: tamedgeesy.sbs
    Source: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: relalingj.sbs
    Source: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: rottieud.sbs
    Source: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: brownieyuz.sbs
    Source: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: explainvees.sbs
    Source: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: ducksringjk.sbs
    Source: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: thinkyyokej.sbs
    Source: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: repostebhu.sbs
    Source: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: officenba.cyou
    Source: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
    Source: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: TeslaBrowser/5.5
    Source: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: - Screen Resoluton:
    Source: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: - Physical Installed Memory:
    Source: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: Workgroup: -
    Source: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: PLATINA--
    Source: OD5lecPHBl.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED
    Source: unknown | HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.7:49788 version: TLS 1.2
    Source: OD5lecPHBl.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], A489A0F1h | 9_2_004382B3
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov dword ptr [edx], B9BABBD4h | 9_2_00437DD6
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx esi, byte ptr [esp+ecx+000001B0h] | 9_2_00409DF0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov byte ptr [edi], cl | 9_2_00426022
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov edi, ecx | 9_2_00417830
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov ecx, eax | 9_2_0041C0C0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx ebx, byte ptr [edx] | 9_2_0042F8C0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+743261FBh] | 9_2_0040D0E2
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov word ptr [ecx], dx | 9_2_00415F53
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h | 9_2_0041D090
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx eax, byte ptr [esp+ecx-6426E4ABh] | 9_2_0043A140
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx edx, byte ptr [esp+edi+366BA2A7h] | 9_2_0043A140
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx esi, byte ptr [esp+ecx-2Fh] | 9_2_0040D902
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx ecx, byte ptr [edi] | 9_2_0042411F
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov byte ptr [edi], al | 9_2_00409120
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp dword ptr [ebx+edi*8], B62B8D10h | 9_2_00433120
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov byte ptr [edi], al | 9_2_004191C0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov ecx, dword ptr [eax+edi-04h] | 9_2_004191C0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov edi, eax | 9_2_004261F5
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov byte ptr [ebx], al | 9_2_0041718E
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h | 9_2_0043C190
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx ebx, bx | 9_2_004201AA
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx esi, byte ptr [esp+ecx-2Fh] | 9_2_0040D9B3
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then test esi, esi | 9_2_00428A40
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov ecx, ebx | 9_2_0042724E
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-7A73AB17h] | 9_2_00413A6E
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov edi, eax | 9_2_00426223
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp dword ptr [ecx+edi*8], 33079CCDh | 9_2_0043C2C0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx esi, byte ptr [eax] | 9_2_0043AAD0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov eax, ebx | 9_2_0043AAD0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov ecx, ebx | 9_2_004272D4
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax-67h] | 9_2_0041D2F0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov edi, eax | 9_2_00426287
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h | 9_2_00425350
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov eax, ebx | 9_2_0043B360
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov eax, ebp | 9_2_00405B10
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov eax, ebp | 9_2_00405B10
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov ecx, ebx | 9_2_00427311
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov ecx, ebx | 9_2_00427323
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx edx, byte ptr [eax+ecx] | 9_2_0040ABD0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov eax, dword ptr [004431A4h] | 9_2_004243E0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then push esi | 9_2_004243E0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx esi, byte ptr [ebp+edi-6426E4CFh] | 9_2_0043ABF0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx esi, byte ptr [eax] | 9_2_0043ABF0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov eax, ebx | 9_2_0043ABF0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov ebp, ecx | 9_2_00433400
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx ecx, word ptr [esi+eax+02h] | 9_2_00433400
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov ebx, edx | 9_2_00425C20
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov edi, ecx | 9_2_00426C30
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov byte ptr [ebx], al | 9_2_00426C30
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov byte ptr [edi], al | 9_2_00427CA8
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then jmp eax | 9_2_004134B9
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx esi, byte ptr [esp+ecx-1Bh] | 9_2_00416D13
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov byte ptr [esi], cl | 9_2_00416D13
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov ebx, eax | 9_2_00416D13
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax] | 9_2_004395F0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov ebx, dword ptr [edi+04h] | 9_2_00424DA0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov byte ptr [edx], al | 9_2_004265B4
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-7A73AB3Fh] | 9_2_00413E43
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx edx, byte ptr [esi+eax-07CB7C13h] | 9_2_00436E53
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx edx, byte ptr [ebp+ecx-01h] | 9_2_00419E60
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov ecx, eax | 9_2_0041EE12
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov edx, eax | 9_2_0041EE12
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx esi, word ptr [eax] | 9_2_0041EE12
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov edx, ecx | 9_2_0041EE12
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp dword ptr [ebx+edi*8], B62B8D10h | 9_2_0041EE12
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov byte ptr [edx], al | 9_2_0042662A
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx ecx, word ptr [ebp+00h] | 9_2_00407630
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then jmp ecx | 9_2_0043B630
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov ebp, eax | 9_2_00403E80
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then add ecx, edx | 9_2_004326B0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov ebx, eax | 9_2_00402740
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov word ptr [ecx], dx | 9_2_00415F53
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov eax, ebx | 9_2_0043AF30
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov dword ptr [esp+2Ch], eax | 9_2_0043AFF0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov eax, ebx | 9_2_0043AFF0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 89C57E52h | 9_2_004397F0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp dword ptr [edx+eax*8], C3CDC4A6h | 9_2_004397F0

    Networking

    Source: Network traffic | Suricata IDS: 2057346 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (repostebhu .sbs) : 192.168.2.7:49477 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2057338 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ducksringjk .sbs) : 192.168.2.7:49813 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2057348 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rottieud .sbs) : 192.168.2.7:51280 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2057350 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tamedgeesy .sbs) : 192.168.2.7:59847 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2057354 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thinkyyokej .sbs) : 192.168.2.7:49318 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2057334 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (brownieyuz .sbs) : 192.168.2.7:60031 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2057344 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (relalingj .sbs) : 192.168.2.7:62901 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2057340 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (explainvees .sbs) : 192.168.2.7:63330 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.7:49788 -> 104.102.49.254:443
    Source: Malware configuration extractor | URLs: thinkyyokej.sbs
    Source: Malware configuration extractor | URLs: officenba.cyou
    Source: Malware configuration extractor | URLs: explainvees.sbs
    Source: Malware configuration extractor | URLs: rottieud.sbs
    Source: Malware configuration extractor | URLs: repostebhu.sbs
    Source: Malware configuration extractor | URLs: ducksringjk.sbs
    Source: Malware configuration extractor | URLs: tamedgeesy.sbs
    Source: Malware configuration extractor | URLs: brownieyuz.sbs
    Source: Malware configuration extractor | URLs: relalingj.sbs
    Source: Joe Sandbox View | IP Address: 104.102.49.254 104.102.49.254
    Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
    Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49788 -> 104.102.49.254:443
    Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.7:49964
    Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.7:49744
    Source: global traffic | HTTP traffic detected:
        GET /profiles/76561199724331900 HTTP/1.1
        Connection: Keep-Alive
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
        Host: steamcommunity.com
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: global traffic | HTTP traffic detected:
        GET /profiles/76561199724331900 HTTP/1.1
        Connection: Keep-Alive
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
        Host: steamcommunity.com
    Source: BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
    Source: BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C129b19db70bc2b7ff2901c827e2c9472; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=13d487890248b88a6fd7d970; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type26214Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveThu, 14 Nov 2024 11:18:35 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
    Source: BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
    Source: global traffic | DNS traffic detected: DNS query: officenba.cyou
    Source: global traffic | DNS traffic detected: DNS query: repostebhu.sbs
    Source: global traffic | DNS traffic detected: DNS query: thinkyyokej.sbs
    Source: global traffic | DNS traffic detected: DNS query: ducksringjk.sbs
    Source: global traffic | DNS traffic detected: DNS query: explainvees.sbs
    Source: global traffic | DNS traffic detected: DNS query: brownieyuz.sbs
    Source: global traffic | DNS traffic detected: DNS query: rottieud.sbs
    Source: global traffic | DNS traffic detected: DNS query: relalingj.sbs
    Source: global traffic | DNS traffic detected: DNS query: tamedgeesy.sbs
    Source: global traffic | DNS traffic detected: DNS query: steamcommunity.com
    Source: OD5lecPHBl.exe | String found in binary or memory: http://.css
    Source: OD5lecPHBl.exe | String found in binary or memory: http://.jpg
    Source: BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:27060
    Source: OD5lecPHBl.exe | String found in binary or memory: http://169.254.169.254/latest/api/tokeninvalid
    Source: OD5lecPHBl.exe | String found in binary or memory: http://html4/loose.dtd
    Source: BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505910007.0000000002FAE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.1506634986.0000000002FAF000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
    Source: BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505910007.0000000002FAE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.1506634986.0000000002FAF000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered.com/privacy_agreement/
    Source: BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505910007.0000000002FAE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.1506634986.0000000002FAF000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
    Source: BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.valvesoftware.com/legal.htm
    Source: BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.steampowered.com/
    Source: BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://broadcast.st.dl.eccdnx.com
    Source: BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/
    Source: BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://checkout.steampowered.com/
    Source: BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.cloudflare.steamstatic.com/
    Source: BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505910007.0000000002FAE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.1506634986.0000000002FAF000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/applications/community/main.css?v=29ZhU4wRbl
    Source: BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002FB3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.1506634986.0000000002FB3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.1506383649.0000000002F6D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/globalv2.css?v=pwVcIAtHNXwg&l=english&am
    Source: BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002FB3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.1506634986.0000000002FB3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.1506383649.0000000002F6D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/fatalerror.css?v=wctRWaBvNt2z&l=e
    Source: BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002FB3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.1506634986.0000000002FB3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/header.css?v=vh4BMeDcNiCU&l
    Source: BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.1506383649.0000000002F6D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/header.css?v=vh4BMeDcNiCU&l=engli
    Source: BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505910007.0000000002FAE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.1506634986.0000000002FAF000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
    Source: BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505910007.0000000002FAE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.1506634986.0000000002FAF000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28b
    Source: BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505910007.0000000002FAE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.1506634986.0000000002FAF000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/main.js?v=2ido
    Source: BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505910007.0000000002FAE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.1506634986.0000000002FAF000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=
    Source: BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505910007.0000000002FAE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/global.js?v=bOP7RorZq4_W&l=englis
    Source: BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505910007.0000000002FAE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC&
    Source: BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505910007.0000000002FAE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw&
    Source: BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505910007.0000000002FAE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpE
    Source: BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002FB3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.1506634986.0000000002FB3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.1506383649.0000000002F6D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=tuNiaSwXwcYT&l=engl
    Source: BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002FB3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.1506634986.0000000002FB3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.1506383649.0000000002F6D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=GfSjbGKcNYaQ&l=
    Source: BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002FB3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.1506634986.0000000002FB3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.1506383649.0000000002F6D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=Ff_1prscqzeu&
    Source: BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002FB3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.1506634986.0000000002FB3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.1506383649.0000000002F6D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=eghn9DNyCY67&
    Source: BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
    Source: BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png
    Source: BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.p
    Source: BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
    Source: BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505910007.0000000002FAE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1
    Source: BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505910007.0000000002FAE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=wJD9maDpDcV
    Source: BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505910007.0000000002FAE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v
    Source: BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505910007.0000000002FAE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0&amp
    Source: BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.steampowered.com/
    Source: BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.steampowered.com/en/
    Source: BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.steampowered.com/
    Source: BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lv.queniujq.cn
    Source: BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://medal.tv
    Source: BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://player.vimeo.com
    Source: BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://recaptcha.net
    Source: BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://recaptcha.net/recaptcha/;
    Source: BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://s.ytimg.com;
    Source: BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sketchfab.com
    Source: BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steam.tv/
    Source: BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcast-test.akamaized.net
    Source: BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcast.akamaized.net
    Source: BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcastchat.akamaized.net
    Source: BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505910007.0000000002FAE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.1506634986.0000000002FAF000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com
    Source: BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/
    Source: BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
    Source: BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F41000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.1506383649.0000000002F41000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/XQ
    Source: BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/discussions/
    Source: BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505910007.0000000002FAE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.1506634986.0000000002FAF000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
    Source: BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505910007.0000000002FAE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
    Source: BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/market/
    Source: BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/my/wishlist/
    Source: BitLockerToGo.exe, 00000009.00000002.1506383649.0000000002F41000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
    Source: BitLockerToGo.exe, 00000009.00000002.1506383649.0000000002F6D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/re
    Source: BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/workshop/
    Source: BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/
    Source: BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/;
    Source: BitLockerToGo.exe, 00000009.00000002.1506383649.0000000002F6D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C129b19db70bc2b7
    Source: BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/about/
    Source: BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505910007.0000000002FAE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.1506634986.0000000002FAF000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/explore/
    Source: BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505910007.0000000002FAE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.1506634986.0000000002FAF000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/legal/
    Source: BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/mobile
    Source: BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/news/
    Source: BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/points/shop/
    Source: BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/privacy_agreement/
    Source: BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/stats/
    Source: BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/steam_refunds/
    Source: BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/subscriber_agreement/
    Source: BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
    Source: BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/recaptcha/
    Source: BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.cn/recaptcha/
    Source: BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/recaptcha/
    Source: BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505910007.0000000002FAE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.1506634986.0000000002FAF000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
    Source: BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com
    Source: BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49788
    Source: unknown | Network traffic detected: HTTP traffic on port 49788 -> 443
    Source: unknown | HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.7:49788 version: TLS 1.2
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 9_2_0042D600 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 9_2_0042E155 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt
    Source: glfw.3124571041.dll.0.dr | Binary or memory string: DirectInput8Create memstr_3ce9868b-f
    Source: C:\Users\user\Desktop\OD5lecPHBl.exe | Windows user hook set: 0 mouse low level C:\Windows\SYSTEM32\dinput8.dll
    Source: glfw.3124571041.dll.0.dr | Binary or memory string: GetRawInputData memstr_8c11a132-3
    Source: C:\Users\user\Desktop\OD5lecPHBl.exe | Process Stats: CPU usage > 49%
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 9_2_0040C6609_2_0040C660
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 9_2_00404E739_2_00404E73
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 9_2_0041EE129_2_0041EE12
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 9_2_004076309_2_00407630
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 9_2_004166D09_2_004166D0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 9_2_0042A6D59_2_0042A6D5
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 9_2_004206E09_2_004206E0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 9_2_00403E809_2_00403E80
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 9_2_004066809_2_00406680
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 9_2_004326B09_2_004326B0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 9_2_0042CF509_2_0042CF50
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 9_2_0042375D9_2_0042375D
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 9_2_00418F709_2_00418F70
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 9_2_00434F709_2_00434F70
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 9_2_0043AF309_2_0043AF30
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 9_2_004217C29_2_004217C2
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 9_2_0040DFC09_2_0040DFC0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 9_2_0043AFF09_2_0043AFF0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 9_2_004397F09_2_004397F0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: String function: 004132C0 appears 76 times
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: String function: 00408170 appears 43 times
    Source: glfw.3124571041.dll.0.drStatic PE information: Number of sections : 17 > 10
    Source: OD5lecPHBl.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED
    Source: classification engineClassification label: mal100.troj.evad.winEXE@3/1@10/1
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 9_2_0041D090 CoCreateInstance,9_2_0041D090
    Source: C:\Users\user\Desktop\OD5lecPHBl.exeFile created: C:\Users\user~1\AppData\Local\Temp\glfw.3124571041.dllJump to behavior
    Source: OD5lecPHBl.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\OD5lecPHBl.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: OD5lecPHBl.exeReversingLabs: Detection: 36%
    Source: OD5lecPHBl.exeString found in binary or memory: )go.mongodb.org/mongo-driver/mongo/address
    Source: OD5lecPHBl.exe | String found in binary or memory: go.mongodb.org/mongo-driver/mongo/address.Address.Network
    Source: OD5lecPHBl.exe | String found in binary or memory: go.mongodb.org/mongo-driver/mongo/address.Address.String
    Source: OD5lecPHBl.exe | String found in binary or memory: go.mongodb.org/mongo-driver/mongo/address.Address.Canonicalize
    Source: OD5lecPHBl.exe | String found in binary or memory: go.mongodb.org/mongo-driver/mongo/address.(*Address).Canonicalize
    Source: OD5lecPHBl.exe | String found in binary or memory: go.mongodb.org/mongo-driver/mongo/address.(*Address).Network
    Source: OD5lecPHBl.exe | String found in binary or memory: go.mongodb.org/mongo-driver/mongo/address.(*Address).String
    Source: OD5lecPHBl.exe | String found in binary or memory: net/addrselect.go
    Source: OD5lecPHBl.exe | String found in binary or memory: github.com/saferwall/pe@v1.5.4/loadconfig.go
    Source: OD5lecPHBl.exe | String found in binary or memory: github.com/hajimehoshi/ebiten@v1.12.12/internal/glfw/load_windows.go
    Source: OD5lecPHBl.exe | String found in binary or memory: go.mongodb.org/mongo-driver@v1.11.4/mongo/address/addr.go
    Source: OD5lecPHBl.exe | String found in binary or memory: overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script>
Source: C:\Users\user\Desktop\OD5lecPHBl.exe; File read: C:\Users\user\Desktop\OD5lecPHBl.exe
Source: unknown; Process created: C:\Users\user\Desktop\OD5lecPHBl.exe "C:\Users\user\Desktop\OD5lecPHBl.exe"
Source: C:\Users\user\Desktop\OD5lecPHBl.exe; Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\Desktop\OD5lecPHBl.exe; Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\OD5lecPHBl.exe; Section loaded: winmm.dll
Source: C:\Users\user\Desktop\OD5lecPHBl.exe; Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\OD5lecPHBl.exe; Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\OD5lecPHBl.exe; Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\OD5lecPHBl.exe; Section loaded: dinput8.dll
Source: C:\Users\user\Desktop\OD5lecPHBl.exe; Section loaded: xinput1_4.dll
Source: C:\Users\user\Desktop\OD5lecPHBl.exe; Section loaded: devobj.dll
Source: C:\Users\user\Desktop\OD5lecPHBl.exe; Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\OD5lecPHBl.exe; Section loaded: inputhost.dll
Source: C:\Users\user\Desktop\OD5lecPHBl.exe; Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\OD5lecPHBl.exe; Section loaded: propsys.dll
Source: C:\Users\user\Desktop\OD5lecPHBl.exe; Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\OD5lecPHBl.exe; Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\OD5lecPHBl.exe; Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\OD5lecPHBl.exe; Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\OD5lecPHBl.exe; Section loaded: hid.dll
Source: C:\Users\user\Desktop\OD5lecPHBl.exe; Section loaded: msasn1.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe; Section loaded: winhttp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe; Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe; Section loaded: webio.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe; Section loaded: mswsock.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe; Section loaded: iphlpapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe; Section loaded: winnsi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe; Section loaded: sspicli.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe; Section loaded: dnsapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe; Section loaded: rasadhlp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe; Section loaded: fwpuclnt.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe; Section loaded: schannel.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe; Section loaded: mskeyprotect.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe; Section loaded: ntasn1.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe; Section loaded: ncrypt.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe; Section loaded: ncryptsslp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe; Section loaded: msasn1.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe; Section loaded: cryptsp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe; Section loaded: rsaenh.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe; Section loaded: cryptbase.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe; Section loaded: gpapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe; Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\OD5lecPHBl.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25E609E4-B259-11CF-BFC7-444553540000}\InProcServer32
Source: OD5lecPHBl.exe; Static PE information: Virtual size of .text is bigger than: 0x100000
Source: OD5lecPHBl.exe; Static file information: File size 33547264 > 1048576
Source: OD5lecPHBl.exe; Static PE information: Raw size of .text is bigger than: 0x100000 < 0x6c6c00
Source: OD5lecPHBl.exe; Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x70ee00
Source: OD5lecPHBl.exe; Static PE information: Raw size of .data is bigger than: 0x100000 < 0x1b9200
Source: OD5lecPHBl.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: OD5lecPHBl.exe; Static PE information: section name: .symtab
Source: glfw.3124571041.dll.0.dr; Static PE information: section name: /4
Source: glfw.3124571041.dll.0.dr; Static PE information: section name: /19
Source: glfw.3124571041.dll.0.dr; Static PE information: section name: /31
Source: glfw.3124571041.dll.0.dr; Static PE information: section name: /45
Source: glfw.3124571041.dll.0.dr; Static PE information: section name: /57
Source: glfw.3124571041.dll.0.dr; Static PE information: section name: /70
Source: glfw.3124571041.dll.0.dr; Static PE information: section name: /81
Source: glfw.3124571041.dll.0.dr; Static PE information: section name: /92
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe; Code function: 9_2_0043E7DA push esp; iretd 9_2_0043E7DD
Source: C:\Users\user\Desktop\OD5lecPHBl.exe; File created: C:\Users\user\AppData\Local\Temp\glfw.3124571041.dll
Source: C:\Users\user\Desktop\OD5lecPHBl.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\OD5lecPHBl.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OD5lecPHBl.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\glfw.3124571041.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 6836; Thread sleep time: -60000s >= -30000s
Source: BitLockerToGo.exe, 00000009.00000002.1506312185.0000000002F1C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.1506383649.0000000002F6D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW
Source: OD5lecPHBl.exe, 00000000.00000002.1491216058.0000000001638000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll'
Source: BitLockerToGo.exe, 00000009.00000002.1506383649.0000000002F6D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAWL
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe; Code function: 9_2_00437EC0 LdrInitializeThunk, 9_2_00437EC0

    HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\OD5lecPHBl.exe; Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\OD5lecPHBl.exe; Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 value starts with: 4D5A
Source: OD5lecPHBl.exe, 00000000.00000003.1485170207.000000001263A000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: tamedgeesy.sbs
Source: OD5lecPHBl.exe, 00000000.00000003.1485170207.000000001263A000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: relalingj.sbs
Source: OD5lecPHBl.exe, 00000000.00000003.1485170207.000000001263A000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: rottieud.sbs
Source: OD5lecPHBl.exe, 00000000.00000003.1485170207.000000001263A000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: brownieyuz.sbs
Source: OD5lecPHBl.exe, 00000000.00000003.1485170207.000000001263A000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: explainvees.sbs
Source: OD5lecPHBl.exe, 00000000.00000003.1485170207.000000001263A000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: ducksringjk.sbs
Source: OD5lecPHBl.exe, 00000000.00000003.1485170207.000000001263A000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: thinkyyokej.sbs
Source: OD5lecPHBl.exe, 00000000.00000003.1485170207.000000001263A000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: repostebhu.sbs
Source: OD5lecPHBl.exe, 00000000.00000003.1485170207.000000001263A000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: officenba.cyou
Source: C:\Users\user\Desktop\OD5lecPHBl.exe; Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2A41008
Source: C:\Users\user\Desktop\OD5lecPHBl.exe; Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000
Source: C:\Users\user\Desktop\OD5lecPHBl.exe; Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 401000
Source: C:\Users\user\Desktop\OD5lecPHBl.exe; Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 43D000
Source: C:\Users\user\Desktop\OD5lecPHBl.exe; Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 440000
Source: C:\Users\user\Desktop\OD5lecPHBl.exe; Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 451000
Source: C:\Users\user\Desktop\OD5lecPHBl.exe; Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 452000
Source: C:\Users\user\Desktop\OD5lecPHBl.exe; Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\Desktop\OD5lecPHBl.exe; Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Users\user\Desktop\OD5lecPHBl.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

    Stealing of Sensitive Information

Source: Yara match; File source: decrypted.memstr, type: MEMORYSTR

    Remote Access Functionality

Source: Yara match; File source: decrypted.memstr, type: MEMORYSTR
MITRE ATT&CK Matrix (techniques listed per tactic column; a number before a technique is the signature count shown in the matrix)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: 2 Command and Scripting Interpreter; 1 PowerShell; At; Cron; Launchd
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Privilege Escalation: 311 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script
Defense Evasion: 1 Virtualization/Sandbox Evasion; 311 Process Injection; 11 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 1 DLL Side-Loading
Credential Access: 31 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: 1 Security Software Discovery; 1 Virtualization/Sandbox Evasion; 12 System Information Discovery; System Network Configuration Discovery; Internet Connection Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: 1 Screen Capture; 31 Input Capture; 1 Archive Collected Data; 2 Clipboard Data; Keylogging
Command and Control: 11 Encrypted Channel; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 113 Application Layer Protocol; Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
Antivirus detection (sample)
Source | Detection | Scanner | Label | Link
OD5lecPHBl.exe | 37% | ReversingLabs | Win32.Spyware.Lummastealer |

Antivirus detection (dropped files)
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\glfw.3124571041.dll | 0% | ReversingLabs | |

No Antivirus matches
No Antivirus matches

Antivirus detection (URLs)
Source | Detection | Scanner | Label | Link
http://169.254.169.254/latest/api/tokeninvalid | 0% | Avira URL Cloud | safe |
officenba.cyou | 0% | Avira URL Cloud | safe |
Contacted domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
steamcommunity.com | 104.102.49.254 | true | false | | high
rottieud.sbs | unknown | unknown | false | | high
tamedgeesy.sbs | unknown | unknown | false | | high
brownieyuz.sbs | unknown | unknown | false | | high
officenba.cyou | unknown | unknown | true | | unknown
repostebhu.sbs | unknown | unknown | false | | high
explainvees.sbs | unknown | unknown | false | | high
relalingj.sbs | unknown | unknown | false | | high
thinkyyokej.sbs | unknown | unknown | false | | high
ducksringjk.sbs | unknown | unknown | false | | high
Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
repostebhu.sbs | false | | high
brownieyuz.sbs | false | | high
rottieud.sbs | false | | high
tamedgeesy.sbs | false | | high
officenba.cyou | true | Avira URL Cloud: safe | unknown
https://steamcommunity.com/profiles/76561199724331900 | false | | high
thinkyyokej.sbs | false | | high
ducksringjk.sbs | false | | high
relalingj.sbs | false | | high
URLs from memory and binaries
Name | Source | Malicious | Antivirus Detection | Reputation
https://steamcommunity.com/my/wishlist/ | BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://html4/loose.dtd | OD5lecPHBl.exe | false | | high
https://player.vimeo.com | BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.cloudflare.steamstatic.com/public/javascript/applications/community/main.js?v=2ido | BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505910007.0000000002FAE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.1506634986.0000000002FAF000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.cloudflare.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC& | BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505910007.0000000002FAE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://steamcommunity.com/?subsection=broadcasts | BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://help.steampowered.com/en/ | BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=wJD9maDpDcV | BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505910007.0000000002FAE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://steamcommunity.com/market/ | BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://store.steampowered.com/news/ | BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://store.steampowered.com/subscriber_agreement/ | BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.gstatic.cn/recaptcha/ | BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.cloudflare.steamstatic.com/public/css/applications/community/main.css?v=29ZhU4wRbl | BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505910007.0000000002FAE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.1506634986.0000000002FAF000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://store.steampowered.com/subscriber_agreement/ | BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505910007.0000000002FAE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.1506634986.0000000002FAF000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v= | BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505910007.0000000002FAE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.1506634986.0000000002FAF000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org | BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505910007.0000000002FAE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.1506634986.0000000002FAF000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.cloudflare.steamstatic.com/public/css/skin_1/header.css?v=vh4BMeDcNiCU&amp;l | BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002FB3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.1506634986.0000000002FB3000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://.css | OD5lecPHBl.exe | false | | high
https://recaptcha.net/recaptcha/; | BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.cloudflare.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpE | BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505910007.0000000002FAE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.valvesoftware.com/legal.htm | BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://steamcommunity.com/discussions/ | BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.youtube.com | BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.google.com | BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://store.steampowered.com/stats/ | BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.cloudflare.steamstatic.com/public/javascript/global.js?v=bOP7RorZq4_W&amp;l=englis | BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505910007.0000000002FAE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://medal.tv | BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://broadcast.st.dl.eccdnx.com | BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0&amp | BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505910007.0000000002FAE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://store.steampowered.com/steam_refunds/ | BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v | BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505910007.0000000002FAE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C129b19db70bc2b7 | BitLockerToGo.exe, 00000009.00000002.1506383649.0000000002F6D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.p | BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback | BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505910007.0000000002FAE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.1506634986.0000000002FAF000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900 | BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505910007.0000000002FAE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.cloudflare.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1 | BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505910007.0000000002FAE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmp | false | |
                                                                                                                high
                                                                                                                https://s.ytimg.com;BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  https://steamcommunity.com/workshop/BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    https://login.steampowered.com/BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      https://store.steampowered.com/legal/BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505910007.0000000002FAE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.1506634986.0000000002FAF000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        http://.jpgOD5lecPHBl.exefalse
                                                                                                                          high
                                                                                                                          https://steam.tv/BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            https://steamcommunity.com/XQBitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F41000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.1506383649.0000000002F41000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=tuNiaSwXwcYT&amp;l=englBitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002FB3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.1506634986.0000000002FB3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.1506383649.0000000002F6D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=GfSjbGKcNYaQ&amp;l=BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002FB3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.1506634986.0000000002FB3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.1506383649.0000000002F6D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw&amp;BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505910007.0000000002FAE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    https://community.cloudflare.steamstatic.com/public/css/globalv2.css?v=pwVcIAtHNXwg&amp;l=english&amBitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002FB3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.1506634986.0000000002FB3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.1506383649.0000000002F6D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://store.steampowered.com/privacy_agreement/BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505910007.0000000002FAE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.1506634986.0000000002FAF000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=eghn9DNyCY67&BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002FB3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.1506634986.0000000002FB3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.1506383649.0000000002F6D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          https://community.cloudflare.steamstatic.com/public/css/skin_1/header.css?v=vh4BMeDcNiCU&amp;l=engliBitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.1506383649.0000000002F6D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            https://store.steampowered.com/points/shop/BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              https://recaptcha.netBitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                https://store.steampowered.com/BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  https://community.cloudflare.steamstatic.com/public/css/skin_1/fatalerror.css?v=wctRWaBvNt2z&amp;l=eBitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002FB3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.1506634986.0000000002FB3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.1506383649.0000000002F6D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    https://steamcommunity.comBitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505910007.0000000002FAE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.1506634986.0000000002FAF000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=Ff_1prscqzeu&amp;BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002FB3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.1506634986.0000000002FB3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.1506383649.0000000002F6D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        https://sketchfab.comBitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          https://lv.queniujq.cnBitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            https://www.youtube.com/BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              http://127.0.0.1:27060BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                http://169.254.169.254/latest/api/tokeninvalidOD5lecPHBl.exefalse
                                                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                                                unknown
                                                                                                                                                                https://store.steampowered.com/privacy_agreement/BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                    high
                                                                                                                                                                    https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.pngBitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                      high
                                                                                                                                                                      https://community.cloudflare.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505910007.0000000002FAE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.1506634986.0000000002FAF000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                        high
                                                                                                                                                                        https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                          high
                                                                                                                                                                          https://www.google.com/recaptcha/BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                            high
                                                                                                                                                                            https://checkout.steampowered.com/BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                              high
                                                                                                                                                                              https://help.steampowered.com/BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                high
                                                                                                                                                                                https://api.steampowered.com/BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                  high
                                                                                                                                                                                  https://steamcommunity.com/reBitLockerToGo.exe, 00000009.00000002.1506383649.0000000002F6D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                    high
                                                                                                                                                                                    https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28bBitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505910007.0000000002FAE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.1506634986.0000000002FAF000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                      high
                                                                                                                                                                                      http://store.steampowered.com/account/cookiepreferences/BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505910007.0000000002FAE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.1506634986.0000000002FAF000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                        high
                                                                                                                                                                                        https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.pngBitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                          high
                                                                                                                                                                                          https://store.steampowered.com/mobileBitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                            high
                                                                                                                                                                                            https://steamcommunity.com/BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                              high
                                                                                                                                                                                              https://store.steampowered.com/;BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                high
                                                                                                                                                                                                https://store.steampowered.com/about/BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                  high
                                                                                                                                                                                                  https://community.cloudflare.steamstatic.com/BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                    high
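Almost every row in the URL table above is page content of the Steam community page whose HTML sits in the BitLockerToGo.exe memory dumps; the entries an analyst actually wants to look at are the ones that are not. The following Python script is an added example by the editor, not part of the Joe Sandbox report. It parses rows laid out like this table (Name, Source, Malicious, Reputation), splits the Source column into process names and memory-dump identifiers, and orders the rows by a triage heuristic of its own: the link-local cloud-metadata address and loopback addresses first, then hosts outside an allowlist of Steam and Valve content hosts, then malformed strings, and expected content last. The six embedded rows are copied from this page; the allowlist, the category names and the priority order are the example's assumptions, not anything the report states.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed input: six rows copied from the URL table on this page.
# Each row is (URL as extracted, Joe Sandbox "Source" column, Malicious, Reputation).
SAMPLE_ROWS = [
    ("https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0&amp",
     "BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp, "
     "BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmp",
     "false", "high"),
    ("https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900",
     "BitLockerToGo.exe, 00000009.00000003.1505561487.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp",
     "false", "high"),
    ("http://.jpg", "OD5lecPHBl.exe", "false", "high"),
    ("https://lv.queniujq.cn",
     "BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmp",
     "false", "high"),
    ("http://127.0.0.1:27060",
     "BitLockerToGo.exe, 00000009.00000003.1505628622.0000000002F6D000.00000004.00000020.00020000.00000000.sdmp",
     "false", "high"),
    ("http://169.254.169.254/latest/api/tokeninvalid", "OD5lecPHBl.exe", "false", "unknown"),
]

# Hosts a Steam community page legitimately pulls content from. This allowlist is an
# assumption made for the example; adjust it to the page the sample actually fetched.
EXPECTED_HOST_SUFFIXES = (
    "steamcommunity.com", "steampowered.com", "steamstatic.com", "steam.tv",
    "valvesoftware.com", "google.com", "recaptcha.net", "ytimg.com", "youtube.com",
)

# A memory-dump identifier in the Source column: eight dot-separated hex groups, then "sdmp".
DUMP_TOKEN = re.compile(r"(?:[0-9A-Fa-f]+\.){8}sdmp")

# Triage order: lower number = look at it first. Category names are this example's own.
PRIORITY = {"cloud-metadata": 0, "loopback": 1, "review": 2, "malformed": 3, "expected": 4}


def parse_source(source):
    """Split a Source cell into {process name: [memory dumps the string was found in]}.

    A process name with no dump after it (e.g. "OD5lecPHBl.exe") means the string
    was found in that file on disk rather than in a memory dump.
    """
    found = defaultdict(list)
    current = None
    for token in (t.strip() for t in source.split(",")):
        if not token:
            continue
        if DUMP_TOKEN.fullmatch(token):
            if current is not None:
                found[current].append(token)
        else:
            current = token
            found.setdefault(current, [])
    return dict(found)


def classify_url(url):
    """Bucket a URL string by its host; the buckets are this example's heuristic."""
    # Extracted strings often carry a trailing separator ("https://s.ytimg.com;"), so strip it.
    host = (urlsplit(url).hostname or "").rstrip(";")
    if not host or host.startswith(".") or "." not in host:
        return "malformed"          # e.g. "http://.jpg": a format string fragment, not a real URL
    if host == "169.254.169.254":
        return "cloud-metadata"     # link-local instance-metadata address; no reason for a stealer to know it
    if host.startswith("127.") or host == "localhost":
        return "loopback"
    if any(host == s or host.endswith("." + s) for s in EXPECTED_HOST_SUFFIXES):
        return "expected"
    return "review"                 # host not explained by the fetched page content


def triage(rows):
    """Return one finding per table row, most interesting first."""
    findings = []
    for url, source, malicious, reputation in rows:
        sources = parse_source(source)
        findings.append({
            "category": classify_url(url),
            "url": url,
            "processes": sorted(sources),
            "dump_count": sum(len(dumps) for dumps in sources.values()),
            "malicious": malicious,
            "reputation": reputation,
        })
    findings.sort(key=lambda f: (PRIORITY[f["category"]], f["url"]))
    return findings


def summarize(findings):
    """Count findings per category, for a quick overview line."""
    return Counter(f["category"] for f in findings)


if __name__ == "__main__":
    results = triage(SAMPLE_ROWS)
    for f in results:
        where = ", ".join(f["processes"])
        print(f"{f['category']:<14} {f['url']}  [{where}; {f['dump_count']} dump(s)]")
    print(dict(summarize(results)))
```

Two design points: the Source column is parsed as a sequence rather than a fixed pair because Joe Sandbox repeats the process name before every dump, so a naive split on commas would mis-assign dumps; and the ordering deliberately puts "review" hosts above "malformed" ones, since an unexplained host is a potential indicator while a broken string is usually just a format-string fragment.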
IP | Domain | Country | ASN | ASN Name | Malicious
104.102.49.254 | steamcommunity.com | United States | 16625 | AKAMAI-ASUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1555754
Start date and time: 2024-11-14 12:17:12 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 6s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: OD5lecPHBl.exe
renamed because original name is a hash value
Original Sample Name: 0952f1807b723ec12d25b065df66df3f71db7e06f2396e574bda46940637cbee.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@3/1@10/1
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 81%
• Number of executed functions: 9
• Number of non-executed functions: 112
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target OD5lecPHBl.exe, PID 4100 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: OD5lecPHBl.exe
Time | Type | Description
07:28:49 | API Interceptor | 3x Sleep call for process: BitLockerToGo.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
104.102.49.254 | http://gtm-cn-j4g3qqvf603.steamproxy1.com/ | Get hash | malicious | Unknown | Browse
• www.valvesoftware.com/legal.htm

Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
steamcommunity.com | Tu9UIpROEO.exe | Get hash | malicious | LummaC | Browse
• 104.102.49.254
 | ftoHy3FsuB.exe | Get hash | malicious | LummaC | Browse
• 104.102.49.254
 | alarmer.exe | Get hash | malicious | LummaC | Browse
• 104.102.49.254
 | SOfQumBuFd.exe | Get hash | malicious | Binder HackTool, Stealc, Vidar | Browse
• 104.102.49.254
 | 6DR41XLsFc.exe | Get hash | malicious | LummaC | Browse
• 104.102.49.254
 | nlJ2sNaZVi.exe | Get hash | malicious | LummaC | Browse
• 104.102.49.254
 | Loader.exe | Get hash | malicious | LummaC | Browse
• 104.102.49.254
 | file.exe | Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | Browse
• 23.197.127.21
 | file.exe | Get hash | malicious | LummaC, Stealc, Vidar | Browse
• 23.67.133.187
 | file.exe | Get hash | malicious | LummaC, Stealc, Vidar | Browse
• 23.67.133.187

Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
AKAMAI-ASUS | Tu9UIpROEO.exe | Get hash | malicious | LummaC | Browse
• 104.102.49.254
 | ftoHy3FsuB.exe | Get hash | malicious | LummaC | Browse
• 104.102.49.254
 | mips.elf | Get hash | malicious | Mirai | Browse
• 23.215.95.169
 | spc.elf | Get hash | malicious | Mirai | Browse
• 23.59.85.224
 | file.exe | Get hash | malicious | Amadey, Stealc, Vidar | Browse
• 23.192.223.230
 | alarmer.exe | Get hash | malicious | LummaC | Browse
• 104.102.49.254
 | SOfQumBuFd.exe | Get hash | malicious | Binder HackTool, Stealc, Vidar | Browse
• 104.102.49.254
 | 6DR41XLsFc.exe | Get hash | malicious | LummaC | Browse
• 104.102.49.254
 | nlJ2sNaZVi.exe | Get hash | malicious | LummaC | Browse
• 104.102.49.254
 | file.exe | Get hash | malicious | PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar | Browse
• 184.28.89.167

Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
a0e9f5d64349fb13191bc781f81f42e1 | Tu9UIpROEO.exe | Get hash | malicious | LummaC | Browse
• 104.102.49.254
 | ftoHy3FsuB.exe | Get hash | malicious | LummaC | Browse
• 104.102.49.254
 | file.exe | Get hash | malicious | LummaC | Browse
• 104.102.49.254
 | file.exe | Get hash | malicious | LummaC | Browse
• 104.102.49.254
 | alarmer.exe | Get hash | malicious | LummaC | Browse
• 104.102.49.254
 | file.exe | Get hash | malicious | LummaC | Browse
• 104.102.49.254
 | file.exe | Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | Browse
• 104.102.49.254
 | file.exe | Get hash | malicious | LummaC | Browse
• 104.102.49.254
 | 2024-HRDCL-0000796.xls | Get hash | malicious | Unknown | Browse
• 104.102.49.254
 | DHL Shipment DOCs_002.xls | Get hash | malicious | Unknown | Browse
• 104.102.49.254

Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Users\user\AppData\Local\Temp\glfw.3124571041.dll | gFCeeWNTvZ.exe | Get hash | malicious | LummaC, MicroClip | Browse
Process: C:\Users\user\Desktop\OD5lecPHBl.exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: modified
Size (bytes): 1133967
Entropy (8bit): 6.2621593785107486
Encrypted: false
SSDEEP: 12288:+a8Fde9YR/HHeL8ty/dqBHmShQqNHxhy4pDKP7BXUB:+NFbd9thHBQqNRhy4pDKtM
MD5: 4EC2D5A48D44C814F6AD68011E83A32B
SHA1: 881A6E610EF0B1DDD7BAE3C00A123C895E3DA570
SHA-256: 93CE68219CB0E920A0B9F04A38BBEFF104F530A643FD0A792215572525869F90
SHA-512: FCA67E744FA535AE92C17AEF16DA3CA2FA58811DE0BACB97BA73E716DBDC62CAA1EE43D957E90C9FC93E6BC366EDACCD6D3FF60AE1182F1384BB0B4AE5DCCB07
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: gFCeeWNTvZ.exe, Detection: malicious, Browse
Reputation: low
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........*..b......!...".....L...$...........0....`d................................=......... ......................`.......p..x...........................................................t&...................... s...............................text...$...........................`.P`.data........0......................@.`..rdata.......@.......$..............@.`@.bss.... "...0........................`..edata.......`......................@.0@.idata..x....p......."..............@.0..CRT....,............6..............@.0..tls.................8..............@.0..reloc...............:..............@.0B/4...................R..............@.@B/19.....c............X..............@..B/31......p.......r...n..............@..B/45..... ...........................@..B/57......>.......@..................@.0B/70......Z.......\..................@..B/81.......... .......t..
File type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit): 3.744791010066591
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: OD5lecPHBl.exe
File size: 33'547'264 bytes
MD5: 9d0b578d87884a647349cb0a9fe059e1
SHA1: 5eb2333e0dc2709b695939f945276cbbaa4c5b3d
SHA256: 0952f1807b723ec12d25b065df66df3f71db7e06f2396e574bda46940637cbee
SHA512: 1be312a75e6fcff855c274cc4281af8e84acf0603768468bc2c6c732c2a9620edf09abc01f4cc66b53210b422c0920a75c505688f8cdb4fcb46e671c373682ad
SSDEEP: 196608:AIvKAqjR4ra2EZnagbQPzlZyFO+LGVJoXKX:Dtfu2Etq7u0VJp
TLSH: 1E774B50F9DB80B5DA03543048ABA2BF53306E058B25CBC7DB55FF2AE937AE21937119
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........................ll.........`[.......p....@.................................t.....@................................
                                                                                                                                                                                                      Icon Hash:31f08c4c8c0c8441
                                                                                                                                                                                                      Entrypoint:0x465b60
                                                                                                                                                                                                      Entrypoint Section:.text
                                                                                                                                                                                                      Digitally signed:false
                                                                                                                                                                                                      Imagebase:0x400000
                                                                                                                                                                                                      Subsystem:windows gui
                                                                                                                                                                                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED
                                                                                                                                                                                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                                                                                                                      Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
                                                                                                                                                                                                      TLS Callbacks:
                                                                                                                                                                                                      CLR (.Net) Version:
                                                                                                                                                                                                      OS Version Major:6
                                                                                                                                                                                                      OS Version Minor:1
                                                                                                                                                                                                      File Version Major:6
                                                                                                                                                                                                      File Version Minor:1
                                                                                                                                                                                                      Subsystem Version Major:6
                                                                                                                                                                                                      Subsystem Version Minor:1
                                                                                                                                                                                                      Import Hash:9cbefe68f395e67356e2a5d8d1b285c0
Instruction (entrypoint preview)
jmp 00007F14F0F05D70h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov ecx, dword ptr [esp+04h]
sub esp, 28h
mov dword ptr [esp+1Ch], ebx
mov dword ptr [esp+10h], ebp
mov dword ptr [esp+14h], esi
mov dword ptr [esp+18h], edi
mov esi, eax
mov edx, dword ptr fs:[00000014h]
cmp edx, 00000000h
jne 00007F14F0F080B9h
mov eax, 00000000h
jmp 00007F14F0F08116h
mov edx, dword ptr [edx+00000000h]
cmp edx, 00000000h
jne 00007F14F0F080B7h
call 00007F14F0F081A9h
mov dword ptr [esp+20h], edx
mov dword ptr [esp+24h], esp
mov ebx, dword ptr [edx+18h]
mov ebx, dword ptr [ebx]
cmp edx, ebx
je 00007F14F0F080CAh
mov ebp, dword ptr fs:[00000014h]
mov dword ptr [ebp+00000000h], ebx
mov edi, dword ptr [ebx+1Ch]
sub edi, 28h
mov dword ptr [edi+24h], esp
mov esp, edi
mov ebx, dword ptr [ecx]
mov ecx, dword ptr [ecx+04h]
mov dword ptr [esp], ebx
mov dword ptr [esp+04h], ecx
mov dword ptr [esp+08h], edx
call esi
mov eax, dword ptr [esp+0Ch]
mov esp, dword ptr [esp+24h]
mov edx, dword ptr [esp+20h]
mov ebp, dword ptr fs:[00000014h]
mov dword ptr [ebp+00000000h], edx
mov edi, dword ptr [esp+18h]
mov esi, dword ptr [esp+14h]
mov ebp, dword ptr [esp+10h]
mov ebx, dword ptr [esp+1Ch]
add esp, 28h
retn 0004h
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov ecx, dword ptr [esp+04h]
mov edx, dword ptr [ecx]
mov eax, esp
Data directories
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xfcb000 | 0x3dc | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x103b000 | 0x1cff | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xfcc000 | 0x6d89c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xdd9b00 | 0xa0 | .data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x6c6a25 | 0x6c6c00 | dc062c3093c448040a06bc5b5e65c8c2 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x6c8000 | 0x70ec2c | 0x70ee00 | 9208c5c8b916e7393880c3589c76e668 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xdd7000 | 0x1f3638 | 0x1b9200 | c23b7f7160e49ca8f7c5bb8e642f1596 | False | 0.5898548189997166 | data | 6.506532228737325 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0xfcb000 | 0x3dc | 0x400 | e7f01325b381eab5bd39f0120eb9eec6 | False | 0.4873046875 | data | 4.656015224772227 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0xfcc000 | 0x6d89c | 0x6da00 | 358a617016546ed73285985ceac73e5c | False | 0.42845593999429876 | data | 6.569251598816251 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab | 0x103a000 | 0x4 | 0x200 | 07b5472d347d42780469fb2654b7fc54 | False | 0.02734375 | data | 0.020393135236084953 | IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0x103b000 | 0x1cff | 0x1e00 | 240dc3a778229794562283be207a4ca0 | False | 0.7940104166666667 | data | 7.135887776382041 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Resources
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x103b13c | 0x1536 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.923572744014733
RT_GROUP_ICON | 0x103c674 | 0x14 | data | | | 1.05
RT_VERSION | 0x103c688 | 0x254 | data | English | United States | 0.4949664429530201
RT_MANIFEST | 0x103c8dc | 0x423 | XML 1.0 document, ASCII text, with very long lines (1059), with no line terminators | English | United States | 0.5127478753541076
Imports
DLL | Import
kernel32.dll | WriteFile, WriteConsoleW, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, PostQueuedCompletionStatus, LoadLibraryA, LoadLibraryW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetEnvironmentStringsW, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateFileA, CreateEventA, CloseHandle, AddVectoredExceptionHandler
Possible origin
Language of compilation system | Country where language is spoken | Map
English | United States |
| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-14T12:18:28.611987+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 52.149.20.212 | 443 | 192.168.2.7 | 49744 | TCP |
| 2024-11-14T12:18:33.687486+0100 | 2057346 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (repostebhu .sbs) | 1 | 192.168.2.7 | 49477 | 1.1.1.1 | 53 | UDP |
| 2024-11-14T12:18:33.712770+0100 | 2057354 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thinkyyokej .sbs) | 1 | 192.168.2.7 | 49318 | 1.1.1.1 | 53 | UDP |
| 2024-11-14T12:18:33.740422+0100 | 2057338 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ducksringjk .sbs) | 1 | 192.168.2.7 | 49813 | 1.1.1.1 | 53 | UDP |
| 2024-11-14T12:18:33.764625+0100 | 2057340 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (explainvees .sbs) | 1 | 192.168.2.7 | 63330 | 1.1.1.1 | 53 | UDP |
| 2024-11-14T12:18:33.791570+0100 | 2057334 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (brownieyuz .sbs) | 1 | 192.168.2.7 | 60031 | 1.1.1.1 | 53 | UDP |
| 2024-11-14T12:18:33.818391+0100 | 2057348 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rottieud .sbs) | 1 | 192.168.2.7 | 51280 | 1.1.1.1 | 53 | UDP |
| 2024-11-14T12:18:33.844509+0100 | 2057344 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (relalingj .sbs) | 1 | 192.168.2.7 | 62901 | 1.1.1.1 | 53 | UDP |
| 2024-11-14T12:18:33.875115+0100 | 2057350 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tamedgeesy .sbs) | 1 | 192.168.2.7 | 59847 | 1.1.1.1 | 53 | UDP |
| 2024-11-14T12:18:34.771204+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49788 | 104.102.49.254 | 443 | TCP |
| 2024-11-14T12:18:35.395577+0100 | 2858666 | ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup | 1 | 192.168.2.7 | 49788 | 104.102.49.254 | 443 | TCP |
| 2024-11-14T12:19:07.339365+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 20.12.23.50 | 443 | 192.168.2.7 | 49964 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Nov 14, 2024 12:18:33.913460970 CET | 49788 | 443 | 192.168.2.7 | 104.102.49.254 |
| Nov 14, 2024 12:18:33.913481951 CET | 443 | 49788 | 104.102.49.254 | 192.168.2.7 |
| Nov 14, 2024 12:18:33.913577080 CET | 49788 | 443 | 192.168.2.7 | 104.102.49.254 |
| Nov 14, 2024 12:18:33.917082071 CET | 49788 | 443 | 192.168.2.7 | 104.102.49.254 |
| Nov 14, 2024 12:18:33.917092085 CET | 443 | 49788 | 104.102.49.254 | 192.168.2.7 |
| Nov 14, 2024 12:18:34.771076918 CET | 443 | 49788 | 104.102.49.254 | 192.168.2.7 |
| Nov 14, 2024 12:18:34.771203995 CET | 49788 | 443 | 192.168.2.7 | 104.102.49.254 |
| Nov 14, 2024 12:18:34.774616957 CET | 49788 | 443 | 192.168.2.7 | 104.102.49.254 |
| Nov 14, 2024 12:18:34.774632931 CET | 443 | 49788 | 104.102.49.254 | 192.168.2.7 |
| Nov 14, 2024 12:18:34.775115013 CET | 443 | 49788 | 104.102.49.254 | 192.168.2.7 |
| Nov 14, 2024 12:18:34.823734045 CET | 49788 | 443 | 192.168.2.7 | 104.102.49.254 |
| Nov 14, 2024 12:18:34.826172113 CET | 49788 | 443 | 192.168.2.7 | 104.102.49.254 |
| Nov 14, 2024 12:18:34.871332884 CET | 443 | 49788 | 104.102.49.254 | 192.168.2.7 |
| Nov 14, 2024 12:18:35.395602942 CET | 443 | 49788 | 104.102.49.254 | 192.168.2.7 |
| Nov 14, 2024 12:18:35.395622015 CET | 443 | 49788 | 104.102.49.254 | 192.168.2.7 |
| Nov 14, 2024 12:18:35.395651102 CET | 443 | 49788 | 104.102.49.254 | 192.168.2.7 |
| Nov 14, 2024 12:18:35.395668030 CET | 443 | 49788 | 104.102.49.254 | 192.168.2.7 |
| Nov 14, 2024 12:18:35.395704031 CET | 443 | 49788 | 104.102.49.254 | 192.168.2.7 |
| Nov 14, 2024 12:18:35.395764112 CET | 49788 | 443 | 192.168.2.7 | 104.102.49.254 |
| Nov 14, 2024 12:18:35.395764112 CET | 49788 | 443 | 192.168.2.7 | 104.102.49.254 |
| Nov 14, 2024 12:18:35.395791054 CET | 443 | 49788 | 104.102.49.254 | 192.168.2.7 |
| Nov 14, 2024 12:18:35.395818949 CET | 49788 | 443 | 192.168.2.7 | 104.102.49.254 |
| Nov 14, 2024 12:18:35.395847082 CET | 49788 | 443 | 192.168.2.7 | 104.102.49.254 |
| Nov 14, 2024 12:18:35.400301933 CET | 443 | 49788 | 104.102.49.254 | 192.168.2.7 |
| Nov 14, 2024 12:18:35.400336027 CET | 443 | 49788 | 104.102.49.254 | 192.168.2.7 |
| Nov 14, 2024 12:18:35.400361061 CET | 443 | 49788 | 104.102.49.254 | 192.168.2.7 |
| Nov 14, 2024 12:18:35.400368929 CET | 49788 | 443 | 192.168.2.7 | 104.102.49.254 |
| Nov 14, 2024 12:18:35.400413990 CET | 49788 | 443 | 192.168.2.7 | 104.102.49.254 |
| Nov 14, 2024 12:18:35.401262045 CET | 49788 | 443 | 192.168.2.7 | 104.102.49.254 |
| Nov 14, 2024 12:18:35.401273966 CET | 443 | 49788 | 104.102.49.254 | 192.168.2.7 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Nov 14, 2024 12:18:33.659548044 CET | 63663 | 53 | 192.168.2.7 | 1.1.1.1 |
| Nov 14, 2024 12:18:33.682950020 CET | 53 | 63663 | 1.1.1.1 | 192.168.2.7 |
| Nov 14, 2024 12:18:33.687485933 CET | 49477 | 53 | 192.168.2.7 | 1.1.1.1 |
| Nov 14, 2024 12:18:33.710637093 CET | 53 | 49477 | 1.1.1.1 | 192.168.2.7 |
| Nov 14, 2024 12:18:33.712769985 CET | 49318 | 53 | 192.168.2.7 | 1.1.1.1 |
| Nov 14, 2024 12:18:33.734826088 CET | 53 | 49318 | 1.1.1.1 | 192.168.2.7 |
| Nov 14, 2024 12:18:33.740422010 CET | 49813 | 53 | 192.168.2.7 | 1.1.1.1 |
| Nov 14, 2024 12:18:33.762479067 CET | 53 | 49813 | 1.1.1.1 | 192.168.2.7 |
| Nov 14, 2024 12:18:33.764625072 CET | 63330 | 53 | 192.168.2.7 | 1.1.1.1 |
| Nov 14, 2024 12:18:33.787770987 CET | 53 | 63330 | 1.1.1.1 | 192.168.2.7 |
| Nov 14, 2024 12:18:33.791569948 CET | 60031 | 53 | 192.168.2.7 | 1.1.1.1 |
| Nov 14, 2024 12:18:33.814758062 CET | 53 | 60031 | 1.1.1.1 | 192.168.2.7 |
| Nov 14, 2024 12:18:33.818391085 CET | 51280 | 53 | 192.168.2.7 | 1.1.1.1 |
| Nov 14, 2024 12:18:33.841293097 CET | 53 | 51280 | 1.1.1.1 | 192.168.2.7 |
| Nov 14, 2024 12:18:33.844508886 CET | 62901 | 53 | 192.168.2.7 | 1.1.1.1 |
| Nov 14, 2024 12:18:33.866713047 CET | 53 | 62901 | 1.1.1.1 | 192.168.2.7 |
| Nov 14, 2024 12:18:33.875114918 CET | 59847 | 53 | 192.168.2.7 | 1.1.1.1 |
| Nov 14, 2024 12:18:33.897250891 CET | 53 | 59847 | 1.1.1.1 | 192.168.2.7 |
| Nov 14, 2024 12:18:33.900290966 CET | 53921 | 53 | 192.168.2.7 | 1.1.1.1 |
| Nov 14, 2024 12:18:33.907510996 CET | 53 | 53921 | 1.1.1.1 | 192.168.2.7 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Nov 14, 2024 12:18:33.659548044 CET | 192.168.2.7 | 1.1.1.1 | 0xfbc | Standard query (0) | officenba.cyou | A (IP address) | IN (0x0001) | false |
| Nov 14, 2024 12:18:33.687485933 CET | 192.168.2.7 | 1.1.1.1 | 0x641b | Standard query (0) | repostebhu.sbs | A (IP address) | IN (0x0001) | false |
| Nov 14, 2024 12:18:33.712769985 CET | 192.168.2.7 | 1.1.1.1 | 0xbf20 | Standard query (0) | thinkyyokej.sbs | A (IP address) | IN (0x0001) | false |
| Nov 14, 2024 12:18:33.740422010 CET | 192.168.2.7 | 1.1.1.1 | 0x382d | Standard query (0) | ducksringjk.sbs | A (IP address) | IN (0x0001) | false |
| Nov 14, 2024 12:18:33.764625072 CET | 192.168.2.7 | 1.1.1.1 | 0x63cb | Standard query (0) | explainvees.sbs | A (IP address) | IN (0x0001) | false |
| Nov 14, 2024 12:18:33.791569948 CET | 192.168.2.7 | 1.1.1.1 | 0x6922 | Standard query (0) | brownieyuz.sbs | A (IP address) | IN (0x0001) | false |
| Nov 14, 2024 12:18:33.818391085 CET | 192.168.2.7 | 1.1.1.1 | 0x1967 | Standard query (0) | rottieud.sbs | A (IP address) | IN (0x0001) | false |
| Nov 14, 2024 12:18:33.844508886 CET | 192.168.2.7 | 1.1.1.1 | 0x7d68 | Standard query (0) | relalingj.sbs | A (IP address) | IN (0x0001) | false |
| Nov 14, 2024 12:18:33.875114918 CET | 192.168.2.7 | 1.1.1.1 | 0x87c6 | Standard query (0) | tamedgeesy.sbs | A (IP address) | IN (0x0001) | false |
| Nov 14, 2024 12:18:33.900290966 CET | 192.168.2.7 | 1.1.1.1 | 0xdc86 | Standard query (0) | steamcommunity.com | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Nov 14, 2024 12:18:33.682950020 CET | 1.1.1.1 | 192.168.2.7 | 0xfbc | Name error (3) | officenba.cyou | none | none | A (IP address) | IN (0x0001) | false |
| Nov 14, 2024 12:18:33.710637093 CET | 1.1.1.1 | 192.168.2.7 | 0x641b | Name error (3) | repostebhu.sbs | none | none | A (IP address) | IN (0x0001) | false |
| Nov 14, 2024 12:18:33.734826088 CET | 1.1.1.1 | 192.168.2.7 | 0xbf20 | Name error (3) | thinkyyokej.sbs | none | none | A (IP address) | IN (0x0001) | false |
| Nov 14, 2024 12:18:33.762479067 CET | 1.1.1.1 | 192.168.2.7 | 0x382d | Name error (3) | ducksringjk.sbs | none | none | A (IP address) | IN (0x0001) | false |
| Nov 14, 2024 12:18:33.787770987 CET | 1.1.1.1 | 192.168.2.7 | 0x63cb | Name error (3) | explainvees.sbs | none | none | A (IP address) | IN (0x0001) | false |
| Nov 14, 2024 12:18:33.814758062 CET | 1.1.1.1 | 192.168.2.7 | 0x6922 | Name error (3) | brownieyuz.sbs | none | none | A (IP address) | IN (0x0001) | false |
| Nov 14, 2024 12:18:33.841293097 CET | 1.1.1.1 | 192.168.2.7 | 0x1967 | Name error (3) | rottieud.sbs | none | none | A (IP address) | IN (0x0001) | false |
| Nov 14, 2024 12:18:33.866713047 CET | 1.1.1.1 | 192.168.2.7 | 0x7d68 | Name error (3) | relalingj.sbs | none | none | A (IP address) | IN (0x0001) | false |
| Nov 14, 2024 12:18:33.897250891 CET | 1.1.1.1 | 192.168.2.7 | 0x87c6 | Name error (3) | tamedgeesy.sbs | none | none | A (IP address) | IN (0x0001) | false |
| Nov 14, 2024 12:18:33.907510996 CET | 1.1.1.1 | 192.168.2.7 | 0xdc86 | No error (0) | steamcommunity.com | | 104.102.49.254 | A (IP address) | IN (0x0001) | false |
• steamcommunity.com
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.7 | 49788 | 104.102.49.254 | 443 | 744 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Timestamp | Bytes transferred | Direction | Data

2024-11-14 11:18:34 UTC | 219 | OUT
    GET /profiles/76561199724331900 HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Host: steamcommunity.com

2024-11-14 11:18:35 UTC | 1917 | IN
    HTTP/1.1 200 OK
    Server: nginx
    Content-Type: text/html; charset=UTF-8
    Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https:// [TRUNCATED]
    Expires: Mon, 26 Jul 1997 05:00:00 GMT
    Cache-Control: no-cache
    Date: Thu, 14 Nov 2024 11:18:35 GMT
    Content-Length: 26214
    Connection: close
    Set-Cookie: sessionid=13d487890248b88a6fd7d970; Path=/; Secure; SameSite=None
    Set-Cookie: steamCountry=US%7C129b19db70bc2b7ff2901c827e2c9472; Path=/; Secure; HttpOnly; SameSite=None
2024-11-14 11:18:35 UTC | 14467 | IN
    Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-11-14 11:18:35 UTC | 11747 | IN
    Data Ascii: "?l=tchinese" onclick="ChangeLanguage( 'tchinese' ); return false;"> (Traditional Chinese)</a><a class="popup_menu_item tight" href="?l=japanese" onclick="ChangeLanguage( 'japanese' ); return false;"> (J



                                                                                                                                                                                                      Target ID:0
                                                                                                                                                                                                      Start time:06:18:08
                                                                                                                                                                                                      Start date:14/11/2024
                                                                                                                                                                                                      Path:C:\Users\user\Desktop\OD5lecPHBl.exe
                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                      Commandline:"C:\Users\user\Desktop\OD5lecPHBl.exe"
                                                                                                                                                                                                      Imagebase:0x10000
                                                                                                                                                                                                      File size:33'547'264 bytes
                                                                                                                                                                                                      MD5 hash:9D0B578D87884A647349CB0A9FE059E1
                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                      Reputation:low
                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                      Target ID:9
                                                                                                                                                                                                      Start time:07:28:48
                                                                                                                                                                                                      Start date:14/11/2024
                                                                                                                                                                                                      Path:C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                      Commandline:"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
                                                                                                                                                                                                      Imagebase:0x8c0000
                                                                                                                                                                                                      File size:231'736 bytes
                                                                                                                                                                                                      MD5 hash:A64BEAB5D4516BECA4C40B25DC0C1CD8
                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                      Reputation:moderate
                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        • runtime: g0 stack [runtime: pcdata is runtime: preempt g0semaRoot rotateLeftserver is connectedservice unavailableskip this directorystopm holding lockssync.Cond is copiedsysMemStat overflowtime: unknown unit too many open filestoo much pixel datatransaction n, xrefs: 000451DB
                                                                                                                                                                                                        • runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=sink factory already registered for scheme %qtls: internal error: failed to update binderstls: internal error: unexpected renegotiationtransform: input and output are not, xrefs: 000452CC
                                                                                                                                                                                                        • runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=sink factory already registered for scheme %qtls: internal error: failed to update binderstls: internal error: unexpected ren, xrefs: 00045327
                                                                                                                                                                                                        • bad g0 stackbad recoverybarbwire.flfbigchief.flfblacksquare;border-colorborder-imageborder-rightborder-styleborder-widthbreak-beforebreak-insidebulbhead.flfc ap trafficc hs trafficcalgphy2.flfcaller errorcan't happencapitalColorcaption-sidecas64 failedchan rec, xrefs: 0004524A
                                                                                                                                                                                                        • ,-./;<=IKVYZ"_bcfghjlmnpqrsuvw| + , / @ P [ `!!!=!?#?$?%0%=%d%s%v%x&&&=&^'''`'a'e'h'n'o'u'w'y'~((()(D("(]) )()))[)){*.*/*=*>+++-+=+m, ,,---0-=->-[-|. ...0.5.\///=/C/i0,0.0001020405060X0b0h0o0s0x1,1.1/101112131415161718191;1M1d1h2,2.2/20212223242526272829, xrefs: 00045205
                                                                                                                                                                                                        • runtime.minit: duplicatehandle failedruntime: allocation size out of rangeruntime: unexpected SPWRITE function setprofilebucket: profile already setstartTheWorld: inconsistent mp->nextpstrings: Repeat count causes overflowtls: unsupported certificate key (%T)t, xrefs: 0004535B
                                                                                                                                                                                                        • %, xrefs: 00045364
                                                                                                                                                                                                        • VirtualQuery for stack base failed[!#-&(-\[\]-~]|{nonascii}|{escape}adding nil Certificate to CertPoolbad scalar length: %d, expected %dcannot call abortTransaction twicecannot decode %v into an Undefinedchacha20: wrong HChaCha20 key sizeconnection doesn't sup, xrefs: 000452A5
                                                                                                                                                                                                        • runtime: VirtualQuery failed; errno=runtime: bad notifyList size - sync=runtime: inconsistent write deadlineruntime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: marked free object in span runtime: mcall called on m->g0 stackruntime:, xrefs: 00045271
                                                                                                                                                                                                        • CreateWaitableTimerEx when creating timer failedInt.GobDecode: encoding version %d not supportedMajorSubsystemVersion is outside 3<-->6 boundaryOut-Of-Bounds Level: '%d', defaulting to NoLevelRat.GobDecode: encoding version %d not supportedSindhi Islamic Repub, xrefs: 00045300
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000000.00000002.1487868763.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000000.00000002.1487804739.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                        • Associated: 00000000.00000002.1488725349.00000000006D8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                        • Associated: 00000000.00000002.1488725349.0000000000902000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                        • Associated: 00000000.00000002.1488725349.00000000009A1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                        • Associated: 00000000.00000002.1489610539.0000000000DE7000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                        • Associated: 00000000.00000002.1489641003.0000000000DE9000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                        • Associated: 00000000.00000002.1489672709.0000000000DF6000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                        • Associated: 00000000.00000002.1489706595.0000000000DF8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                        • Associated: 00000000.00000002.1489737565.0000000000DF9000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                        • Associated: 00000000.00000002.1489860979.0000000000F36000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                        • Associated: 00000000.00000002.1489893635.0000000000F38000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                        • Associated: 00000000.00000002.1489924445.0000000000F39000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                        • Associated: 00000000.00000002.1489956467.0000000000F3A000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                        • Associated: 00000000.00000002.1489989984.0000000000F3B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                        • Associated: 00000000.00000002.1490023345.0000000000F3D000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                        • Associated: 00000000.00000002.1490023345.0000000000F4F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                        • Associated: 00000000.00000002.1490120300.0000000000F9D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                        • Associated: 00000000.00000002.1490155990.0000000000FA0000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                        • Associated: 00000000.00000002.1490155990.0000000000FA7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                        • Associated: 00000000.00000002.1490155990.0000000000FAE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                        • Associated: 00000000.00000002.1490155990.0000000000FCE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                        • Associated: 00000000.00000002.1490155990.0000000000FD3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                        • Associated: 00000000.00000002.1490421686.0000000000FDB000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                        • Associated: 00000000.00000002.1490472574.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                        • Associated: 00000000.00000002.1490472574.000000000104B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_10000_OD5lecPHBl.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: %$,-./;<=IKVYZ"_bcfghjlmnpqrsuvw| + , / @ P [ `!!!=!?#?$?%0%=%d%s%v%x&&&=&^'''`'a'e'h'n'o'u'w'y'~((()(D("(]) )()))[)){*.*/*=*>+++-+=+m, ,,---0-=->-[-|. ...0.5.\///=/C/i0,0.0001020405060X0b0h0o0s0x1,1.1/101112131415161718191;1M1d1h2,2.2/20212223242526272829$CreateWaitableTimerEx when creating timer failedInt.GobDecode: encoding version %d not supportedMajorSubsystemVersion is outside 3<-->6 boundaryOut-Of-Bounds Level: '%d', defaulting to NoLevelRat.GobDecode: encoding version %d not supportedSindhi Islamic Repub$VirtualQuery for stack base failed[!#-&(-\[\]-~]|{nonascii}|{escape}adding nil Certificate to CertPoolbad scalar length: %d, expected %dcannot call abortTransaction twicecannot decode %v into an Undefinedchacha20: wrong HChaCha20 key sizeconnection doesn't sup$bad g0 stackbad recoverybarbwire.flfbigchief.flfblacksquare;border-colorborder-imageborder-rightborder-styleborder-widthbreak-beforebreak-insidebulbhead.flfc ap trafficc hs trafficcalgphy2.flfcaller errorcan't happencapitalColorcaption-sidecas64 failedchan rec$runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=sink factory already registered for scheme %qtls: internal error: failed to update binderstls: internal error: unexpected ren$runtime.minit: duplicatehandle failedruntime: allocation size out of rangeruntime: unexpected SPWRITE function setprofilebucket: profile already setstartTheWorld: inconsistent mp->nextpstrings: Repeat count causes overflowtls: unsupported certificate key (%T)t$runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=sink factory already registered for scheme %qtls: internal error: failed to update binderstls: internal error: unexpected 
renegotiationtransform: input and output are not$runtime: VirtualQuery failed; errno=runtime: bad notifyList size - sync=runtime: inconsistent write deadlineruntime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: marked free object in span runtime: mcall called on m->g0 stackruntime:$runtime: g0 stack [runtime: pcdata is runtime: preempt g0semaRoot rotateLeftserver is connectedservice unavailableskip this directorystopm holding lockssync.Cond is copiedsysMemStat overflowtime: unknown unit too many open filestoo much pixel datatransaction n
                                                                                                                                                                                                        • API String ID: 0-2536111770
                                                                                                                                                                                                        • Opcode ID: 8036ee0327af3cce267727b95539ac1aa409b93220ca00c6b082338a0c43a363
                                                                                                                                                                                                        • Instruction ID: aea8a6679adff07cc3b43eeb6e5b18df5fb02547cedfb94bbc9fa4165eea5e88
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8036ee0327af3cce267727b95539ac1aa409b93220ca00c6b082338a0c43a363
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8F81EFB45097418FE300EF68D58979ABBE0BF89704F01892DF48887392E7B8D945DB5B

                                                                                                                                                                                                        Execution Graph

                                                                                                                                                                                                        Execution Coverage:2.2%
                                                                                                                                                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                                        Signature Coverage:53.3%
                                                                                                                                                                                                        Total number of Nodes:45
                                                                                                                                                                                                        Total number of Limit Nodes:6
                                                                                                                                                                                                        execution_graph 13084 408950 13086 40895c 13084->13086 13085 408c7b ExitProcess 13086->13085 13087 408971 GetCurrentThreadId 13086->13087 13088 408c71 13086->13088 13089 4089a0 13087->13089 13090 4089a6 GetForegroundWindow 13087->13090 13088->13085 13089->13090 13091 408aee GetCurrentProcessId 13090->13091 13092 408bf4 13090->13092 13091->13092 13092->13088 13094 40ca40 CoInitializeEx 13092->13094 13095 4382b3 13096 4382e0 13095->13096 13097 43833e 13096->13097 13101 437ec0 LdrInitializeThunk 13096->13101 13100 437ec0 LdrInitializeThunk 13097->13100 13100->13097 13101->13097 13074 438ac1 13075 4389e0 13074->13075 13078 437ec0 LdrInitializeThunk 13075->13078 13077 438a9d 13078->13077 13102 438070 13103 438090 13102->13103 13103->13103 13104 438102 GetForegroundWindow 13103->13104 13105 43810e 13104->13105 13106 438c17 13107 438af1 13106->13107 13107->13107 13108 438bde 13107->13108 13110 437ec0 LdrInitializeThunk 13107->13110 13110->13108 13111 437dd6 13112 437e72 RtlReAllocateHeap 13111->13112 13113 437e81 13111->13113 13114 437de4 13111->13114 13115 437e8c 13111->13115 13118 437df2 13111->13118 13119 437e87 13111->13119 13112->13119 13120 434e40 13113->13120 13114->13112 13114->13115 13114->13118 13114->13119 13123 434ed0 13115->13123 13118->13112 13118->13118 13121 434e60 13120->13121 13121->13121 13122 434eac RtlAllocateHeap 13121->13122 13122->13119 13124 434f62 RtlFreeHeap 13123->13124 13125 434ee7 13123->13125 13126 434f68 13123->13126 13124->13126 13125->13124 13126->13119 13127 4383d5 13129 438400 13127->13129 13128 43845e 13129->13128 13131 437ec0 LdrInitializeThunk 13129->13131 13131->13128

                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
• Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: CurrentProcess$ExitForegroundThreadWindow
• String ID: $rXT
• API String ID: 3118123366-3648256606
• Opcode ID: 742ab7f4e704cc51eb56bc0df11fb2699857ff130102aa6008cd089b6e1b44e6
• Instruction ID: d6d7d544d8fe033e3f103c755334c12900caf396feadd36b0f8ac866106d5465
• Opcode Fuzzy Hash: 742ab7f4e704cc51eb56bc0df11fb2699857ff130102aa6008cd089b6e1b44e6
• Instruction Fuzzy Hash: 9081F573B587144BD308DE6ECD8235AF6E29BC8714F0EC53DA898D7391EA78DC084685

Control-flow Graph
control_flow_graph 22 40b0d0-40b158 23 40b160-40b169 22->23 23->23 24 40b16b-40b17e 23->24 26 40b190 24->26 27 40b196-40b198 24->27 28 40b428 24->28 29 40b41c-40b423 24->29 30 40b19d-40b3c5 24->30 26->27 33 40b512-40b519 27->33 35 40b431-40b43c 28->35 32 40b51a-40b526 29->32 31 40b3d0-40b3fe 30->31 31->31 34 40b400-40b40b 31->34 32->33 42 40b40e-40b415 34->42 36 40b460 35->36 37 40b470-40b477 35->37 38 40b500-40b508 35->38 39 40b443-40b453 35->39 40 40b49a-40b49f call 437db0 35->40 41 40b5ab-40b5ae 35->41 62 40b47f-40b493 37->62 43 40b510 38->43 39->36 45 40b4a4-40b4ae 40->45 46 40b5b7 41->46 42->28 42->29 42->35 42->36 42->37 42->38 42->39 42->40 42->41 47 40b720-40b7b9 call 408130 42->47 48 40b580-40b5a4 42->48 49 40b540-40b549 42->49 50 40b5e6-40b5e8 42->50 51 40b5c7 42->51 52 40b528 42->52 53 40b569-40b572 42->53 54 40b5ea-40b5ff 42->54 55 40b5cd-40b5cf 42->55 56 40b54f-40b558 42->56 57 40b5d0 42->57 58 40b531-40b53a 42->58 59 40b5d6-40b5df 42->59 60 40b677-40b717 call 408130 42->60 61 40b5b9-40b5c0 42->61 45->37 45->38 45->41 45->43 67 40b4e0 45->67 68 40b462-40b469 45->68 69 40b4e2-40b4f9 45->69 70 40b4b5-40b4d1 45->70 66 40b575-40b57e 46->66 84 40b7c2 47->84 48->35 48->36 48->37 48->38 48->39 48->40 48->41 48->49 48->52 48->58 49->56 71 40b619-40b63f 50->71 51->55 52->58 53->66 72 40b600-40b614 54->72 55->57 64 40b55b 56->64 57->59 58->49 59->35 59->36 59->37 59->38 59->39 59->40 59->41 59->48 59->49 59->50 59->52 59->53 59->54 59->58 60->47 61->35 61->36 61->37 61->38 61->39 61->40 61->41 61->48 61->49 61->50 61->51 61->52 61->53 61->54 61->55 61->56 61->57 61->58 61->59 62->38 62->40 80 40b564-40b567 64->80 66->64 67->69 68->37 68->38 68->41 68->43 69->37 69->38 69->41 69->43 70->67 78 40b640-40b654 71->78 72->72 77 40b616 72->77 77->71 78->78 83 40b656-40b670 78->83 80->32 83->35 83->36 83->37 83->38 83->39 83->40 83->41 83->48 83->49 83->52 83->53 83->58 83->60 84->84
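The flattened control_flow_graph text is the only form of the graph that survives outside the sandbox UI, and it is still usable: each decimal node id is followed by the block's address range, optional annotations (an API name, or `call <addr>`), and the edges are `src->dst` pairs. As an added example, not part of the Joe Sandbox report or of the sample, the Python below parses that text for the function above and for the RtlReAllocateHeap wrapper graphed further down (both copied verbatim from the report) and derives what a triager wants from it: API and call annotations per block, self-looping blocks, and blocks with unusually many successors. The fan-out threshold and the reading of a tiny high-fan-out block as a jump-table dispatcher are heuristics of this example, not Joe Sandbox signatures.

```python
"""Added example: parse the flattened 'control_flow_graph' text that Joe Sandbox
prints under each function and pull out triage facts: block ranges, API and
call annotations per block, self-looping blocks, and high fan-out blocks."""
import re
from collections import defaultdict

# Block addresses in this dump are 6 hex digits; node ids are small decimals.
_ADDR = re.compile(r"^[0-9a-f]{5,}(-[0-9a-f]{5,})?$")
_EDGE = re.compile(r"^(\d+)->(\d+)$")

# Graph copied from the report (function at 0x40b0d0, two wrapped lines rejoined).
BIG_CFG = """control_flow_graph 22 40b0d0-40b158 23 40b160-40b169 22->23 23->23 24 40b16b-40b17e 23->24 26 40b190 24->26
27 40b196-40b198 24->27 28 40b428 24->28 29 40b41c-40b423 24->29 30 40b19d-40b3c5 24->30 26->27 33 40b512-40b519 27->33
35 40b431-40b43c 28->35 32 40b51a-40b526 29->32 31 40b3d0-40b3fe 30->31 31->31 34 40b400-40b40b 31->34 32->33
42 40b40e-40b415 34->42 36 40b460 35->36 37 40b470-40b477 35->37 38 40b500-40b508 35->38 39 40b443-40b453 35->39
40 40b49a-40b49f call 437db0 35->40 41 40b5ab-40b5ae 35->41 62 40b47f-40b493 37->62 43 40b510 38->43 39->36
45 40b4a4-40b4ae 40->45 46 40b5b7 41->46 42->28 42->29 42->35 42->36 42->37 42->38 42->39 42->40 42->41
47 40b720-40b7b9 call 408130 42->47 48 40b580-40b5a4 42->48 49 40b540-40b549 42->49 50 40b5e6-40b5e8 42->50
51 40b5c7 42->51 52 40b528 42->52 53 40b569-40b572 42->53 54 40b5ea-40b5ff 42->54 55 40b5cd-40b5cf 42->55
56 40b54f-40b558 42->56 57 40b5d0 42->57 58 40b531-40b53a 42->58 59 40b5d6-40b5df 42->59
60 40b677-40b717 call 408130 42->60 61 40b5b9-40b5c0 42->61 45->37 45->38 45->41 45->43 67 40b4e0 45->67
68 40b462-40b469 45->68 69 40b4e2-40b4f9 45->69 70 40b4b5-40b4d1 45->70 66 40b575-40b57e 46->66 84 40b7c2 47->84
48->35 48->36 48->37 48->38 48->39 48->40 48->41 48->49 48->52 48->58 49->56 71 40b619-40b63f 50->71 51->55 52->58
53->66 72 40b600-40b614 54->72 55->57 64 40b55b 56->64 57->59 58->49 59->35 59->36 59->37 59->38 59->39 59->40
59->41 59->48 59->49 59->50 59->52 59->53 59->54 59->58 60->47 61->35 61->36 61->37 61->38 61->39 61->40 61->41
61->48 61->49 61->50 61->51 61->52 61->53 61->54 61->55 61->56 61->57 61->58 61->59 62->38 62->40 80 40b564-40b567
64->80 66->64 67->69 68->37 68->38 68->41 68->43 69->37 69->38 69->41 69->43 70->67 78 40b640-40b654 71->78 72->72
77 40b616 72->77 77->71 78->78 83 40b656-40b670 78->83 80->32 83->35 83->36 83->37 83->38 83->39 83->40 83->41
83->48 83->49 83->52 83->53 83->58 83->60 84->84"""

# Second graph copied from the report (RtlReAllocateHeap wrapper at 0x437dd6).
HEAP_CFG = """control_flow_graph 115 437dd6-437ddd 116 437df2 115->116 117 437ea2 115->117 118 437e72-437e7f RtlReAllocateHeap 115->118
119 437e81-437e82 call 434e40 115->119 120 437ea0 115->120 121 437e30-437e41 115->121 122 437de4-437deb 115->122
123 437df8-437e09 115->123 124 437e8c-437e8d call 434ed0 115->124 116->123 127 437ea4-437eab 117->127 118->127
130 437e87-437e8a 119->130 120->117 129 437e50-437e65 121->129 122->116 122->117 122->118 122->120 122->121 122->123
122->124 128 437e10-437e25 123->128 131 437e92-437e9a 124->131 128->128 132 437e27-437e2f 128->132 129->129
133 437e67-437e69 129->133 130->127 131->120 132->121 133->118"""


def parse_cfg(text):
    """Return (nodes, edges). nodes: id -> {start, end, notes}; edges: [(src, dst)].
    Annotation tokens (API names, 'call <addr>') belong to the last node defined."""
    toks = [t for t in text.split() if t != "control_flow_graph"]
    nodes, edges, cur, i = {}, [], None, 0
    while i < len(toks):
        m = _EDGE.match(toks[i])
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
        elif toks[i].isdigit() and i + 1 < len(toks) and _ADDR.match(toks[i + 1]):
            start, _, end = toks[i + 1].partition("-")  # single-address blocks have no end
            cur = int(toks[i])
            nodes[cur] = {"start": int(start, 16), "end": int(end or start, 16), "notes": []}
            i += 1
        elif cur is not None:
            nodes[cur]["notes"].append(toks[i])
        i += 1
    return nodes, edges


def annotations(nodes):
    """Split each block's notes into API names and 'call <addr>' targets (as ints)."""
    out = {}
    for nid, n in nodes.items():
        apis, calls, notes = [], [], n["notes"]
        for k, t in enumerate(notes):
            if t == "call" and k + 1 < len(notes):
                calls.append(int(notes[k + 1], 16))
            elif k == 0 or notes[k - 1] != "call":
                apis.append(t)
        if apis or calls:
            out[nid] = {"apis": apis, "calls": calls}
    return out


def self_loops(edges):
    """Blocks that jump to themselves: tight loops such as byte-wise decode loops."""
    return sorted({a for a, b in edges if a == b})


def dispatcher_candidates(edges, min_succ=8):
    """(block, distinct successors) for blocks with at least min_succ successors,
    highest first. Heuristic (an assumption of this example): a block of a few
    bytes with dozens of successors is normally an indirect jump through a table."""
    succ = defaultdict(set)
    for a, b in edges:
        succ[a].add(b)
    return sorted(((n, len(s)) for n, s in succ.items() if len(s) >= min_succ),
                  key=lambda x: -x[1])


if __name__ == "__main__":
    nodes, edges = parse_cfg(BIG_CFG)
    for nid, cnt in dispatcher_candidates(edges):
        n = nodes[nid]
        print(f"block {nid} {n['start']:x}-{n['end']:x}: {cnt} successors")
    print("self-loops:", self_loops(edges), "annotations:", annotations(nodes))
```

On the graph above the standout is block 42, eight bytes at 40b40e-40b415 with 24 distinct successors, followed by blocks 61 and 59; together with the two `call 408130` sites these are the natural starting points when stepping through this function. In the heap graph, the entry block 115 itself fans out to nine blocks, and the `call 434ed0` target is the block the report graphs later as the RtlFreeHeap wrapper (434ed0-434ee0), so the realloc wrapper frees through the same routine.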
Strings
Memory Dump Source
• Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: 78$TsZq$pv$~q$31$?=
• API String ID: 0-3635031037
• Opcode ID: d7a1da7c1fe1b6ef09b2b8bd9449ebf124ddd8a038ff88c1f30f67202bcfbdca
• Instruction ID: a53e018480a1b570e65b55794ad9cda25d30042060380f030d8ecfffb28c9f6e
• Opcode Fuzzy Hash: d7a1da7c1fe1b6ef09b2b8bd9449ebf124ddd8a038ff88c1f30f67202bcfbdca
• Instruction Fuzzy Hash: 7B026AB5215B01CFD3248F25D891797BBF5FB85314F148A2DE5AA8BBA0CB74A406CB84

Control-flow Graph
control_flow_graph 115 437dd6-437ddd 116 437df2 115->116 117 437ea2 115->117 118 437e72-437e7f RtlReAllocateHeap 115->118 119 437e81-437e82 call 434e40 115->119 120 437ea0 115->120 121 437e30-437e41 115->121 122 437de4-437deb 115->122 123 437df8-437e09 115->123 124 437e8c-437e8d call 434ed0 115->124 116->123 127 437ea4-437eab 117->127 118->127 130 437e87-437e8a 119->130 120->117 129 437e50-437e65 121->129 122->116 122->117 122->118 122->120 122->121 122->123 122->124 128 437e10-437e25 123->128 131 437e92-437e9a 124->131 128->128 132 437e27-437e2f 128->132 129->129 133 437e67-437e69 129->133 130->127 131->120 132->121 133->118
APIs
• RtlReAllocateHeap.NTDLL(?,00000000), ref: 00437E79
Memory Dump Source
• Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: 849b92ab72a24014668269d1f252f0c0b88ea5db7d5e8c51cf05508b8ce21f8e
• Instruction ID: 8eb1f99478386ea42370579bcb21a6504ecec19b93e4581a246305fc00019c4d
• Opcode Fuzzy Hash: 849b92ab72a24014668269d1f252f0c0b88ea5db7d5e8c51cf05508b8ce21f8e
• Instruction Fuzzy Hash: 9E11E67A609241CFDB258F28E8626A7FB70FF1B315F0550BED0458B653D63C9813D689

Control-flow Graph
control_flow_graph 137 437ec0-437ef2 LdrInitializeThunk
APIs
• LdrInitializeThunk.NTDLL(0043BA1B,005C003F,0000000B,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 00437EEE
Memory Dump Source
• Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: ad932b2b00559e9cb24108de1499e2b8809661d28f6ef4b94d1e3dfa2d030c47
• Instruction ID: 88b266f08c8d8dc656098dc4a5309144cffe720ba9f358246b073a6e310c2786
• Opcode Fuzzy Hash: ad932b2b00559e9cb24108de1499e2b8809661d28f6ef4b94d1e3dfa2d030c47
• Instruction Fuzzy Hash: 47E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82

Control-flow Graph
control_flow_graph 162 4382b3-4382da 163 4382e0-438311 162->163 163->163 164 438313-43831b 163->164 165 438321-43832f 164->165 166 438666-43868f 164->166 167 438330-438337 165->167 168 438690-4386c0 166->168 169 438343-438349 167->169 170 438339-43833c 167->170 168->168 171 4386c2-4386cd 168->171 169->166 173 43834f-438375 call 437ec0 169->173 170->167 172 43833e 170->172 174 438650-438663 171->174 175 4386cf-4386d7 171->175 172->166 173->166 174->166 177 4386e0-4386e7 175->177 178 438700-438706 177->178 179 4386e9-4386ec 177->179 178->174 182 43870c-43872a call 437ec0 178->182 179->177 181 4386ee 179->181 181->174 184 43872f-438732 182->184 184->174
Strings
Memory Dump Source
• Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: InitializeThunk
• String ID: 7654
• API String ID: 2994545307-4024152101
• Opcode ID: 15f234921149bb057d08e92a363b4a5aaf9e4bfdd2e90b6f5dd45c27e19d397d
• Instruction ID: 8978d544f830a8bbd130073cfb5df1777863d848b01fd86f04e3161067b583db
• Opcode Fuzzy Hash: 15f234921149bb057d08e92a363b4a5aaf9e4bfdd2e90b6f5dd45c27e19d397d
• Instruction Fuzzy Hash: D341D635A55215AFEB11CF04CC52F6EBBA3AB99B00F24911DE9017F3D4CA769C028B99
Memory Dump Source
• Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ffcb3a046abc734c65af15d3efd2b0936bab57dd2ccb692b63c4320d02b5e811
• Instruction ID: a0763fd635058fe751cae70e55c8b52385fbdae59ec8dfa84c32ea9572544848
• Opcode Fuzzy Hash: ffcb3a046abc734c65af15d3efd2b0936bab57dd2ccb692b63c4320d02b5e811
• Instruction Fuzzy Hash: B0213677A183504BD314CF25DC8469BBAA3FBC6308F098A2CD4C567245C7799906C799

Control-flow Graph
control_flow_graph 90 434ed0-434ee0 91 434f62-434f66 RtlFreeHeap 90->91 92 434f60 90->92 93 434ee7-434ef7 90->93 94 434f68-434f6d 90->94 91->94 92->91 95 434f00-434f3f 93->95 95->95 96 434f41-434f56 95->96 96->92
APIs
• RtlFreeHeap.NTDLL(?,00000000,?), ref: 00434F66
Strings
Memory Dump Source
• Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: FreeHeap
• String ID: bOC
• API String ID: 3298025750-740722108
• Opcode ID: 87ca1b2e443887e2e1393ff2542ea2393e85603b2bdfa9e3755601b95525c687
• Instruction ID: 7fa69cf5a21abcc7a46dc5bc5f41709a937e5b013ce3e48356283fccdf019824
• Opcode Fuzzy Hash: 87ca1b2e443887e2e1393ff2542ea2393e85603b2bdfa9e3755601b95525c687
• Instruction Fuzzy Hash: 30012876A196108BD318DB24EC14A5BB797EBCB715F09C56CC8846B798D9346801C785

Control-flow Graph
control_flow_graph 97 438070-438084 98 438090-4380be 97->98 98->98 99 4380c0-438109 GetForegroundWindow call 43b840 98->99 102 43810e-438130 99->102
APIs
• GetForegroundWindow.USER32 ref: 00438102
Strings
Memory Dump Source
• Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: ForegroundWindow
• String ID: L
• API String ID: 2020703349-128246401
• Opcode ID: 14ed0998ffe213512cfd661eeafc034c8a9a5bc2544b796ccc4919ae9cfc5c61
• Instruction ID: da165acebc36423cded882a02bb04f502ceb98e1991ecf52d6d65c72cb9ad388
• Opcode Fuzzy Hash: 14ed0998ffe213512cfd661eeafc034c8a9a5bc2544b796ccc4919ae9cfc5c61
• Instruction Fuzzy Hash: EB01287B6502248BCF048F38DCC22E937A0EB15218F08507EE945C7763C63D894A8B2A

                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                        control_flow_graph 134 434e40-434e55 135 434e60-434eaa 134->135 135->135 136 434eac-434ec5 RtlAllocateHeap 135->136
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • RtlAllocateHeap.NTDLL(?,00000000,?), ref: 00434EB8
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: AllocateHeap
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1279760036-0
                                                                                                                                                                                                        • Opcode ID: 9d07fb0ab8baa650d42fa48305ff33dba6c8f1db1af50d08a930629c9e529d92
                                                                                                                                                                                                        • Instruction ID: 1a544cc088f29736f7a804bf936f2654a9a07047b0a20fe589c8ff16102a5634
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9d07fb0ab8baa650d42fa48305ff33dba6c8f1db1af50d08a930629c9e529d92
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9E01DD333002400FC308C619EC46A5B7F5BFBC5325F39467FD9944B291ED395812C6A0
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: $!$"$#$%$'$'$($($)$+$+$.$.$1$2$2$7$9$:$=$=$?$@$D$D$F$G$L$M$M$O$X$Y$Z$Z$[$`$b$c$c$d$e$f$g$g$i$i$k$m$n$o$p$p$q$r$s$s$u$u$w$w$y$y${${$|$|$}$}
                                                                                                                                                                                                        • API String ID: 0-2912625364
                                                                                                                                                                                                        • Opcode ID: 10d5cd734138d8265d713e362f8d7c2a40def8c1b885a50e8592a3a7c686f918
                                                                                                                                                                                                        • Instruction ID: 513e0e15f6b9fdd170c367aa4fecd39af3ad0926288e6f12b227f9ce16d890c8
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 10d5cd734138d8265d713e362f8d7c2a40def8c1b885a50e8592a3a7c686f918
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5F039C7160C7C18AD3349B38C5583EFBBD2ABD6314F188A6EE1E9873D2D67984428717
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • CoCreateInstance.OLE32(0043E680,00000000,00000001,0043E670,00000000), ref: 004327A9
                                                                                                                                                                                                        • SysAllocString.OLEAUT32(69DF6B8F), ref: 00432817
                                                                                                                                                                                                        • CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00432863
                                                                                                                                                                                                        • SysAllocString.OLEAUT32(21D527CD), ref: 004328D1
                                                                                                                                                                                                        • SysAllocString.OLEAUT32(89518B21), ref: 00432987
                                                                                                                                                                                                        • VariantInit.OLEAUT32(?), ref: 004329F3
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: AllocString$BlanketCreateInitInstanceProxyVariant
                                                                                                                                                                                                        • String ID: 6{}$C$\$dg$|{
                                                                                                                                                                                                        • API String ID: 65563702-2243153836
                                                                                                                                                                                                        • Opcode ID: 46ae103942eef8a2ace5658834f2c47ba6edb02b3a105fdab6c0bf65a7c9b9d0
                                                                                                                                                                                                        • Instruction ID: e2aac4b598b46e206398431f92c925147c018b2e0bc29784328e9a934050e2bb
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 46ae103942eef8a2ace5658834f2c47ba6edb02b3a105fdab6c0bf65a7c9b9d0
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1312FD716083419BE710CF24C985BABFBE5EF89304F14992EF5859B381D7B8D805CB9A
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: +$+$1$9$9$9$B$F$G$H$I$M$O$\$y
                                                                                                                                                                                                        • API String ID: 0-3993542015
                                                                                                                                                                                                        • Opcode ID: cc1ae0d78ff66c332ad65a54dc8ccccba51ab69fdd37b3ed379b2139b57eca25
                                                                                                                                                                                                        • Instruction ID: 05ad98172bbcd19b03d1a2cdd9fcb830bdea0bb9867e6d63636a9166fd032eff
                                                                                                                                                                                                        • Opcode Fuzzy Hash: cc1ae0d78ff66c332ad65a54dc8ccccba51ab69fdd37b3ed379b2139b57eca25
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3D92D07260C7808FD3289B39C4953AEBBE2ABD5314F19893EE4DAD73C2D67885458707
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: @Q$E}$O\$SX$Yt$_Y$`F$d[$mn$uy$uz$v}${u$-/$wi
                                                                                                                                                                                                        • API String ID: 0-830926451
                                                                                                                                                                                                        • Opcode ID: df6c6fb4b8c0bb68779fb0b22911b7c3ff6c442d663669330e102ae042eb3417
                                                                                                                                                                                                        • Instruction ID: 3ccb1f2c4b61e57335af4baf24084d55d87b3210f50253b2fdad526966e0ebcc
                                                                                                                                                                                                        • Opcode Fuzzy Hash: df6c6fb4b8c0bb68779fb0b22911b7c3ff6c442d663669330e102ae042eb3417
                                                                                                                                                                                                        • Instruction Fuzzy Hash: B9A273B55083818BE334CF14D8917AFBBE1FF81344F54892DE5C99B261EB748986CB86
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: <$Ca2t$GLDA$ML$Moop$XtKI$Yvpm$Yvpm$ZK]W$jQUX$kwmh$lpbr$n$pTNF$~tvz
                                                                                                                                                                                                        • API String ID: 0-28230716
                                                                                                                                                                                                        • Opcode ID: 0a4bd4462356aa1fed2444773542a02ffb263b81cd0fd23190b2c7c66515f891
                                                                                                                                                                                                        • Instruction ID: eb08b17bedc774ab8012a13a0089e5526deb11b8c066e0f192dfc696af2c912d
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0a4bd4462356aa1fed2444773542a02ffb263b81cd0fd23190b2c7c66515f891
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 34C108725093908BD321CF29886035BFFE1AFD7344F1949ADE4D55B386C339890ACB96
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Clipboard$CloseDataLongOpenWindow
                                                                                                                                                                                                        • String ID: #$G$}
                                                                                                                                                                                                        • API String ID: 1647500905-3315264962
                                                                                                                                                                                                        • Opcode ID: 9d40d90d5af1e8d072d63a2254c50bcc8fdc772aceb8799fbea065010e5137b4
                                                                                                                                                                                                        • Instruction ID: 2fbb0c1bf4941ed766bf23e6ce210760cce6f369221f8042d5ae9bc93b6e60bf
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9d40d90d5af1e8d072d63a2254c50bcc8fdc772aceb8799fbea065010e5137b4
                                                                                                                                                                                                        • Instruction Fuzzy Hash: B451B372A0C7918ED300AF78A84836EBED05BD2324F544A2EE4D6862C2D67C8546D79B
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: 7$A$F$Q$d$f$j$m$q${${$~
                                                                                                                                                                                                        • API String ID: 0-2162741463
                                                                                                                                                                                                        • Opcode ID: c3cda15e63b074cc49afe8cb4641f87157934e327557b9138c06004cd9710334
                                                                                                                                                                                                        • Instruction ID: e4660240931095ebd751f5bf1c0e4e63e4b997130521c283f8fdc190d7c127dc
                                                                                                                                                                                                        • Opcode Fuzzy Hash: c3cda15e63b074cc49afe8cb4641f87157934e327557b9138c06004cd9710334
                                                                                                                                                                                                        • Instruction Fuzzy Hash: E852B97260C7808BD3249B39C4953AEBBD1ABD5324F198A3ED4E9D73D1D67C88818B47
Strings
Memory Dump Source
• Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: 4$4$4$5$5$5$6$6$6$7$7$7
• API String ID: 0-886719502
Strings
Memory Dump Source
• Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: 4$5$6$7$I$P$S$T$f$u
• API String ID: 0-275873969
Strings
Memory Dump Source
• Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: $$%$*$0$:$>$J$O$P$S
• API String ID: 0-2356813728
APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: Uninitialize
• String ID: :123$XWRI$^9y$`a$l$IK$qs
• API String ID: 3861434553-2428471378
Strings
Memory Dump Source
• Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: "A$;Mhw$InA>$^TPX$gBoY$gBoY$m!ZT$x
• API String ID: 0-3663826454
Strings
Memory Dump Source
• Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: "WU$#QA$\]$q$s}$~q$%'
• API String ID: 0-1717045839
APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: DrivesLogical
• String ID: HK$OK$p8$w'y
• API String ID: 999431828-1830771304
Strings
Memory Dump Source
• Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: K@$#L@$0J@$>L@$BJ@$RN@$hY@
• API String ID: 0-2237427639
Strings
Memory Dump Source
• Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: 6<>2$DG$itkj$pS0U$q`h}$yleh${'BY
• API String ID: 0-1360279699
Strings
Memory Dump Source
• Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: (+$,($8?$A\$[Q$}t
• API String ID: 0-788516237
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: @[$@{$Rz$_^]\$_^]\$w|
                                                                                                                                                                                                        • API String ID: 0-2252235354
                                                                                                                                                                                                        • Opcode ID: 4140bc3c12b3a045b86126ee81bc6ebb60b62fba1f323ee42c1cc81cc586f5f1
                                                                                                                                                                                                        • Instruction ID: 61278cf28d406609e4ae2084c6f5194e4cfddd8f8b2b7b038b8aff5f15b9b2a6
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4140bc3c12b3a045b86126ee81bc6ebb60b62fba1f323ee42c1cc81cc586f5f1
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1802CCB9618340CFE3248F24D89176FBBE1FB96304F54492DF5CA8B292D77998018B86
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: )U@$0$8$\T@$U@$X@
                                                                                                                                                                                                        • API String ID: 0-3736926933
                                                                                                                                                                                                        • Opcode ID: 7f64e865f7f4a1249e05c911e8112212018ac793eecce422d646f47d6b3e4f63
                                                                                                                                                                                                        • Instruction ID: 9e5ecd4a303e0fb20ca8b34526d6c55c3c654b07698dc0ad220724028cfce7fc
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7f64e865f7f4a1249e05c911e8112212018ac793eecce422d646f47d6b3e4f63
                                                                                                                                                                                                        • Instruction Fuzzy Hash: C8322035208380EFD710CF28D850B9ABBE1EB89314F44886DF989972A1C779D964CF96
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: 01$:;:9$D5K3$ix{m$ix{m$(+
                                                                                                                                                                                                        • API String ID: 0-3596812826
                                                                                                                                                                                                        • Opcode ID: 9cd3b4ab762ac0f15ef662efafd6def723609712a160cbf966c1a7d08e6c7ec9
                                                                                                                                                                                                        • Instruction ID: ad21c3bd344a48bfb4a73be462667ecbb843fe0543ad0cbb586127da2dc0efed
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9cd3b4ab762ac0f15ef662efafd6def723609712a160cbf966c1a7d08e6c7ec9
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 67C1F57160C3918BD314CF25849136BBBE2EBD2714F18893EE4D55B385D779890ACB8B
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: )U@$0$8$\T@$U@
                                                                                                                                                                                                        • API String ID: 0-3970378762
                                                                                                                                                                                                        • Opcode ID: 0e9885edc9f8d6cae01efb0a5cf744e73439e0410ba61d8b4f1db4fa3ca9ffd6
                                                                                                                                                                                                        • Instruction ID: 7e79068fffe3c5a897b4cea8b0710f0008fd7f6efec0186a8deb64cda66ac040
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0e9885edc9f8d6cae01efb0a5cf744e73439e0410ba61d8b4f1db4fa3ca9ffd6
                                                                                                                                                                                                        • Instruction Fuzzy Hash: BFC14536108380EFC704CF28C840A9FBBE1AF9A350F45892DF989972A1C775D964CF96
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: 66?0$;.52$UPFy$xOE
                                                                                                                                                                                                        • API String ID: 0-1870706378
                                                                                                                                                                                                        • Opcode ID: 18c8561cd7d7fb229ae245ba23d2a86500bdd362e8ce7b9de264fa9fa8e060ca
                                                                                                                                                                                                        • Instruction ID: 3d2ba766672ac900f993c017dcf2c771eb41809e640ec4888ea8893b1eaeed52
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 18c8561cd7d7fb229ae245ba23d2a86500bdd362e8ce7b9de264fa9fa8e060ca
                                                                                                                                                                                                        • Instruction Fuzzy Hash: EA82F871604B418FC735CF29C490667BBE2BF95314B188A6EC4E68BB92D738F846CB54
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                                                                        • String ID: 7654$InA>$InA>$f
                                                                                                                                                                                                        • API String ID: 2994545307-2881738411
                                                                                                                                                                                                        • Opcode ID: d605f38538db6074d5e530b4847f1ff462a404b0345db7e1326dc4c4e64c1085
                                                                                                                                                                                                        • Instruction ID: 4b377fe4127082f7f899b0062c912fc7b40c5a03a876d06767ce3b757bc4f1ea
                                                                                                                                                                                                        • Opcode Fuzzy Hash: d605f38538db6074d5e530b4847f1ff462a404b0345db7e1326dc4c4e64c1085
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9E22BF716083419FD714CF19C881A2BBBE2EBC9318F19DA2EF8958B391D739D805CB56
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: BA$87$D$hk
                                                                                                                                                                                                        • API String ID: 0-3566472913
                                                                                                                                                                                                        • Opcode ID: 8e288e5187b9b7019ad1f34c1857dd32e5308aa90613ebfe5bbe17040bfb381f
                                                                                                                                                                                                        • Instruction ID: 0bb0197b3179df227042db7a90dd5e74ebb2c2958fc83a1d6afc8b9712f1662b
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8e288e5187b9b7019ad1f34c1857dd32e5308aa90613ebfe5bbe17040bfb381f
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7222DCB0908380CFD724CF10C891BABB7E2FFC5704F65895DE4854B6A0E77A9845CB8A
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: Cp$`a$m9W;${QRS
                                                                                                                                                                                                        • API String ID: 0-548374779
                                                                                                                                                                                                        • Opcode ID: d9a24f49ad47ce36f23becda2b42ca21b4c9b56673c732adb0708c27dc2d1faa
                                                                                                                                                                                                        • Instruction ID: df9053b2a18fb0214a239151870320eb078f68bb65dbcf686e56fb3c5a1783da
                                                                                                                                                                                                        • Opcode Fuzzy Hash: d9a24f49ad47ce36f23becda2b42ca21b4c9b56673c732adb0708c27dc2d1faa
                                                                                                                                                                                                        • Instruction Fuzzy Hash: A0D1DDB16083108BC728DF24C8923ABB7F1FF95354F188A1DE4D68B390E7389845CB96
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: 3$G$e$m
                                                                                                                                                                                                        • API String ID: 0-3517869609
                                                                                                                                                                                                        • Opcode ID: 5a1bbc012288a1aaeb2d165db3396f322a773d8644a4d24096f2727cdfba77dd
                                                                                                                                                                                                        • Instruction ID: 6ca01dcbffb865990e62c6241055c2ab274dcb814af705f8575a449ce3a84795
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5a1bbc012288a1aaeb2d165db3396f322a773d8644a4d24096f2727cdfba77dd
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0FF1B17160C3808BD7649B38C4853AEBBE1AFD5354F184A3EE4DAD7382D6B998818747
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Strings
Memory Dump Source
• Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: MetricsSystem
• String ID:
• API String ID: 4116985748-3916222277
• Opcode ID: 747c708f0a95fce1c02f7329d90fa727584d72b7e15c384598c58c69720654f3
• Instruction ID: f2e55fefbea8a23360d6bb0b3f41b8467427c048bb819bbe7ddceec4cf150d50
• Opcode Fuzzy Hash: 747c708f0a95fce1c02f7329d90fa727584d72b7e15c384598c58c69720654f3
• Instruction Fuzzy Hash: 0E5190B0E152098FDB40EFACD981A9EBBF0BB48300F108529E498E7350D734AD45CF96
Strings
Memory Dump Source
• Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: (,Z.$>$IEKL$OMAL
• API String ID: 0-3929568235
• Opcode ID: 2ad8e3e654b181facc24ca0c5157e8edb422ddde28952d9d62ccd33a8d173bd4
• Instruction ID: e7b96986d2d2391350b473428e2db3895d3966f58a6c98f5e98d3af16bbd35e9
• Opcode Fuzzy Hash: 2ad8e3e654b181facc24ca0c5157e8edb422ddde28952d9d62ccd33a8d173bd4
• Instruction Fuzzy Hash: 7271A23010C3814BD7098F29856076BFFE1ABA7244F1845AEE4D69B3D3D73D890ACB66
Strings
Memory Dump Source
• Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: GKBs$SPE|$Xlyg$nLv(
• API String ID: 0-1468041524
• Opcode ID: 479433ab9f5eeea06050ca1b8f4cc2672fe6d126659695062b7b295ad961c63e
• Instruction ID: 750dc403713d9a2d24ab26079c8a33d1649df7342106a188795dffcc18c3843a
• Opcode Fuzzy Hash: 479433ab9f5eeea06050ca1b8f4cc2672fe6d126659695062b7b295ad961c63e
• Instruction Fuzzy Hash: 9071D0B4109B908AE335CF3595907A3BFE1AF53304F588A9DC1EB1B386C7396509CB99
Strings
Memory Dump Source
• Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: *xa$M[Qb$bLD>
• API String ID: 0-2102486158
• Opcode ID: 88cbc4dedf7ec3f49f8025247de3f824ddc52d9c1f177d2cc1a4dc638c3e4811
• Instruction ID: 010dee38caf0e02e045f4878030130e67494d75c6393d06da19c6371d8d90647
• Opcode Fuzzy Hash: 88cbc4dedf7ec3f49f8025247de3f824ddc52d9c1f177d2cc1a4dc638c3e4811
• Instruction Fuzzy Hash: 2F520B70209B918FE7258F35C4507A7BBE1AF67304F49899EC0DA8B783D739A40AC765
Strings
Memory Dump Source
• Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: InA>$_^]\$l
• API String ID: 0-4163300919
• Opcode ID: 0e814e3b347c544d44808ef0f78fbc88f239283d67cbf1890fa64b44ce170b88
• Instruction ID: 858690e8d63fa99ac0e87b0f8524cdd10d2822d41b3efea7335a6d3c93dd1b0f
• Opcode Fuzzy Hash: 0e814e3b347c544d44808ef0f78fbc88f239283d67cbf1890fa64b44ce170b88
• Instruction Fuzzy Hash: 163204726483514FD319CA28C89176FBBE1EBC5314F19C93DE8E68B391D778D8068B86
Strings
Memory Dump Source
• Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: )$)$IEND
• API String ID: 0-588110143
• Opcode ID: 4892d95840648c5e5c0f7c2752af8afe1eab022b6992c96ffeb36ae851de67e7
• Instruction ID: a3a1cef7ff88a01ba17698b28792c78fdcb8cdbef9af48e1914c84a033cda1d9
• Opcode Fuzzy Hash: 4892d95840648c5e5c0f7c2752af8afe1eab022b6992c96ffeb36ae851de67e7
• Instruction Fuzzy Hash: 60E1B0B1A087029BD310DF29D88175ABBE4BB94308F14453EE994AB3C1D779E915CB86
Strings
Memory Dump Source
• Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: 2$9$gfff
• API String ID: 0-4090575139
• Opcode ID: 3ea12647cec853e25c2fe1add52e75354247907f3433cdc53c5e752fa0960f75
• Instruction ID: 6f70ed631974d04635fc5e3bce78a5695cbc1c3eefb3aba151a961cf4c978559
• Opcode Fuzzy Hash: 3ea12647cec853e25c2fe1add52e75354247907f3433cdc53c5e752fa0960f75
• Instruction Fuzzy Hash: A9517B716043518BD724CF28C8527FB77D2AF86305F48852EE4C6CB391EB399945C78A
Strings
Memory Dump Source
• Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: _^]\$rDB
• API String ID: 0-2749348832
• Opcode ID: 85890b1e78fbacc4ec44377f8acd9a2e29b6f8137a54b3e800bf4c70ec9310aa
• Instruction ID: a09265f2cd5342ecb4fc45ab45715e602867c98296b74053a9fbe85a7ded16db
• Opcode Fuzzy Hash: 85890b1e78fbacc4ec44377f8acd9a2e29b6f8137a54b3e800bf4c70ec9310aa
• Instruction Fuzzy Hash: A9025675E04160DFDB04CF68E8416AEB7B1FF8A310F1941A9E591A7392C7399D42CB98
Strings
Memory Dump Source
• Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: InitializeThunk
• String ID: _^]\$_^]\
• API String ID: 2994545307-2663747658
• Opcode ID: ea3b36fcd4a836be20f2f17d5a8e9988483ed50c9321fa8e7d77b7bf27009523
• Instruction ID: a13c203477869de950c504f0755c577730d1af4e49405374f9468e6fb33e9a8c
• Opcode Fuzzy Hash: ea3b36fcd4a836be20f2f17d5a8e9988483ed50c9321fa8e7d77b7bf27009523
• Instruction Fuzzy Hash: C4A14E72A083505FE724DB25DC81BBBB6D2EBCD314F18953EE88693381EA789D40C746
Strings
Memory Dump Source
• Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: &@>T$`d2c
• API String ID: 0-676249644
• Opcode ID: d02ff812c2dc755c304237697e756d99f6fef082746b9b036ca26442a1b21fdc
• Instruction ID: 853588c490ebc4db6d15070953926ac571d5dec339bd4d806c779fe6d772d8f2
• Opcode Fuzzy Hash: d02ff812c2dc755c304237697e756d99f6fef082746b9b036ca26442a1b21fdc
• Instruction Fuzzy Hash: 16A1AE74604B918FD7298F3AC0507A3FBE2AF56304F49896EC0EB87792D779A409CB15
Strings
Memory Dump Source
• Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: 70$J,"
• API String ID: 0-2761771848
• Opcode ID: 5b2b09a193bb8b18eb74471c4e96c44cbac597829e1497d4b3f6156bc07c5394
• Instruction ID: 7be19c03798ea79d9934db7ec0843340450ff74e8f3990f2f7e6b49d9c54ce2c
• Opcode Fuzzy Hash: 5b2b09a193bb8b18eb74471c4e96c44cbac597829e1497d4b3f6156bc07c5394
• Instruction Fuzzy Hash: 7991E270208B918BE3258F3594607A3FBE2AF53314F55894EC4EB8B782D779A005CB66
Strings
Memory Dump Source
• Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: 70$J,"
                                                                                                                                                                                                        • API String ID: 0-2761771848
                                                                                                                                                                                                        • Opcode ID: 4b9172bb97e97fa30d40fcffd48450d098e961264a3214083439a6f7c747b4e3
                                                                                                                                                                                                        • Instruction ID: 13c0c05138027d79465b019c5c45dcc6e672cb8a09997c649579edeaa545dc7e
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4b9172bb97e97fa30d40fcffd48450d098e961264a3214083439a6f7c747b4e3
                                                                                                                                                                                                        • Instruction Fuzzy Hash: AA91E370208B918BE3258F3594607B3FBE2AF53304F55995EC0EB8B786D779A005CB66
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: 70$J,"
                                                                                                                                                                                                        • API String ID: 0-2761771848
                                                                                                                                                                                                        • Opcode ID: a61afa0e0a1c57712b3c231f12eafd65f534c95d69a5e0b53a1c77b4cef1f651
                                                                                                                                                                                                        • Instruction ID: 43c0dc859df8ce2253e23f61692162eab5309f207224ff58b3303d72c24f99fe
                                                                                                                                                                                                        • Opcode Fuzzy Hash: a61afa0e0a1c57712b3c231f12eafd65f534c95d69a5e0b53a1c77b4cef1f651
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4791E270208B918BE3258F3594607B3FBE2AF53304F55995EC0E78B785DB79A005CB66
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: .XFV$4
                                                                                                                                                                                                        • API String ID: 0-2182414623
                                                                                                                                                                                                        • Opcode ID: 379e2d0d14c46e3515bf396bb2548ff0c62cc32b4379d68099706ae14e688b58
                                                                                                                                                                                                        • Instruction ID: aeed6450675ba2fce122bd03c45f109c8dc44de7dfac63d0416cf21ca662847e
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 379e2d0d14c46e3515bf396bb2548ff0c62cc32b4379d68099706ae14e688b58
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 06716835A183E08BC7118F24D8907ABBBD1AFC6304F48882DE8D547392D73D9986CBD6
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: 70$J,"
                                                                                                                                                                                                        • API String ID: 0-2761771848
                                                                                                                                                                                                        • Opcode ID: 3dd8770f24656ab3fe9583cb8b87f8f05e579e89c1cd5dab7fe7223b40ba52b3
                                                                                                                                                                                                        • Instruction ID: b2e54457bd02884b6339e914234832653533310c98399731a7d837d17ccda665
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 3dd8770f24656ab3fe9583cb8b87f8f05e579e89c1cd5dab7fe7223b40ba52b3
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8381D260208B918BE3258F3594607B3FBE2AF53304F59994DC0E74B686D779A005CB66
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: K$t
                                                                                                                                                                                                        • API String ID: 0-621735856
                                                                                                                                                                                                        • Opcode ID: b9c28211623d105ac197771b1e615e7507543fa8d9735112a0fd741ee7399c90
                                                                                                                                                                                                        • Instruction ID: b924c7de33324fd84ad0c7427318b8d1b23034a9cc7cb24b4c78629769d5eaaf
                                                                                                                                                                                                        • Opcode Fuzzy Hash: b9c28211623d105ac197771b1e615e7507543fa8d9735112a0fd741ee7399c90
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4C61057260C7808BD7259A7AC8853ABBBD5ABD1314F184E3EE4DAD73D2D67C85028317
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: 1.!9$lC-5
                                                                                                                                                                                                        • API String ID: 0-955562044
                                                                                                                                                                                                        • Opcode ID: 36bbf715707de8fc179c753c81f3adb2fa3e3d2104b14282a800f01f1e50f4c2
                                                                                                                                                                                                        • Instruction ID: 514c95e88863dd3a7a3a97e91ec26156b78912b8c88e09c8ca48e5decab37fb5
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 36bbf715707de8fc179c753c81f3adb2fa3e3d2104b14282a800f01f1e50f4c2
                                                                                                                                                                                                        • Instruction Fuzzy Hash: D451D6B1204BD18AD7368F3595A03E3BFE19F63204F5984AEC6E75B247C63864078769
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: 1.!9$lC-5
                                                                                                                                                                                                        • API String ID: 0-955562044
                                                                                                                                                                                                        • Opcode ID: 26713d8f632589936e406d347d1ee3b9a5a6c501da0365e12dbaa7b709ad7ccf
                                                                                                                                                                                                        • Instruction ID: bb94cbbde2a596cc5017b633e8eb6fb3f3c0b868ea17cad74571c6bacdf6520b
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 26713d8f632589936e406d347d1ee3b9a5a6c501da0365e12dbaa7b709ad7ccf
                                                                                                                                                                                                        • Instruction Fuzzy Hash: B451E7B12047D18AD735CF3595913E3BBE19F93204F4984AEC6E79B347C63864068729
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: 2$92
                                                                                                                                                                                                        • API String ID: 0-2188500272
                                                                                                                                                                                                        • Opcode ID: 1b368be5706957e56e0f7e34821662ebf02a73a5da1fc54ba98d572a87a6fab9
                                                                                                                                                                                                        • Instruction ID: c6f4ea336b335b6e496916b4a8ac6001150761c5a1ef2565f23019958618a889
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1b368be5706957e56e0f7e34821662ebf02a73a5da1fc54ba98d572a87a6fab9
                                                                                                                                                                                                        • Instruction Fuzzy Hash: F051CF7160C3808FD3058F24D8903ABBBE1AFD7318F089A6EE4D157282C279C946CB5B
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: 1.!9$lC-5
                                                                                                                                                                                                        • API String ID: 0-955562044
                                                                                                                                                                                                        • Opcode ID: 7894484cabc66f14eb6f4e0ab7f7413e55dc2ffffe737b6f552b5bd015a07555
                                                                                                                                                                                                        • Instruction ID: 4168dc82b4f2739d19c497d55cfc0f2102822e6ba54f8f4f153eee108f50cdfe
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7894484cabc66f14eb6f4e0ab7f7413e55dc2ffffe737b6f552b5bd015a07555
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2941D3B1204B918AD7358F3591613F3BBE29F53204F59886EC6EB5B387C73864078B59
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: u
                                                                                                                                                                                                        • API String ID: 0-274620953
                                                                                                                                                                                                        • Opcode ID: 4df306f4cd1d169dc838ba075f539e3d0019bb019eeea896d235b1f32e477a9a
                                                                                                                                                                                                        • Instruction ID: f4351926ea80f6d41031f7a8d3d64521a055b2e885096f53dfa75b8fcbf26a91
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4df306f4cd1d169dc838ba075f539e3d0019bb019eeea896d235b1f32e477a9a
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 77E136B5608351CFC700CF24D89166BBBE1AFAA304F58486EF4C59B352D379D806CB5A
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • CoCreateInstance.OLE32(0043E5B0,00000000,00000001,0043E5A0), ref: 0041D0B9
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: CreateInstance
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 542301482-0
                                                                                                                                                                                                        • Opcode ID: 682db8193562440f5feba1497e93b3653fd9ea8c6f33e6163ee6bd87fe31ae7f
                                                                                                                                                                                                        • Instruction ID: 6dadc00c3018e868f1a0ea15977adeaad7d44dad6675e8d31bd1b26d5e93d24f
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 682db8193562440f5feba1497e93b3653fd9ea8c6f33e6163ee6bd87fe31ae7f
                                                                                                                                                                                                        • Instruction Fuzzy Hash: B151C0F1A00214ABDB209B64CC82BA773B4EF85358F148559F9958B391F379D881C76A
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: dc
                                                                                                                                                                                                        • API String ID: 0-2498989246
                                                                                                                                                                                                        • Opcode ID: 64f308c92793f734fdb8bc6fe7356cb0b55b865044581c5b299462e529871da7
                                                                                                                                                                                                        • Instruction ID: 6dc162b70d4a0d2cac803bea5586a589b4eaedc5368ab72ad50fe953595485a8
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 64f308c92793f734fdb8bc6fe7356cb0b55b865044581c5b299462e529871da7
                                                                                                                                                                                                        • Instruction Fuzzy Hash: A6C1F6B2A043109BD7149F24CC827ABB7E1EF95318F19853EE8C99B381E67CDD418796
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                                                                        • String ID: _^]\
                                                                                                                                                                                                        • API String ID: 2994545307-3116432788
                                                                                                                                                                                                        • Opcode ID: e374081adec2596d3cd74ed6a0b43ae1cdc793a9ec5e7d9f4e7c984339d5d2c2
                                                                                                                                                                                                        • Instruction ID: 35cdc045fa31dd8676c1c6913c6d55f0ddc615e4255ceb1979fb58d537812611
                                                                                                                                                                                                        • Opcode Fuzzy Hash: e374081adec2596d3cd74ed6a0b43ae1cdc793a9ec5e7d9f4e7c984339d5d2c2
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 26C18B727083509BEB10CE64D88136B77D2EFA5344F99853EE8868B3A1D23DDD06C385
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: "
                                                                                                                                                                                                        • API String ID: 0-123907689
                                                                                                                                                                                                        • Opcode ID: 640a6d397796fa19eda59b5c7c935865eb69704b522dae44ebc055bf3c6d1283
                                                                                                                                                                                                        • Instruction ID: c833f6f81037c630123e74c2c2654e886f2918f1005ced3ed5211264c2fe3f01
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 640a6d397796fa19eda59b5c7c935865eb69704b522dae44ebc055bf3c6d1283
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 40D12572B08720AFC714DE24E44076BB7E6AFC4314F98896EE8998B381D778DD4587C6
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: )[-
                                                                                                                                                                                                        • API String ID: 0-2950843958
                                                                                                                                                                                                        • Opcode ID: 262176cec828842de2b1e8f5f302cb609211da322d4ee696f27cf1b0fefff00a
                                                                                                                                                                                                        • Instruction ID: 0556b1aee597c263416b88f1653f6a980aac45701358d3d4f99f08ef886d0951
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 262176cec828842de2b1e8f5f302cb609211da322d4ee696f27cf1b0fefff00a
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 59B1E7B664D3818BE338CF25D8917DBBBE2ABD1304F18892DD4C997341DB794446CB92
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: o
                                                                                                                                                                                                        • API String ID: 0-252678980
                                                                                                                                                                                                        • Opcode ID: 1e6ed8efbb8726892791fd54278dc603ad4e576cc627a129a51e622989dc521e
                                                                                                                                                                                                        • Instruction ID: 719c7f1e51893838f80ee444bdbf9069eefeb1c6db232665ff7f2d5a59f26144
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1e6ed8efbb8726892791fd54278dc603ad4e576cc627a129a51e622989dc521e
                                                                                                                                                                                                        • Instruction Fuzzy Hash: D3A1C43160C3925FC715CF28C49062EBBE2ABD9214F19C66EE9E54B392C638D8468B56
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: ddTz
                                                                                                                                                                                                        • API String ID: 0-3034176710
                                                                                                                                                                                                        • Opcode ID: e397cd97e300499b981fbdbe44b81acde5b1e8312a6deeb103023944287527ef
                                                                                                                                                                                                        • Instruction ID: 9645439365ba7759f8e61c31a737711ce6c868c36132e140412ed4b9ee18268b
                                                                                                                                                                                                        • Opcode Fuzzy Hash: e397cd97e300499b981fbdbe44b81acde5b1e8312a6deeb103023944287527ef
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 74911575609B818BE329CF35D4607A3BBD2AF92304F19896DC0E74B796CB786409C715
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: F7A
                                                                                                                                                                                                        • API String ID: 0-445315410
                                                                                                                                                                                                        • Opcode ID: 0e160b08cfa82317605574b46c39f02fba21916364b617079a377a1d06467cb5
                                                                                                                                                                                                        • Instruction ID: cf92ca99fa68dc6f54dabf7ec89121568c846c6843458505517b19389f836b84
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0e160b08cfa82317605574b46c39f02fba21916364b617079a377a1d06467cb5
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2D6111B6900104DBCB148F54DC926BA73B2FF4A315F09407AE9469B3A1EB399A41C798
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: ddTz
                                                                                                                                                                                                        • API String ID: 0-3034176710
                                                                                                                                                                                                        • Opcode ID: d87243c89f44b95bc625f34622e017969b2033f1917e39f2071915c98d8e4866
                                                                                                                                                                                                        • Instruction ID: d5d0dbab8c74d4f3d3496bfdcc284759fe10a40fe82cb1f6c7f2f4d2fd3d7d92
                                                                                                                                                                                                        • Opcode Fuzzy Hash: d87243c89f44b95bc625f34622e017969b2033f1917e39f2071915c98d8e4866
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 008129B5609B818FE3298F35D4507A3BBD3AF92304F19996DC0EB4B786CB792409CB15
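Added example, not part of this Joe Sandbox report and not Joe Sandbox code: a small Python parser that turns function records like the ones above into structured data and decodes the memory-dump source filename. The protection field 0x40 is PAGE_EXECUTE_READWRITE and the type field 0x20000 is MEM_PRIVATE, so a region "based on PE: true" at 0x400000 inside BitLockerToGo (the process named in the snapshot file) with those attributes is a PE image that was written into the process, not one mapped by the image loader, which produces MEM_IMAGE regions with per-section protections. The positions of the process index, base address, protection and memory-type fields in the .sdmp name are an assumption inferred from the values on this page; the sample input is copied from two records above with the hash and snapshot lines removed.

```python
# Added example for this Joe Sandbox report page; not Joe Sandbox's own code. It parses
# the per-function "Memory Dump Source" / "Similarity" records above and decodes the
# .sdmp source filename. ASSUMPTION: the .sdmp field order (process index, -, -, base
# address, page protection, -, memory type, -) is inferred from this page's values.
import re
from collections import namedtuple
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Two records copied from this page (indentation removed, hash and snapshot lines abridged).
SAMPLE_REPORT = """\
APIs
• CoCreateInstance.OLE32(0043E5B0,00000000,00000001,0043E5A0), ref: 0041D0B9
Memory Dump Source
• Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CreateInstance
• String ID:
Strings
Memory Dump Source
• Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID:
• String ID: dc
"""

# Win32 constants from winnt.h.
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
MEM_TYPES = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
HEADERS = {"Strings", "APIs", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
API_CALL_RE = re.compile(r"^(\w+)\.(\w+)\((.*)\), ref: ([0-9A-Fa-f]+)$")
SOURCE_RE = re.compile(r"^(\S+)\.sdmp, Offset: ([0-9A-Fa-f]+), based on PE: (true|false)$")

ApiCall = namedtuple("ApiCall", "name module args ref")  # ref = call-site address

@dataclass
class DumpSource:
    process_index: int  # the "9" that also appears in hcaresult_9_2_400000_BitLockerToGo
    base: int
    protect: int
    mem_type: int
    based_on_pe: bool

@dataclass
class FunctionRecord:
    kind: str  # "Strings" or "APIs": the header every record opens with
    api_calls: List[ApiCall] = field(default_factory=list)
    fields: Dict[str, str] = field(default_factory=dict)
    source: Optional[DumpSource] = None

def decode_dump_source(value: str) -> DumpSource:
    m = SOURCE_RE.match(value)
    if m is None:
        raise ValueError(f"unrecognised Source File line: {value!r}")
    parts = m[1].split(".")
    if len(parts) != 8:
        raise ValueError(f"expected 8 dot-separated fields, got {len(parts)}")
    src = DumpSource(int(parts[0], 16), int(parts[3], 16), int(parts[4], 16),
                     int(parts[6], 16), m[3] == "true")
    if src.base != int(m[2], 16):  # the Offset field must agree with the base in the name
        raise ValueError("base address field does not match Offset")
    return src

def describe_protect(protect: int) -> str:
    names = [PAGE_PROTECT.get(protect & 0xFF, f"0x{protect & 0xFF:x}")]
    names += [n for bit, n in PAGE_MODIFIERS.items() if protect & bit]
    return " | ".join(names)

def looks_injected(src: DumpSource) -> bool:
    # A PE in writable+executable *private* memory was written there by WriteProcessMemory
    # or similar; an image mapped by the loader is MEM_IMAGE with per-section protections.
    return src.based_on_pe and (src.protect & 0xFF) in (0x40, 0x80) and src.mem_type == 0x20000

def parse_records(text: str) -> List[FunctionRecord]:
    records: List[FunctionRecord] = []
    current, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("Strings", "APIs"):  # a new function record starts here
            current = FunctionRecord(kind=line)
            records.append(current)
            section = line
            continue
        if line in HEADERS:
            section = line
            continue
        if current is None or not line.startswith("• "):
            continue  # blank or stray text outside a record
        body = line[2:]
        if section == "APIs" and (m := API_CALL_RE.match(body)):
            current.api_calls.append(ApiCall(m[1], m[2], m[3].split(","), int(m[4], 16)))
            continue
        key, _, value = body.partition(":")
        current.fields[key.strip()] = value.strip()
        if key.strip() == "Source File":
            current.source = decode_dump_source(value.strip())
    return records
```

The parser keys every "• Key: value" line into a dictionary, so the Opcode ID, Instruction ID and fuzzy-hash lines of the full records come through unchanged and can be grouped or diffed across dumps; the only lines treated specially are the API call lines (split into module, function, arguments and call-site address) and the Source File line. The Offset cross-check in decode_dump_source is there because the field order is assumed: if a report uses a different layout, the function raises instead of silently returning a wrong base address.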
Strings
Memory Dump Source
• Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: &'&!
• API String ID: 0-380169441
Strings
Memory Dump Source
• Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: InitializeThunk
• String ID: _^]\
• API String ID: 2994545307-3116432788
Strings
Memory Dump Source
• Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: InitializeThunk
• String ID: _^]\
• API String ID: 2994545307-3116432788
Strings
Memory Dump Source
• Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: wjB
• API String ID: 0-2839479382
Strings
Memory Dump Source
• Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: ,
• API String ID: 0-3772416878
Strings
• 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081, xrefs: 0042D18F
Memory Dump Source
• Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081
• API String ID: 0-2471034898
Strings
Memory Dump Source
• Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: InitializeThunk
• String ID: _^]\
• API String ID: 2994545307-3116432788
Strings
Memory Dump Source
• Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: jbA
• API String ID: 0-3960598471
Strings
Memory Dump Source
• Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: ]
• API String ID: 0-3352871620
Strings
Memory Dump Source
• Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: C
• API String ID: 0-3545381514
Strings
• 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081, xrefs: 0042D59F
Memory Dump Source
• Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081
• API String ID: 0-2471034898
Strings
Memory Dump Source
• Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: ?4
• API String ID: 0-2815646878
Strings
Memory Dump Source
• Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: ?4
• API String ID: 0-2815646878
Strings
Memory Dump Source
• Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: 7654
• API String ID: 0-4024152101
Strings
Memory Dump Source
• Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: InitializeThunk
• String ID: @
• API String ID: 2994545307-2766056989
Strings
Memory Dump Source
• Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: _.C
• API String ID: 0-2087954841
Memory Dump Source
• Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: cabc4fa04adb2067717f65b1f24bbcea40a7e44ce56fc5340aef09d937cce95e
                                                                                                                                                                                                        • Instruction ID: fa6be7caf31bbe31e583ef48f09a1af4367de4829a62844f5d376ddb5fc6ecc7
                                                                                                                                                                                                        • Opcode Fuzzy Hash: cabc4fa04adb2067717f65b1f24bbcea40a7e44ce56fc5340aef09d937cce95e
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 73628DB1518BC18EE372CB3C8805793BFD56B1A324F088A9ED0EA873D2D3796545C766
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 0398a18b8dfe2e1fdd80c3eced424af0662fb0a518a9ffb975128782eb54fd77
                                                                                                                                                                                                        • Instruction ID: 86850285da958daa688e634b9d0a6ad94dffcb3389d859ff7d9861b0d5e8b817
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0398a18b8dfe2e1fdd80c3eced424af0662fb0a518a9ffb975128782eb54fd77
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1152AFB0A08B848FE7358B24C4847A7BBE1AB91314F15493FD5E716BC2C37DA885C75A
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 3958fa3dcb395489a25c1e100c3abf6f7a8e5e1376c1a8b06d8b2ffd2c27286b
                                                                                                                                                                                                        • Instruction ID: 1cf0ddf549a6b9c0cd258c83d4546b09541b82d8ba8380053450828b87629e1d
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 3958fa3dcb395489a25c1e100c3abf6f7a8e5e1376c1a8b06d8b2ffd2c27286b
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8252D6315083458FCB15CF24C0906AABBE1FF89314F198A7EE8D96B381D779E949CB85
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 30f3afdea6a098165f5552f68ff6c836309deb3d886d694b10dac7aa939717b8
                                                                                                                                                                                                        • Instruction ID: 51db0049775964ee10586154a26263e61aaecabc8eb00eef94e7e7d248730d13
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 30f3afdea6a098165f5552f68ff6c836309deb3d886d694b10dac7aa939717b8
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 24120236718751CFCB08CF28D89162AB7E1EBCA314F0A897DD98597352D734E841CB89
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 56843971dd54487d5077fbbb61f5aa0319abfef2be9cdcd5d6915a45ede05b67
                                                                                                                                                                                                        • Instruction ID: 655400b964e5d6b111efbe23e95bf53bc8b155411e80a695dd46c829c3a2f522
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 56843971dd54487d5077fbbb61f5aa0319abfef2be9cdcd5d6915a45ede05b67
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0F4246B1614B108FC338CF29C690526BBF5BF85711B504A2ED69797B90D73AF941CB18
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 01a3724febffc22af5c68f45ce013e42891f21285806263614d0ae5837037e54
                                                                                                                                                                                                        • Instruction ID: 2c21260f15878f5cf04b5222ea27a6691da085b774fa7a699a4f7ea192bcc3fa
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 01a3724febffc22af5c68f45ce013e42891f21285806263614d0ae5837037e54
                                                                                                                                                                                                        • Instruction Fuzzy Hash: BCD1E339628712CBC7189F38E85226BB7E1FF8B351F0A987DD082872A4E73DC951C655
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: c19e93527ae37752e38ae46a700c9a56337b548a180afcd7a4d1f94e899bf479
                                                                                                                                                                                                        • Instruction ID: 8b8ee52b17e80dcbe906598ba8c2030f2f015000fbfcbdd8a3d4467f75f70f22
                                                                                                                                                                                                        • Opcode Fuzzy Hash: c19e93527ae37752e38ae46a700c9a56337b548a180afcd7a4d1f94e899bf479
                                                                                                                                                                                                        • Instruction Fuzzy Hash: A0F1C0311087418FC724CF29C981A2BFBE2EF99304F04892EE5D557791E779E944CB9A
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 438cf2edb6ca430c3b32c742c84c18d859576f4fd1b85e4487d624bf9f32b7b4
                                                                                                                                                                                                        • Instruction ID: ce8b44183fe3be79882a2c57ce8dffdcd027368aa2fa6a41af8e9c7b231f9e76
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 438cf2edb6ca430c3b32c742c84c18d859576f4fd1b85e4487d624bf9f32b7b4
                                                                                                                                                                                                        • Instruction Fuzzy Hash: B8C10036608755CFDB089F28D89036AB7E1EBCA314F09987DD98697392D735D801CB89
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 6c042fa13678696749b42057ffad9eae4384aaea0b8cc45e75453d4004ef7366
                                                                                                                                                                                                        • Instruction ID: afc6a209b5bf0fad00d8eb0cec04e098badf54672ff6522a6cd28f18c42e2ba3
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6c042fa13678696749b42057ffad9eae4384aaea0b8cc45e75453d4004ef7366
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0CC1FF726083118FD724CF24D89076FBBE1EFC5714F44892DE8999B291E7788A09CBD6
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
• Opcode ID: 418b9174d0a95352e482079c4a2bcf42d2296a6f235d4f05389256c17d33156d
• Instruction ID: 40fc7e6a6863a70241d7234278c7bdb5b0a593c9d380da34c5ae374faa4b60df
• Opcode Fuzzy Hash: 418b9174d0a95352e482079c4a2bcf42d2296a6f235d4f05389256c17d33156d
• Instruction Fuzzy Hash: F0C169B2A087518FC320DF28C856BABB7E0AF85318F09893DD5DAD7342D738A555CB46

Memory Dump Source
• Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1dd735aa92de384b2b61196820cc6f1d6e5b986f8735fa5e705b7e66fbf8f9ad
• Instruction ID: b065995edc2037c3bd77b1918f9114f88e2110f4e3a95b0c075b470a8bbe979a
• Opcode Fuzzy Hash: 1dd735aa92de384b2b61196820cc6f1d6e5b986f8735fa5e705b7e66fbf8f9ad
• Instruction Fuzzy Hash: 6CB16976B04B408FD3159F38D891766BFE2AFD6314F09857DC8DA8B392D639A406CB02

Memory Dump Source
• Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 00b8d15f00c32a99ab4cad742ccfe95e494821f68e19d958824578c6acec4fca
• Instruction ID: c2b27f8f9b9d4d2eda323015b609bdb41a300a41b14f1a02f7bf8417064861db
• Opcode Fuzzy Hash: 00b8d15f00c32a99ab4cad742ccfe95e494821f68e19d958824578c6acec4fca
• Instruction Fuzzy Hash: FBB13572704B408FC3159F38D891796BFE2AF9A314F19857DC4DA8B792D639A806C706

Memory Dump Source
• Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c7f2423f99d8e18eda29235c528bc4b091663490199094de37e861c1f0ecea40
• Instruction ID: d59155efd4a6abbdb0dac5c10b424a074a9e1cbc28c604a18c502cf8862a2e07
• Opcode Fuzzy Hash: c7f2423f99d8e18eda29235c528bc4b091663490199094de37e861c1f0ecea40
• Instruction Fuzzy Hash: CBA1153160D3528FC315CF28C89056EBBE1AF99314F18867EE4E48B392D739D985C79A

Memory Dump Source
• Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8dfc520a1cc3bb9d2a0d4b8e2cc3b9bd81267eae3064061dabde1fe6719caaa9
• Instruction ID: cc9474e18761b69cfbc605783cc3eb705971a69e86c6600b825efed3f3ad06b8
• Opcode Fuzzy Hash: 8dfc520a1cc3bb9d2a0d4b8e2cc3b9bd81267eae3064061dabde1fe6719caaa9
• Instruction Fuzzy Hash: 9281F773A042106BE714DA29CC42B6B76D9ABC8318F08593EFD99D7381FA78DC058796

Memory Dump Source
• Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: ee0e9eed768b5bf4a6fe896459293220cc7a8d57d7edf62772ac14cf9bf6f9b4
• Instruction ID: 5e97add4328e8d509adfb68d4a19aa7d243652ec0f909c56782d7d6abd6984d1
• Opcode Fuzzy Hash: ee0e9eed768b5bf4a6fe896459293220cc7a8d57d7edf62772ac14cf9bf6f9b4
• Instruction Fuzzy Hash: C1715A76A04B108FD7149F18CCD177BB792EB89324F4A512EE8D95B3A1C739AC02C786

Memory Dump Source
• Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 6ac5d2307720ef10cee1d3e37ea176b8beaced236f038b174dd6b0aed7f169da
• Instruction ID: 72b77d10704dd0d7aa672f27026a7679e6cc042c310a12ae692275350aadc6a6
• Opcode Fuzzy Hash: 6ac5d2307720ef10cee1d3e37ea176b8beaced236f038b174dd6b0aed7f169da
• Instruction Fuzzy Hash: 25615977E04B108FD7208F18CC4172BB7A2ABD9718F1E912EDC955B391D63AAC0187D9

Memory Dump Source
• Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 014480419a9b256ceb61e059f15a513c1d188164f3401fcda3c1b92c88b85e19
• Instruction ID: 1df60c502d955a6baf01642fa007087b4d374d37b61c5992207a6e7207d8eef3
• Opcode Fuzzy Hash: 014480419a9b256ceb61e059f15a513c1d188164f3401fcda3c1b92c88b85e19
• Instruction Fuzzy Hash: 6181181661564009D72CDF3588933376AE69F94308F1CD1BFDA99CF6DBEA38C1028749

Memory Dump Source
• Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5843c40e7056d9cccb4dd715a94c82e5e98caff923da071b5cd8b2569a7c961b
• Instruction ID: b5fe1401950397798b0e4868e89b9d0fa3007d6d3d01e192a20591cb3645c175
• Opcode Fuzzy Hash: 5843c40e7056d9cccb4dd715a94c82e5e98caff923da071b5cd8b2569a7c961b
• Instruction Fuzzy Hash: C78100B5A403259FDB10DFA9D886B6E7E74FB4A720F0141ADE505AF3A2C7748802CBD5

Memory Dump Source
• Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 186fb7d866e8dd2a76edfe15a688058e2d556715066b9f1141b02d4f049983fe
• Instruction ID: 73a49a8c8688a65f4d2a2e646f02b559df588f3d4c737fd938e6d142e0aada3f
• Opcode Fuzzy Hash: 186fb7d866e8dd2a76edfe15a688058e2d556715066b9f1141b02d4f049983fe
• Instruction Fuzzy Hash: 4E612833B1AA914BD7148D3C4C542E6AA531BE7330B3D837BD9B68B3D6C92A8C438355

Memory Dump Source
• Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7ec95c79cd8cc300b02046cb5365009cc36f4bcbcc9a7bb27621ce693ffe49f5
• Instruction ID: 1a8f7ff1e2b4092b153aa7a23144106be23e6411c362154432423684ff2431da
• Opcode Fuzzy Hash: 7ec95c79cd8cc300b02046cb5365009cc36f4bcbcc9a7bb27621ce693ffe49f5
• Instruction Fuzzy Hash: 24510B72F10A254BCB19CF6CD89067EB2E2AFC8300B59827DD916AB385DB74AD01C7D4

Memory Dump Source
• Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8d7870ff978f0552d92d13cb2eced5db31d90ee0d29bfad68c276683313256f5
• Instruction ID: 1281712bd1f2abd7efee1fb243ab0fc73d5f3a3bd5647f4ccf167b82e885d6ce
• Opcode Fuzzy Hash: 8d7870ff978f0552d92d13cb2eced5db31d90ee0d29bfad68c276683313256f5
• Instruction Fuzzy Hash: 7A515DB16087548FE314DF29D49435BBBE1BBC8358F054E2EE4E987351E379DA088B86

Memory Dump Source
• Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                                                                                                        • Opcode ID: 9c68aa2539233c699e9ef1ae3a89736f5a2e2ebf3830b38f8233d2ab1984ffb1
                                                                                                                                                                                                        • Instruction ID: cf57c3f341d315790e1bc4c7b497c353ce667712a65f50353881a5a69b1deb5e
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9c68aa2539233c699e9ef1ae3a89736f5a2e2ebf3830b38f8233d2ab1984ffb1
                                                                                                                                                                                                        • Instruction Fuzzy Hash: B451E0B46047918BE3218F29D4607B3FBE0AF62301F28498ED5E787342D778B915CB26
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: ClipboardOpen
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2793039342-0
                                                                                                                                                                                                        • Opcode ID: ca4c6ccea79603fc7aecd039aa70d8e869a50e63e8a4dbd5198dd36fec3feb8e
                                                                                                                                                                                                        • Instruction ID: a8386669170c1a827759157fcc4ea954149f79e2fdb8dce214baf2531f05c25a
                                                                                                                                                                                                        • Opcode Fuzzy Hash: ca4c6ccea79603fc7aecd039aa70d8e869a50e63e8a4dbd5198dd36fec3feb8e
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2E5128A6A5879047E325B6225C1279F75869FD2308F08443EF48963383DF7D5A49829F
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 1c70d9c45191b93b0433d17e224597ee8a29511e9bdc43a8f231dd1e847c5eeb
                                                                                                                                                                                                        • Instruction ID: f97c32e10673494defa8155cf9be7520c7f20da070703afd7d07584243869708
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1c70d9c45191b93b0433d17e224597ee8a29511e9bdc43a8f231dd1e847c5eeb
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7F5198327592105BD7189E29CC91B3FB293EBC9724F2D823EE896573D5CA789C02C384
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 3ff4a80f9d34e9e36ceb7665977974238233f5f7b6a81a3db7564908c82bec2b
                                                                                                                                                                                                        • Instruction ID: 184a9edea63ee326f63cffa975733085abbfd1575cd55f4bcae17c0d6fadc007
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 3ff4a80f9d34e9e36ceb7665977974238233f5f7b6a81a3db7564908c82bec2b
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1A41A162B493614FD714CB28C89127BBF82CF92360F4E837ED5560B3D2CA18A909D395
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: bb7899ad91b1f3e17a07e3132403b735fb0b5cd0738ad5c3af1179fcc5ad5fda
                                                                                                                                                                                                        • Instruction ID: d63b65f3659a554ae4bac0d7e99c01bfdf2859cb556b062455f7a8db6e947508
                                                                                                                                                                                                        • Opcode Fuzzy Hash: bb7899ad91b1f3e17a07e3132403b735fb0b5cd0738ad5c3af1179fcc5ad5fda
                                                                                                                                                                                                        • Instruction Fuzzy Hash: B231CE327586414BEB1CCE29CC9226BB7E38BCA324F1CD63D9496C73A5DA3DC9018745
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 1c5e3e17403244415fe300e7d44dd53aa7b8e6829c35963be27388effd9a9168
                                                                                                                                                                                                        • Instruction ID: 2870550d978d39b1e9aedb3ec20f48e7ddaf3b44ab6e0805df6b8d4ff2758aee
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1c5e3e17403244415fe300e7d44dd53aa7b8e6829c35963be27388effd9a9168
                                                                                                                                                                                                        • Instruction Fuzzy Hash: B721CF71548310DBC310AF29CC926ABB7F0EF46764F145A09E4D5CB391F3788941CBAA
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 2ef35b99d74e13053632c7311e3aef26bfaad6667daaf2e8d9fa7d41985a3dba
                                                                                                                                                                                                        • Instruction ID: b99542bd7a0dbc4ceccd4fa9615d5eb3c336bbafe75ec53b8f146eb9f83ea12f
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2ef35b99d74e13053632c7311e3aef26bfaad6667daaf2e8d9fa7d41985a3dba
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6E218EBBD646508FD7208F71DC4222BBBA3EBC6704F09843EDC94B3714DA7899058B89
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                                                                                                                                                                        • Instruction ID: d31462c70157d53e9667f20b63c0c23b9c3d8b5349be5f0bb6a811ddc08ad754
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                                                                                                                                                                        • Instruction Fuzzy Hash: C311A7737051E40AC3158D3C9440666BFA20AA3634B9943BAE4B8972D6D6268D8E8359
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: e4d40440445786161cae83f86c9c5b6daec8980928c68b3813a4488de9d5bcb9
                                                                                                                                                                                                        • Instruction ID: 9d118efc6ad301846994c4c3466144e18fbf65a307a159186628b0a6099eaea1
                                                                                                                                                                                                        • Opcode Fuzzy Hash: e4d40440445786161cae83f86c9c5b6daec8980928c68b3813a4488de9d5bcb9
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7E01B5F570072157EB219E11F5C0B2BB2A8EFD5708F88003ED8445B342DB79EC05C699
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000009.00000002.1506014697.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_9_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 5986e47722f64b780f4497ad015bb112eb263c2a398ed9be6b0c6485b4d16015
                                                                                                                                                                                                        • Instruction ID: 5299ce2f6519389f5b2d25a6fe6a47c831be11707c38635e2e0c8a5a8964da6f