Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Invoice.exe

Overview

General Information

Sample name:Invoice.exe
Analysis ID:1586890
MD5:cb7f2241397f38ea67c7b7404f3828cd
SHA1:004bad94d8e44aff2dd938add52fedf23ddbffbd
SHA256:697e9c2868457f2721b82f27620c0ff21e1529e1dc247a6fd0792c782196195e
Infos:

Detection

LummaC
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • Invoice.exe (PID: 7408 cmdline: "C:\Users\user\Desktop\Invoice.exe" MD5: CB7F2241397F38EA67C7B7404F3828CD)
    • BitLockerToGo.exe (PID: 7756 cmdline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Lumma Stealer, LummaC2 StealerLumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["chipdonkeruz.shop", "femalsabler.shop", "robinsharez.shop", "apporholis.shop", "soundtappysk.shop", "versersleep.shop", "handscreamny.shop", "crowdwarek.shop", "letterdrive.shop"], "Build id": "2KQ7l8--"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
decrypted.memstrJoeSecurity_LummaCStealer_2Yara detected LummaC StealerJoe Security

    Sigma Signatures

    No Sigma rule has matched

    Suricata Signatures

    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2025-01-09T18:25:10.587997+010020283713Unknown Traffic192.168.2.449736104.102.49.254443TCP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2025-01-09T18:25:09.842878+010020590351Domain Observed Used for C2 Detected192.168.2.4627521.1.1.153UDP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2025-01-09T18:25:09.875121+010020590371Domain Observed Used for C2 Detected192.168.2.4652401.1.1.153UDP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2025-01-09T18:25:09.855571+010020590391Domain Observed Used for C2 Detected192.168.2.4650451.1.1.153UDP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2025-01-09T18:25:09.833200+010020590411Domain Observed Used for C2 Detected192.168.2.4556851.1.1.153UDP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2025-01-09T18:25:09.884686+010020590431Domain Observed Used for C2 Detected192.168.2.4556371.1.1.153UDP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2025-01-09T18:25:09.896881+010020590491Domain Observed Used for C2 Detected192.168.2.4603761.1.1.153UDP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2025-01-09T18:25:09.821476+010020590511Domain Observed Used for C2 Detected192.168.2.4613271.1.1.153UDP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2025-01-09T18:25:09.865285+010020590571Domain Observed Used for C2 Detected192.168.2.4563861.1.1.153UDP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2025-01-09T18:25:11.058577+010028586661Domain Observed Used for C2 Detected192.168.2.449736104.102.49.254443TCP

    Joe Sandbox Signatures

    Click to jump to signature section

    Show All Signature Results

    AV Detection

    barindex
    Antivirus detection for URL or domain
    Source: https://apporholis.shop/apiAvira URL Cloud: Label: malware
    Source: https://crowdwarek.shop/apiAvira URL Cloud: Label: malware
    Source: https://handscreamny.shop/apiSAvira URL Cloud: Label: malware
    Source: letterdrive.shopAvira URL Cloud: Label: malware
    Source: https://femalsabler.shop/apiAvira URL Cloud: Label: malware
    Source: https://letterdrive.shop/apiAvira URL Cloud: Label: malware
    Source: https://robinsharez.shop/apiAvira URL Cloud: Label: malware
    Source: https://soundtappysk.shop/api3Avira URL Cloud: Label: malware
    Source: https://chipdonkeruz.shop/api#Avira URL Cloud: Label: malware
    Found malware configuration
    Source: 4.2.BitLockerToGo.exe.400000.0.unpackMalware Configuration Extractor: LummaC {"C2 url": ["chipdonkeruz.shop", "femalsabler.shop", "robinsharez.shop", "apporholis.shop", "soundtappysk.shop", "versersleep.shop", "handscreamny.shop", "crowdwarek.shop", "letterdrive.shop"], "Build id": "2KQ7l8--"}
    Multi AV Scanner detection for submitted file
    Source: Invoice.exeReversingLabs: Detection: 15%
    AI detected suspicious sample
    Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
    Machine Learning detection for sample
    Source: Invoice.exeJoe Sandbox ML: detected
    Sample uses string decryption to hide its real strings
    Source: 00000000.00000003.1858441894.000000000A444000.00000004.00001000.00020000.00000000.sdmpString decryptor: robinsharez.shop
    Source: 00000000.00000003.1858441894.000000000A444000.00000004.00001000.00020000.00000000.sdmpString decryptor: handscreamny.shop
    Source: 00000000.00000003.1858441894.000000000A444000.00000004.00001000.00020000.00000000.sdmpString decryptor: chipdonkeruz.shop
    Source: 00000000.00000003.1858441894.000000000A444000.00000004.00001000.00020000.00000000.sdmpString decryptor: versersleep.shop
    Source: 00000000.00000003.1858441894.000000000A444000.00000004.00001000.00020000.00000000.sdmpString decryptor: crowdwarek.shop
    Source: 00000000.00000003.1858441894.000000000A444000.00000004.00001000.00020000.00000000.sdmpString decryptor: apporholis.shop
    Source: 00000000.00000003.1858441894.000000000A444000.00000004.00001000.00020000.00000000.sdmpString decryptor: femalsabler.shop
    Source: 00000000.00000003.1858441894.000000000A444000.00000004.00001000.00020000.00000000.sdmpString decryptor: soundtappysk.shop
    Source: 00000000.00000003.1858441894.000000000A444000.00000004.00001000.00020000.00000000.sdmpString decryptor: letterdrive.shop
    Source: 00000000.00000003.1858441894.000000000A444000.00000004.00001000.00020000.00000000.sdmpString decryptor: lid=%s&j=%s&ver=4.0
    Source: 00000000.00000003.1858441894.000000000A444000.00000004.00001000.00020000.00000000.sdmpString decryptor: TeslaBrowser/5.5
    Source: 00000000.00000003.1858441894.000000000A444000.00000004.00001000.00020000.00000000.sdmpString decryptor: - Screen Resoluton:
    Source: 00000000.00000003.1858441894.000000000A444000.00000004.00001000.00020000.00000000.sdmpString decryptor: - Physical Installed Memory:
    Source: 00000000.00000003.1858441894.000000000A444000.00000004.00001000.00020000.00000000.sdmpString decryptor: Workgroup: -
    Source: 00000000.00000003.1858441894.000000000A444000.00000004.00001000.00020000.00000000.sdmpString decryptor: 2KQ7l8--
    Source: Invoice.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED
    Source: unknownHTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49736 version: TLS 1.2
    Source: Invoice.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Source: Binary string: BitLockerToGo.pdb source: Invoice.exe, 00000000.00000002.1954108958.000000000A231000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: BitLockerToGo.pdbGCTL source: Invoice.exe, 00000000.00000002.1954108958.000000000A231000.00000004.00001000.00020000.00000000.sdmp
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov ecx, edx4_2_0040B2B0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp dword ptr [edx+ecx*8], 1ED645B4h4_2_00419840
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx edx, byte ptr [edi+eax]4_2_0040A05C
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp dword ptr [edi+edx*8], 53585096h4_2_00427070
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov dword ptr [esp+3Ch], edx4_2_0043B870
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov edx, ecx4_2_0043B870
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then add ebp, dword ptr [esp+0Ch]4_2_0042D830
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp dword ptr [edi+esi*8], 01FCE602h4_2_0043F0E0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov byte ptr [edi], al4_2_0041B882
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then jmp eax4_2_004418A0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov byte ptr [edi], al4_2_0041B173
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h4_2_0042B170
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov word ptr [eax], cx4_2_0041A900
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov byte ptr [edi], al4_2_0041B184
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then test esi, esi4_2_0043C9A0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov byte ptr [ecx], al4_2_0041B243
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov byte ptr [esi], cl4_2_0042EA62
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [edi+0Ch]4_2_00402210
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov ecx, eax4_2_0040AA32
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx eax, byte ptr [ebp+esi-00001458h]4_2_00425AF0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov ecx, eax4_2_00428280
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movsx eax, byte ptr [esi+ecx]4_2_0041F2A0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov ebx, eax4_2_00405AB0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov ebp, eax4_2_00405AB0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov byte ptr [esi], cl4_2_0042EB5F
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov ebx, dword ptr [edi+04h]4_2_0042BB00
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov byte ptr [edi], al4_2_0041BB21
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov dword ptr [esp+14h], 00000000h4_2_00441B20
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov byte ptr [edi], cl4_2_0041AB2A
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx ebp, byte ptr [esp+edi+72B923DBh]4_2_0040C334
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx edi, byte ptr [esp+edx+72B923DBh]4_2_0040C3EC
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov ebx, edx4_2_0042DBF0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then jmp ecx4_2_0040D334
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h4_2_00422380
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx edx, byte ptr [esp+ecx-000000E2h]4_2_0041BBA0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov dword ptr [ebx], 00000022h4_2_0042BBA0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov byte ptr [esi], cl4_2_0042EBA1
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov ecx, eax4_2_00440BAB
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov byte ptr [esi], cl4_2_0042EBB3
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov dword ptr [esp+14h], 00000000h4_2_00441BB0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov dword ptr [esp+14h], 00000000h4_2_00441C40
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov ecx, eax4_2_00442470
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp dword ptr [edi+edx*8], 53585096h4_2_00426C76
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, edi4_2_0041C400
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov byte ptr [esi], al4_2_00417405
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx esi, byte ptr [esp+edi+17ECFBF3h]4_2_00417405
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov edx, ecx4_2_00417405
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h4_2_00414C20
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov dword ptr [ebp-00000248h], 24272637h4_2_0044042D
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov ecx, eax4_2_0044042D
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov byte ptr [edi], cl4_2_0041B484
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov word ptr [esi], cx4_2_00427490
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp dword ptr [edi+edx*8], 53585096h4_2_00425D6A
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx ebx, byte ptr [edx]4_2_00438520
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp dword ptr [ebp+edi*8+00h], 4B884A2Eh4_2_00442D20
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then push edi4_2_0043C5A0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx edx, byte ptr [esp+edi+53BD8A12h]4_2_0043C5A0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h4_2_0042B652
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov byte ptr [edi], cl4_2_0041B667
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov ecx, dword ptr [0044C548h]4_2_00418672
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov word ptr [eax], cx4_2_00409E09
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]4_2_00407620
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx ecx, word ptr [edi+esi*4]4_2_00407620
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then jmp ecx4_2_0040CEC7
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx ecx, byte ptr [esp+eax+00000128h]4_2_00416ED0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx edx, byte ptr [esp+ecx+3A4EC517h]4_2_0041BEE1
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov byte ptr [edi], al4_2_0041AEFF
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov esi, ecx4_2_00415720
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov ecx, eax4_2_00415720
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx ebx, byte ptr [edx+eax-03DAF14Eh]4_2_0040DFE2
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov byte ptr [eax], cl4_2_0040DFE2
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx ecx, byte ptr [esp+ebx+08h]4_2_00408F90
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp dword ptr [ebp+edi*8+00h], 0EF2A4EDh4_2_004427B0

    Networking

    barindex
    Suricata IDS alerts for network traffic
    Source: Network trafficSuricata IDS: 2059039 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crowdwarek .shop) : 192.168.2.4:65045 -> 1.1.1.1:53
    Source: Network trafficSuricata IDS: 2059057 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (versersleep .shop) : 192.168.2.4:56386 -> 1.1.1.1:53
    Source: Network trafficSuricata IDS: 2059041 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (femalsabler .shop) : 192.168.2.4:55685 -> 1.1.1.1:53
    Source: Network trafficSuricata IDS: 2059051 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (soundtappysk .shop) : 192.168.2.4:61327 -> 1.1.1.1:53
    Source: Network trafficSuricata IDS: 2059043 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (handscreamny .shop) : 192.168.2.4:55637 -> 1.1.1.1:53
    Source: Network trafficSuricata IDS: 2059035 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (apporholis .shop) : 192.168.2.4:62752 -> 1.1.1.1:53
    Source: Network trafficSuricata IDS: 2059037 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (chipdonkeruz .shop) : 192.168.2.4:65240 -> 1.1.1.1:53
    Source: Network trafficSuricata IDS: 2059049 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (robinsharez .shop) : 192.168.2.4:60376 -> 1.1.1.1:53
    Source: Network trafficSuricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.4:49736 -> 104.102.49.254:443
    C2 URLs / IPs found in malware configuration
    Source: Malware configuration extractorURLs: chipdonkeruz.shop
    Source: Malware configuration extractorURLs: femalsabler.shop
    Source: Malware configuration extractorURLs: robinsharez.shop
    Source: Malware configuration extractorURLs: apporholis.shop
    Source: Malware configuration extractorURLs: soundtappysk.shop
    Source: Malware configuration extractorURLs: versersleep.shop
    Source: Malware configuration extractorURLs: handscreamny.shop
    Source: Malware configuration extractorURLs: crowdwarek.shop
    Source: Malware configuration extractorURLs: letterdrive.shop
    Source: Joe Sandbox ViewIP Address: 104.102.49.254 104.102.49.254
    Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
    Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49736 -> 104.102.49.254:443
    Source: global trafficHTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: global trafficHTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
    Source: BitLockerToGo.exe, 00000004.00000002.1967307584.0000000003359000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=077b4d55145316f83eb95845; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type25665Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveThu, 09 Jan 2025 17:25:10 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Controlv equals www.youtube.com (Youtube)
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
    Source: global trafficDNS traffic detected: DNS query: letterdrive.shop
    Source: global trafficDNS traffic detected: DNS query: soundtappysk.shop
    Source: global trafficDNS traffic detected: DNS query: femalsabler.shop
    Source: global trafficDNS traffic detected: DNS query: apporholis.shop
    Source: global trafficDNS traffic detected: DNS query: crowdwarek.shop
    Source: global trafficDNS traffic detected: DNS query: versersleep.shop
    Source: global trafficDNS traffic detected: DNS query: chipdonkeruz.shop
    Source: global trafficDNS traffic detected: DNS query: handscreamny.shop
    Source: global trafficDNS traffic detected: DNS query: robinsharez.shop
    Source: global trafficDNS traffic detected: DNS query: steamcommunity.com
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003359000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.1967307584.0000000003359000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://127.0.0.1:27060
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003319000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003319000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://store.steampowered.com/privacy_agreement/
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003319000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://store.steampowered.com/subscriber_agreement/
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.valvesoftware.com/legal.htm
    Source: BitLockerToGo.exe, 00000004.00000002.1967307584.0000000003359000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.steampowered.com/
    Source: BitLockerToGo.exe, 00000004.00000003.1966491312.0000000003322000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.1967219914.0000000003322000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003322000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://apporholis.shop/api
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003359000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.1967307584.0000000003359000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://broadcast.st.dl.eccdnx.com
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003359000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.1967307584.0000000003359000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
    Source: BitLockerToGo.exe, 00000004.00000002.1967307584.0000000003359000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://checkout.steampowered.com/
    Source: BitLockerToGo.exe, 00000004.00000003.1966491312.0000000003322000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.1967219914.0000000003322000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003322000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chipdonkeruz.shop/api#
    Source: BitLockerToGo.exe, 00000004.00000002.1967307584.0000000003359000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003319000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=SCXpgixTDzt4&a
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/fatalerror.css?v=OFUqlcDNiD6y&l=engli
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003319000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003319000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003319000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=M_FULq_A
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003319000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=aep8
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=Eq36AUaEgab8&l=en
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
    Source: BitLockerToGo.exe, 00000004.00000003.1966491312.0000000003322000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.1967219914.0000000003322000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003322000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://crowdwarek.shop/api
    Source: BitLockerToGo.exe, 00000004.00000003.1966491312.0000000003322000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.1967219914.0000000003322000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003322000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://femalsabler.shop/api
    Source: BitLockerToGo.exe, 00000004.00000003.1966491312.0000000003322000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.1967219914.0000000003322000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003322000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://handscreamny.shop/apiS
    Source: BitLockerToGo.exe, 00000004.00000002.1967307584.0000000003359000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.steampowered.com/
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.steampowered.com/en/
    Source: BitLockerToGo.exe, 00000004.00000003.1966491312.0000000003322000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.1967219914.0000000003322000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003322000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://letterdrive.shop/api
    Source: BitLockerToGo.exe, 00000004.00000002.1967307584.0000000003359000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.steampowered.com/
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003359000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.1967307584.0000000003359000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lv.queniujq.cn
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003359000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.1967307584.0000000003359000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://medal.tv
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003359000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.1967307584.0000000003359000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://player.vimeo.com
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003359000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.1967307584.0000000003359000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://recaptcha.net
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003359000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.1967307584.0000000003359000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://recaptcha.net/recaptcha/;
    Source: BitLockerToGo.exe, 00000004.00000003.1966491312.0000000003322000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.1967219914.0000000003322000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003322000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://robinsharez.shop/api
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003359000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.1967307584.0000000003359000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://s.ytimg.com;
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003359000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.1967307584.0000000003359000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sketchfab.com
    Source: BitLockerToGo.exe, 00000004.00000003.1966491312.0000000003322000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.1967219914.0000000003322000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003322000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://soundtappysk.shop/api3
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003359000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.1967307584.0000000003359000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steam.tv/
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003359000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.1967307584.0000000003359000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcast-test.akamaized.net
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003359000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.1967307584.0000000003359000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcast.akamaized.net
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003359000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.1967307584.0000000003359000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcastchat.akamaized.net
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003319000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com
    Source: BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003359000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.1967307584.0000000003359000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
    Source: BitLockerToGo.exe, 00000004.00000003.1966491312.0000000003322000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.1967219914.0000000003322000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003322000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/c
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/discussions/
    Source: BitLockerToGo.exe, 00000004.00000003.1966491312.0000000003322000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.1967219914.0000000003322000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003322000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/h4H
    Source: BitLockerToGo.exe, 00000004.00000003.1966491312.0000000003322000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.1967219914.0000000003322000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003322000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/k
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003319000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
    Source: BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/market/
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/my/wishlist/
    Source: BitLockerToGo.exe, 00000004.00000003.1966491312.0000000003322000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.1967219914.0000000003322000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003322000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
    Source: BitLockerToGo.exe, 00000004.00000003.1966195682.000000000333A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966372647.0000000003344000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.1967307584.0000000003345000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900&
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/workshop/
    Source: BitLockerToGo.exe, 00000004.00000002.1967307584.0000000003359000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003359000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.1967307584.0000000003359000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/;
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb
    Source: BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/about/
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/explore/
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003319000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/legal/
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/mobile
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/news/
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/points/shop
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/points/shop/
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/privacy_agreement/
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/stats/
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/steam_refunds/
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/subscriber_agreement/
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003359000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.1967307584.0000000003359000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
    Source: BitLockerToGo.exe, 00000004.00000002.1967307584.0000000003359000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/recaptcha/
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003359000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.1967307584.0000000003359000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.cn/recaptcha/
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003359000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.1967307584.0000000003359000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/recaptcha/
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003319000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003359000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.1967307584.0000000003359000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com
    Source: BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003359000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.1967307584.0000000003359000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/
    Source: unknownNetwork traffic detected: HTTP traffic on port 49736 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49736
    Source: unknownHTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49736 version: TLS 1.2
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_004367F0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,4_2_004367F0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_004367F0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,4_2_004367F0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_00436980 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,StretchBlt,ReleaseDC,DeleteObject,DeleteObject,4_2_00436980

    System Summary

    barindex
    Initial sample is a PE file and has a suspicious name
    Source: initial sampleStatic PE information: Filename: Invoice.exe
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_004088804_2_00408880
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_0040B2B04_2_0040B2B0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_004198404_2_00419840
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_004068504_2_00406850
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_004278604_2_00427860
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_004270704_2_00427070
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_0043B8704_2_0043B870
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_0043080E4_2_0043080E
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_0043F8204_2_0043F820
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_0041D0C04_2_0041D0C0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_004418A04_2_004418A0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_0041194F4_2_0041194F
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_0043F1504_2_0043F150
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_0042B1704_2_0042B170
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_004039004_2_00403900
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_004251004_2_00425100
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_004399234_2_00439923
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_004271334_2_00427133
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_004339304_2_00433930
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_004121DB4_2_004121DB
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_0042A9F74_2_0042A9F7
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_0040E9B04_2_0040E9B0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_0041825B4_2_0041825B
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_0042EA624_2_0042EA62
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_0040CA624_2_0040CA62
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_00442A604_2_00442A60
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_0041DAD04_2_0041DAD0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_00429ADE4_2_00429ADE
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_00425AF04_2_00425AF0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_004092A04_2_004092A0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_00405AB04_2_00405AB0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_004042B04_2_004042B0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_0043CB404_2_0043CB40
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_0042EB5F4_2_0042EB5F
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_004083604_2_00408360
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_00428B674_2_00428B67
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_00437B694_2_00437B69
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_00402B204_2_00402B20
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_00441B204_2_00441B20
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_00432B244_2_00432B24
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_004063C04_2_004063C0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_0042DBF04_2_0042DBF0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_004223804_2_00422380
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_0041BBA04_2_0041BBA0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_0042BBA04_2_0042BBA0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_0042EBA14_2_0042EBA1
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_0042EBB34_2_0042EBB3
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_00441BB04_2_00441BB0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_00441C404_2_00441C40
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_004424704_2_00442470
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_00426C764_2_00426C76
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_0041D4004_2_0041D400
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_0041C4004_2_0041C400
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_004174054_2_00417405
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_00414C204_2_00414C20
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_004324264_2_00432426
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_004284374_2_00428437
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_0043443D4_2_0043443D
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_004354C44_2_004354C4
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_00434CEF4_2_00434CEF
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_0043A4EF4_2_0043A4EF
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_004374AB4_2_004374AB
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_0041DCB04_2_0041DCB0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_0043ACB04_2_0043ACB0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_0042FCBC4_2_0042FCBC
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_0040D5454_2_0040D545
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_00425D6A4_2_00425D6A
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_00435D134_2_00435D13
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_00442D204_2_00442D20
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_0043CD274_2_0043CD27
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_00404DC04_2_00404DC0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_00420D904_2_00420D90
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_0043C5A04_2_0043C5A0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_00421E704_2_00421E70
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_004366104_2_00436610
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_004076204_2_00407620
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_0040AE304_2_0040AE30
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_0041F6D04_2_0041F6D0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_00416ED04_2_00416ED0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_0041BEE14_2_0041BEE1
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_00402EF04_2_00402EF0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_004186FC4_2_004186FC
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_00423EFF4_2_00423EFF
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_00431E8E4_2_00431E8E
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_0041A6904_2_0041A690
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_004157204_2_00415720
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_0041AF244_2_0041AF24
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_00427F304_2_00427F30
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_0040DFE24_2_0040DFE2
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_004257E04_2_004257E0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_00429FE44_2_00429FE4
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_0040CFEC4_2_0040CFEC
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_004097904_2_00409790
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_004427B04_2_004427B0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_00441FB04_2_00441FB0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: String function: 00414C10 appears 116 times
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: String function: 00408170 appears 45 times
    Source: Invoice.exe, 00000000.00000002.1954108958.000000000A231000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs Invoice.exe
    Source: Invoice.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED
    Source: Invoice.exeBinary string: SA Eastern Standard TimeSA Pacific Standard TimeSA Western Standard TimeSafeArrayAllocDescriptorSetConsoleCursorPositionSetDefaultDllDirectoriesSetupDiCreateDeviceInfoWSetupDiGetSelectedDeviceSetupDiSetSelectedDeviceUS Eastern Standard TimeUnRegisterTypeLibForUserVariantTimeToDosDateTimeWSAAsyncGetProtoByNumberWSAWaitForMultipleEventsWindows boot application\Device\NamedPipe\cygwinbad defer entry in panicbypassed recovery failedcan't scan our own stackcertificate unobtainableconnection reset by peerdouble traceGCSweepStarterror decrypting messageexec: Stdout already setflate: maxBits too largefloating point exceptionframe_headers_prio_shortfunction not implementedgcDrainN phase incorrecthash of unhashable type http2: canceling requestidna: disallowed rune %Uinvalid argument to Intnlevel 2 not synchronizedlink number out of rangenot supported by windowsout of streams resourcespageAlloc: out of memoryqueuefinalizer during GCrange partially overlapsreflect.Value.SetComplexresource length too longrunqsteal: runq overflowruntime: VirtualFree of runtime: found obj at *(runtime: markroot index runtime: p.searchAddr = span has no free objectsstack trace unavailable
    Source: Invoice.exeBinary string: Nyiakeng_Puachue_HmongOleCreatePropertyFramePakistan Standard TimeParaguay Standard TimePower PC little endianRegisterTypeLibForUserRtlDeleteFunctionTableRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSao Tome Standard TimeSetupDiEnumDriverInfoWSetupDiGetClassDevsExWTasmania Standard TimeWSAAsyncGetProtoByNameWSAGetOverlappedResultWSALookupServiceBeginAWSALookupServiceBeginWWSCWriteNameSpaceOrderWaitForMultipleObjectsWrong unwind opcode %d\Device\NamedPipe\msysaddress already in useadvapi32.dll not foundargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbody closed by handlercannot allocate memorycompileCallabck: type driver: bad connectionduplicated defer entryerror decoding messageerror parsing regexp: frame_data_pad_too_bigfreeIndex is not validgetenv before env initgzip: invalid checksumheadTailIndex overflowhpack: string too longhttp2: frame too largeidna: invalid label %qinappropriate fallbackinteger divide by zerointerface conversion: internal inconsistencyinvalid address familyinvalid number base %dkernel32.dll not foundminpc or maxpc invalidmissing ']' in addressnetwork is unreachablenon-Go function at pc=oldoverflow is not niloperation was canceledoverflowing coordinateprotocol not availableprotocol not supportedreadlink not supportedreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemsscanstack - bad statussend on closed channelskipping Question Nameskipping Question Typespan has no free spacestack not a power of 2trace reader (blocked)trace: alloc too largeunexpected method stepwirep: invalid p statewrite on closed bufferx509: malformed issuerzero length BIT STRINGzlib: invalid checksum) must be a power of 2
    Source: Invoice.exeBinary string: frame_goaway_has_streamframe_headers_pad_shortframe_rststream_bad_lengarbage collection scangcDrain phase incorrecthttp2: handler panickedhttp: request too largeindex out of range [%x]interrupted system callinvalid PrintableStringinvalid URI for requestinvalid escape sequenceinvalid m->lockedInt = invalid scalar encodingleft over markroot jobsmakechan: bad alignmentmissing port in addressmissing protocol schememissing type in runfinqnanotime returning zeronet/http: abort Handlerno application protocolno space left on deviceoperation not permittedoperation not supportedpanic during preemptoffprocresize: invalid argreflect.Value.Interfacereflect.Value.NumMethodreflect.methodValueCallreflectlite.Value.IsNilruntime: internal errorruntime: netpoll failedruntime: s.allocCount= s.allocCount > s.nelemsschedule: holding lockssegment length too longshrinkstack at bad timeskipping Question Classspan has no free stacksstack growth after forksyntax error in patternsystem huge page size (text/css; charset=utf-8text/xml; charset=utf-8time: invalid duration too many pointers (>10)truncated tag or lengthunexpected address typeunexpected end of inputunknown error code 0x%xunpacking Question.Nameunpacking Question.Typeunsupported certificatevarint integer overflowwork.nwait > work.nprocx509: invalid key usagex509: malformed UTCTimex509: malformed version116415321826934814453125582076609134674072265625AllocateAndInitializeSidAssignProcessToJobObjectAzerbaijan Standard TimeBangladesh Standard TimeBuildSecurityDescriptorWCape Verde Standard TimeCertFreeCertificateChainCreateToolhelp32SnapshotDosDateTimeToVariantTimeGenerateConsoleCtrlEventGetMaximumProcessorCountGetNamedPipeHandleStateWGetSystemTimeAsFileTimeGetUnicastIpAddressEntryGetUserProfileDirectoryWGetWindowThreadProcessIdMagallanes Standard TimeMontevideo Standard TimeNorth Asia Standard TimeNtQuerySystemInformationOleCreatePictureIndirectPacific SA Standard TimeQueryPerformanceCounterSA Eastern Standard TimeSA Pacific Standard TimeSA Western Standard TimeSafeArrayAllocDescriptorSetConsoleCursorPositionSetDefaultDllDirectoriesSetupDiCreateDeviceInfoWSetupDiGetSelectedDeviceSetupDiSetSelectedDeviceUS Eastern Standard TimeUnRegisterTypeLibForUserVariantTimeToDosDateTimeWSAAsyncGetProtoByNumberWSAWaitForMultipleEventsWindows boot application\Device\NamedPipe\cygwinbad defer entry in panicbypassed recovery failedcan't scan our own stackcertificate unobtainableconnection reset by peerdouble traceGCSweepStarterror decrypting messageexec: Stdout already setflate: maxBits too largefloating point exceptionframe_headers_prio_shortfunction not implementedgcDrainN phase incorrecthash of unhashable type http2: canceling requestidna: disallowed rune %Uinvalid argument to Intnlevel 2 not synchronizedlink number out of rangenot supported by windowsout of streams resourcespageAlloc: out of memoryqueuefinalizer during GCrange partially overlapsreflect.Value.SetComplexresource length too longrunqsteal: runq overflowruntime: Virt
    Source: classification engineClassification label: mal100.troj.evad.winEXE@3/0@10/1
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_0043B870 RtlExpandEnvironmentStrings,CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,4_2_0043B870
    Source: Invoice.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\Invoice.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: Invoice.exeReversingLabs: Detection: 15%
    Source: Invoice.exeString found in binary or memory: net/addrselect.go
    Source: Invoice.exeString found in binary or memory: github.com/saferwall/pe@v1.5.6/loadconfig.go
    Source: unknownProcess created: C:\Users\user\Desktop\Invoice.exe "C:\Users\user\Desktop\Invoice.exe"
    Source: C:\Users\user\Desktop\Invoice.exeProcess created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
    Source: C:\Users\user\Desktop\Invoice.exeProcess created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"Jump to behavior
    Source: C:\Users\user\Desktop\Invoice.exeSection loaded: apphelp.dllJump to behavior
    Source: C:\Users\user\Desktop\Invoice.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Users\user\Desktop\Invoice.exeSection loaded: winmm.dllJump to behavior
    Source: C:\Users\user\Desktop\Invoice.exeSection loaded: powrprof.dllJump to behavior
    Source: C:\Users\user\Desktop\Invoice.exeSection loaded: umpdc.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: winhttp.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: webio.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: mswsock.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: winnsi.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: dnsapi.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: rasadhlp.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: fwpuclnt.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: schannel.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: mskeyprotect.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ntasn1.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ncrypt.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ncryptsslp.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: cryptsp.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: rsaenh.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: gpapi.dllJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: dpapi.dllJump to behavior
    Source: Invoice.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
    Source: Invoice.exeStatic file information: File size 5511680 > 1048576
    Source: Invoice.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x248e00
    Source: Invoice.exeStatic PE information: Raw size of .rdata is bigger than: 0x100000 < 0x24e400
    Source: Invoice.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Source: Binary string: BitLockerToGo.pdb source: Invoice.exe, 00000000.00000002.1954108958.000000000A231000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: BitLockerToGo.pdbGCTL source: Invoice.exe, 00000000.00000002.1954108958.000000000A231000.00000004.00001000.00020000.00000000.sdmp
    Source: Invoice.exeStatic PE information: section name: .symtab
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_00441850 push eax; mov dword ptr [esp], 0E0908DBh4_2_00441853

    Hooking and other Techniques for Hiding and Protection

    barindex
    Icon mismatch, binary includes an icon from a different legit application in order to fool users
    Source: initial sampleIcon embedded in binary file: icon matches a legit application icon: download (144).png
    Source: C:\Users\user\Desktop\Invoice.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\Invoice.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 7780Thread sleep time: -30000s >= -30000sJump to behavior
    Source: BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003359000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966491312.0000000003311000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.1967307584.0000000003359000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.1967146058.0000000003311000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
    Source: Invoice.exe, 00000000.00000002.1952922347.000000000140E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_004402C0 LdrInitializeThunk,4_2_004402C0

    HIPS / PFW / Operating System Protection Evasion

    barindex
    Allocates memory in foreign processes
    Source: C:\Users\user\Desktop\Invoice.exeMemory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 protect: page execute and read and writeJump to behavior
    Injects a PE file into a foreign processes
    Source: C:\Users\user\Desktop\Invoice.exeMemory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 value starts with: 4D5AJump to behavior
    LummaC encrypted strings found
    Source: Invoice.exe, 00000000.00000003.1858441894.000000000A444000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: robinsharez.shop
    Source: Invoice.exe, 00000000.00000003.1858441894.000000000A444000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: handscreamny.shop
    Source: Invoice.exe, 00000000.00000003.1858441894.000000000A444000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: chipdonkeruz.shop
    Source: Invoice.exe, 00000000.00000003.1858441894.000000000A444000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: versersleep.shop
    Source: Invoice.exe, 00000000.00000003.1858441894.000000000A444000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: crowdwarek.shop
    Source: Invoice.exe, 00000000.00000003.1858441894.000000000A444000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: apporholis.shop
    Source: Invoice.exe, 00000000.00000003.1858441894.000000000A444000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: femalsabler.shop
    Source: Invoice.exe, 00000000.00000003.1858441894.000000000A444000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: soundtappysk.shop
    Source: Invoice.exe, 00000000.00000003.1858441894.000000000A444000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: letterdrive.shop
    Writes to foreign memory regions
    Source: C:\Users\user\Desktop\Invoice.exeMemory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2FE1008Jump to behavior
    Source: C:\Users\user\Desktop\Invoice.exeMemory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000Jump to behavior
    Source: C:\Users\user\Desktop\Invoice.exeMemory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 401000Jump to behavior
    Source: C:\Users\user\Desktop\Invoice.exeMemory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 444000Jump to behavior
    Source: C:\Users\user\Desktop\Invoice.exeMemory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 447000Jump to behavior
    Source: C:\Users\user\Desktop\Invoice.exeMemory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 455000Jump to behavior
    Source: C:\Users\user\Desktop\Invoice.exeProcess created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"Jump to behavior
    Source: C:\Users\user\Desktop\Invoice.exeQueries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Invoice.exeQueries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformationJump to behavior
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

    Stealing of Sensitive Information

    barindex
    Yara detected LummaC Stealer
    Source: Yara matchFile source: decrypted.memstr, type: MEMORYSTR

    Remote Access Functionality

    barindex
    Yara detected LummaC Stealer
    Source: Yara matchFile source: decrypted.memstr, type: MEMORYSTR

    Mitre Att&ck Matrix

    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
    Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
    Command and Scripting Interpreter    		1
    DLL Side-Loading    		311
    Process Injection    		1
    Masquerading    		OS Credential Dumping1
    Security Software Discovery    		Remote Services1
    Screen Capture    		11
    Encrypted Channel    		Exfiltration Over Other Network MediumAbuse Accessibility Features
    CredentialsDomainsDefault Accounts1
    PowerShell    		Boot or Logon Initialization Scripts1
    DLL Side-Loading    		1
    Virtualization/Sandbox Evasion    		LSASS Memory1
    Virtualization/Sandbox Evasion    		Remote Desktop Protocol1
    Archive Collected Data    		1
    Ingress Tool Transfer    		Exfiltration Over BluetoothNetwork Denial of Service
    Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)311
    Process Injection    		Security Account Manager12
    System Information Discovery    		SMB/Windows Admin Shares2
    Clipboard Data    		2
    Non-Application Layer Protocol    		Automated ExfiltrationData Encrypted for Impact
    Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook11
    Deobfuscate/Decode Files or Information    		NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput Capture113
    Application Layer Protocol    		Traffic DuplicationData Destruction
    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script3
    Obfuscated Files or Information    		LSA SecretsInternet Connection DiscoverySSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
    DLL Side-Loading    		Cached Domain CredentialsWi-Fi DiscoveryVNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


    windows-stand

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    SourceDetectionScannerLabelLink
    Invoice.exe16%ReversingLabs
    Invoice.exe100%Joe Sandbox ML

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    SourceDetectionScannerLabelLink
    https://apporholis.shop/api100%Avira URL Cloudmalware
    https://crowdwarek.shop/api100%Avira URL Cloudmalware
    https://handscreamny.shop/apiS100%Avira URL Cloudmalware
    letterdrive.shop100%Avira URL Cloudmalware
    https://femalsabler.shop/api100%Avira URL Cloudmalware
    https://letterdrive.shop/api100%Avira URL Cloudmalware
    https://robinsharez.shop/api100%Avira URL Cloudmalware
    https://soundtappysk.shop/api3100%Avira URL Cloudmalware
    https://chipdonkeruz.shop/api#100%Avira URL Cloudmalware

    Domains and IPs

    Contacted Domains

    NameIPActiveMaliciousAntivirus DetectionReputation
    steamcommunity.com
    		104.102.49.254
    		truefalse
      		high
      letterdrive.shop
      		unknown
      		unknowntrue
        		unknown
        femalsabler.shop
        		unknown
        		unknowntrue
          		unknown
          robinsharez.shop
          		unknown
          		unknowntrue
            		unknown
            soundtappysk.shop
            		unknown
            		unknowntrue
              		unknown
              crowdwarek.shop
              		unknown
              		unknowntrue
                		unknown
                versersleep.shop
                		unknown
                		unknowntrue
                  		unknown
                  chipdonkeruz.shop
                  		unknown
                  		unknowntrue
                    		unknown
                    apporholis.shop
                    		unknown
                    		unknowntrue
                      		unknown
                      handscreamny.shop
                      		unknown
                      		unknowntrue
                        		unknown

                        Contacted URLs

                        NameMaliciousAntivirus DetectionReputation
                        robinsharez.shopfalse
                          		high
                          versersleep.shopfalse
                            		high
                            crowdwarek.shopfalse
                              		high
                              letterdrive.shoptrue
                              • Avira URL Cloud: malware
                              		unknown
                              femalsabler.shopfalse
                                		high
                                https://steamcommunity.com/profiles/76561199724331900false
                                  		high
                                  soundtappysk.shopfalse
                                    		high
                                    apporholis.shopfalse
                                      		high
                                      handscreamny.shopfalse
                                        		high
                                        chipdonkeruz.shopfalse
                                          		high

                                          URLs from Memory and Binaries

                                          NameSourceMaliciousAntivirus DetectionReputation
                                          https://steamcommunity.com/my/wishlist/BitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpfalse
                                            		high
                                            https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.pngBitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpfalse
                                              		high
                                              https://player.vimeo.comBitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003359000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.1967307584.0000000003359000.00000004.00000020.00020000.00000000.sdmpfalse
                                                		high
                                                https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&amp;BitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  		high
                                                  https://steamcommunity.com/?subsection=broadcastsBitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    		high
                                                    https://help.steampowered.com/en/BitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      		high
                                                      https://steamcommunity.com/market/BitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        		high
                                                        https://store.steampowered.com/news/BitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          		high
                                                          https://steamcommunity.com/profiles/76561199724331900&BitLockerToGo.exe, 00000004.00000003.1966195682.000000000333A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966372647.0000000003344000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.1967307584.0000000003345000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            		high
                                                            https://store.steampowered.com/subscriber_agreement/BitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              		high
                                                              https://www.gstatic.cn/recaptcha/BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003359000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.1967307584.0000000003359000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                		high
                                                                http://store.steampowered.com/subscriber_agreement/BitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003319000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  		high
                                                                  https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.orgBitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003319000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    		high
                                                                    https://recaptcha.net/recaptcha/;BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003359000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.1967307584.0000000003359000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      		high
                                                                      https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=Eq36AUaEgab8&amp;l=enBitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        		high
                                                                        https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=aep8BitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003319000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          		high
                                                                          http://www.valvesoftware.com/legal.htmBitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            		high
                                                                            https://steamcommunity.com/discussions/BitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              		high
                                                                              https://www.youtube.comBitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003359000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.1967307584.0000000003359000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                		high
                                                                                https://www.google.comBitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003359000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.1967307584.0000000003359000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  		high
                                                                                  https://store.steampowered.com/stats/BitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    		high
                                                                                    https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&amBitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      		high
                                                                                      https://medal.tvBitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003359000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.1967307584.0000000003359000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        		high
                                                                                        https://broadcast.st.dl.eccdnx.comBitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003359000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.1967307584.0000000003359000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          		high
                                                                                          https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.pngBitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            		high
                                                                                            https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&amp;l=english&aBitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              		high
                                                                                              https://store.steampowered.com/steam_refunds/BitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                		high
                                                                                                https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20FeedbackBitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003319000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  		high
                                                                                                  https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    		high
                                                                                                    https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6BitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003319000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      		high
                                                                                                      https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016BitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        		high
                                                                                                        https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003359000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.1967307584.0000000003359000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          		high
                                                                                                          https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&amp;l=englBitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            		high
                                                                                                            https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbCBitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              		high
                                                                                                              https://s.ytimg.com;BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003359000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.1967307584.0000000003359000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                		high
                                                                                                                https://steamcommunity.com/workshop/BitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  		high
                                                                                                                  https://apporholis.shop/apiBitLockerToGo.exe, 00000004.00000003.1966491312.0000000003322000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.1967219914.0000000003322000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003322000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  • Avira URL Cloud: malware
                                                                                                                  		unknown
                                                                                                                  https://login.steampowered.com/BitLockerToGo.exe, 00000004.00000002.1967307584.0000000003359000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    		high
                                                                                                                    https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbbBitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      		high
                                                                                                                      https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&amp;l=english&amp;_cBitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        		high
                                                                                                                        https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1BitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003319000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                          		high
                                                                                                                          https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&amp;l=english&BitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            		high
                                                                                                                            https://store.steampowered.com/legal/BitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003319000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              		high
                                                                                                                              https://chipdonkeruz.shop/api#BitLockerToGo.exe, 00000004.00000003.1966491312.0000000003322000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.1967219914.0000000003322000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003322000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              • Avira URL Cloud: malware
                                                                                                                              		unknown
                                                                                                                              https://community.fastly.steamstatic.com/BitLockerToGo.exe, 00000004.00000002.1967307584.0000000003359000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                		high
                                                                                                                                https://community.fastly.steamstatic.com/public/css/skin_1/fatalerror.css?v=OFUqlcDNiD6y&amp;l=engliBitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  		high
                                                                                                                                  https://steam.tv/BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003359000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.1967307584.0000000003359000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    		high
                                                                                                                                    https://handscreamny.shop/apiSBitLockerToGo.exe, 00000004.00000003.1966491312.0000000003322000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.1967219914.0000000003322000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003322000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    • Avira URL Cloud: malware
                                                                                                                                    		unknown
                                                                                                                                    https://robinsharez.shop/apiBitLockerToGo.exe, 00000004.00000003.1966491312.0000000003322000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.1967219914.0000000003322000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003322000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    • Avira URL Cloud: malware
                                                                                                                                    		unknown
                                                                                                                                    https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&amp;l=enBitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      		high
                                                                                                                                      https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&amp;l=engBitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                        		high
                                                                                                                                        http://store.steampowered.com/privacy_agreement/BitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003319000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                          		high
                                                                                                                                          https://soundtappysk.shop/api3BitLockerToGo.exe, 00000004.00000003.1966491312.0000000003322000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.1967219914.0000000003322000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003322000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                          • Avira URL Cloud: malware
                                                                                                                                          		unknown
                                                                                                                                          https://steamcommunity.com/kBitLockerToGo.exe, 00000004.00000003.1966491312.0000000003322000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.1967219914.0000000003322000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003322000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            		high
                                                                                                                                            https://store.steampowered.com/points/shop/BitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                              		high
                                                                                                                                              https://letterdrive.shop/apiBitLockerToGo.exe, 00000004.00000003.1966491312.0000000003322000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.1967219914.0000000003322000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003322000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                              • Avira URL Cloud: malware
                                                                                                                                              		unknown
                                                                                                                                              https://recaptcha.netBitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003359000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.1967307584.0000000003359000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                		high
                                                                                                                                                https://store.steampowered.com/BitLockerToGo.exe, 00000004.00000002.1967307584.0000000003359000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                  		high
                                                                                                                                                  https://crowdwarek.shop/apiBitLockerToGo.exe, 00000004.00000003.1966491312.0000000003322000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.1967219914.0000000003322000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003322000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                  • Avira URL Cloud: malware
                                                                                                                                                  		unknown
                                                                                                                                                  https://femalsabler.shop/apiBitLockerToGo.exe, 00000004.00000003.1966491312.0000000003322000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.1967219914.0000000003322000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003322000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                  • Avira URL Cloud: malware
                                                                                                                                                  		unknown
                                                                                                                                                  https://steamcommunity.com/cBitLockerToGo.exe, 00000004.00000003.1966491312.0000000003322000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.1967219914.0000000003322000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003322000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                    		high
                                                                                                                                                    https://steamcommunity.comBitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003319000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                      		high
                                                                                                                                                      https://sketchfab.comBitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003359000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.1967307584.0000000003359000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                        		high
                                                                                                                                                        https://lv.queniujq.cnBitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003359000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.1967307584.0000000003359000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                          		high
                                                                                                                                                          https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.pngBitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                            		high
                                                                                                                                                            https://www.youtube.com/BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003359000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.1967307584.0000000003359000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                              		high
                                                                                                                                                              http://127.0.0.1:27060BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003359000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.1967307584.0000000003359000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                		high
                                                                                                                                                                https://store.steampowered.com/privacy_agreement/BitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                  		high
                                                                                                                                                                  https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=M_FULq_ABitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003319000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                    		high
                                                                                                                                                                    https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQBitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                      		high
                                                                                                                                                                      https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&amp;l=english&amBitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                        		high
                                                                                                                                                                        https://www.google.com/recaptcha/BitLockerToGo.exe, 00000004.00000002.1967307584.0000000003359000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                          		high
                                                                                                                                                                          https://checkout.steampowered.com/BitLockerToGo.exe, 00000004.00000002.1967307584.0000000003359000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                            		high
                                                                                                                                                                            https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&ampBitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                              		high
                                                                                                                                                                              https://help.steampowered.com/BitLockerToGo.exe, 00000004.00000002.1967307584.0000000003359000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                		high
                                                                                                                                                                                https://api.steampowered.com/BitLockerToGo.exe, 00000004.00000002.1967307584.0000000003359000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                  		high
                                                                                                                                                                                  https://store.steampowered.com/points/shopBitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                    		high
                                                                                                                                                                                    http://store.steampowered.com/account/cookiepreferences/BitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003319000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                      		high
                                                                                                                                                                                      https://store.steampowered.com/mobileBitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                        		high
                                                                                                                                                                                        https://steamcommunity.com/BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003359000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.1967307584.0000000003359000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                          		high
                                                                                                                                                                                          https://store.steampowered.com/;BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003359000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.1967307584.0000000003359000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                            		high
                                                                                                                                                                                            https://steamcommunity.com/h4HBitLockerToGo.exe, 00000004.00000003.1966491312.0000000003322000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.1967219914.0000000003322000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966195682.0000000003322000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                              		high
                                                                                                                                                                                              https://store.steampowered.com/about/BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                		high
                                                                                                                                                                                                https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&amp;lBitLockerToGo.exe, 00000004.00000003.1966044764.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966044764.000000000339C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1966171720.00000000033A4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                  		high

                                                                                                                                                                                                  World Map of Contacted IPs

                                                                                                                                                                                                  • No. of IPs < 25%
                                                                                                                                                                                                  • 25% < No. of IPs < 50%
                                                                                                                                                                                                  • 50% < No. of IPs < 75%
                                                                                                                                                                                                  • 75% < No. of IPs

                                                                                                                                                                                                  Public IPs

                                                                                                                                                                                                  IPDomainCountryFlagASNASN NameMalicious
                                                                                                                                                                                                  104.102.49.254
                                                                                                                                                                                                  		steamcommunity.comUnited States
                                                                                                                                                                                                  		16625AKAMAI-ASUSfalse

                                                                                                                                                                                                  General Information

                                                                                                                                                                                                  Joe Sandbox version:42.0.0 Malachite
                                                                                                                                                                                                  Analysis ID:1586890
                                                                                                                                                                                                  Start date and time:2025-01-09 18:23:50 +01:00
                                                                                                                                                                                                  Joe Sandbox product:CloudBasic
                                                                                                                                                                                                  Overall analysis duration:0h 3m 33s
                                                                                                                                                                                                  Hypervisor based Inspection enabled:false
                                                                                                                                                                                                  Report type:full
                                                                                                                                                                                                  Cookbook file name:default.jbs
                                                                                                                                                                                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                                                                                                                  Number of analysed new started processes analysed:5
                                                                                                                                                                                                  Number of new started drivers analysed:0
                                                                                                                                                                                                  Number of existing processes analysed:0
                                                                                                                                                                                                  Number of existing drivers analysed:0
                                                                                                                                                                                                  Number of injected processes analysed:0
                                                                                                                                                                                                  Technologies:
                                                                                                                                                                                                  • HCA enabled
                                                                                                                                                                                                  • EGA enabled
                                                                                                                                                                                                  • AMSI enabled
                                                                                                                                                                                                  Analysis Mode:default
                                                                                                                                                                                                  Analysis stop reason:Timeout
                                                                                                                                                                                                  Sample name:Invoice.exe
                                                                                                                                                                                                  Detection:MAL
                                                                                                                                                                                                  Classification:mal100.troj.evad.winEXE@3/0@10/1
                                                                                                                                                                                                  EGA Information:
                                                                                                                                                                                                  • Successful, ratio: 50%
                                                                                                                                                                                                  HCA Information:
                                                                                                                                                                                                  • Successful, ratio: 85%
                                                                                                                                                                                                  • Number of executed functions: 9
                                                                                                                                                                                                  • Number of non-executed functions: 127
                                                                                                                                                                                                  Cookbook Comments:
                                                                                                                                                                                                  • Found application associated with file extension: .exe
                                                                                                                                                                                                  • Stop behavior analysis, all processes terminated

                                                                                                                                                                                                  Warnings

                                                                                                                                                                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
                                                                                                                                                                                                  • Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.45
                                                                                                                                                                                                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                                                                                                                                                  • Execution Graph export aborted for target Invoice.exe, PID 7408 because there are no executed function
                                                                                                                                                                                                  • Not all processes where analyzed, report is missing behavior information
                                                                                                                                                                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                                                                  • VT rate limit hit for: Invoice.exe

                                                                                                                                                                                                  Simulations

                                                                                                                                                                                                  Behavior and APIs

                                                                                                                                                                                                  TimeTypeDescription
                                                                                                                                                                                                  12:25:09API Interceptor2x Sleep call for process: BitLockerToGo.exe modified

                                                                                                                                                                                                  Joe Sandbox View / Context

                                                                                                                                                                                                  IPs

                                                                                                                                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                  104.102.49.254r4xiHKy8aM.exeGet hashmaliciousSocks5SystemzBrowse
                                                                                                                                                                                                  • /ISteamUser/GetFriendList/v1/?key=AE2AE4DBF33A541E83BC08989DB1F397&steamid=76561198400860497
                                                                                                                                                                                                  http://gtm-cn-j4g3qqvf603.steamproxy1.com/Get hashmaliciousUnknownBrowse
                                                                                                                                                                                                  • www.valvesoftware.com/legal.htm

                                                                                                                                                                                                  Domains

                                                                                                                                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                  steamcommunity.comNvOxePa.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                  • 104.102.49.254
                                                                                                                                                                                                  h3VYJaQqI9.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                                                                                                                  • 104.102.49.254
                                                                                                                                                                                                  P2V7Mr3DUF.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                  • 104.102.49.254
                                                                                                                                                                                                  v3tb7mqP48.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                  • 104.102.49.254
                                                                                                                                                                                                  asd.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                  • 104.102.49.254
                                                                                                                                                                                                  [UPD]Intel_Unit.2.1.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                  • 104.102.49.254
                                                                                                                                                                                                  socolo.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                  • 104.102.49.254
                                                                                                                                                                                                  Installer.exeGet hashmaliciousLummaC, PureLog StealerBrowse
                                                                                                                                                                                                  • 104.102.49.254
                                                                                                                                                                                                  Setup.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                  • 104.102.49.254
                                                                                                                                                                                                  BnJxmraqlk.exeGet hashmaliciousLummaC, PrivateLoaderBrowse
                                                                                                                                                                                                  • 104.102.49.254

                                                                                                                                                                                                  ASNs

                                                                                                                                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                  AKAMAI-ASUSFantazy.i486.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                  • 104.73.204.147
                                                                                                                                                                                                  sora.arm.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                  • 96.26.27.34
                                                                                                                                                                                                  Benefit_401k_2025_Enrollment.pdfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                  • 96.17.64.171
                                                                                                                                                                                                  NvOxePa.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                  • 104.102.49.254
                                                                                                                                                                                                  h3VYJaQqI9.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                                                                                                                  • 104.102.49.254
                                                                                                                                                                                                  mpsl.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                  • 23.63.155.206
                                                                                                                                                                                                  m68k.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                  • 23.40.78.0
                                                                                                                                                                                                  arm.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                  • 23.218.112.97
                                                                                                                                                                                                  arm7.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                  • 23.204.246.84
                                                                                                                                                                                                  ppc.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                  • 23.13.196.167

                                                                                                                                                                                                  JA3 Fingerprints

                                                                                                                                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                  a0e9f5d64349fb13191bc781f81f42e124EPV9vjc5.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                  • 104.102.49.254
                                                                                                                                                                                                  kXzODlqJak.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                  • 104.102.49.254
                                                                                                                                                                                                  24EPV9vjc5.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                  • 104.102.49.254
                                                                                                                                                                                                  kXzODlqJak.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                  • 104.102.49.254
                                                                                                                                                                                                  cLm7ThwEvh.msiGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                  • 104.102.49.254
                                                                                                                                                                                                  digitalisierungskonzept_muster.jsGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                  • 104.102.49.254
                                                                                                                                                                                                  NvOxePa.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                  • 104.102.49.254
                                                                                                                                                                                                  digitalisierungskonzept_muster.jsGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                  • 104.102.49.254
                                                                                                                                                                                                  h3VYJaQqI9.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                                                                                                                  • 104.102.49.254

                                                                                                                                                                                                  Dropped Files

                                                                                                                                                                                                  No context

                                                                                                                                                                                                  Created / dropped Files

                                                                                                                                                                                                  No created / dropped files found

                                                                                                                                                                                                  Static File Info

                                                                                                                                                                                                  General

                                                                                                                                                                                                  File type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                                                                                                                  Entropy (8bit):6.434685218016752
                                                                                                                                                                                                  TrID:
                                                                                                                                                                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                                                                  File name:Invoice.exe
                                                                                                                                                                                                  File size:5'511'680 bytes
                                                                                                                                                                                                  MD5:cb7f2241397f38ea67c7b7404f3828cd
                                                                                                                                                                                                  SHA1:004bad94d8e44aff2dd938add52fedf23ddbffbd
                                                                                                                                                                                                  SHA256:697e9c2868457f2721b82f27620c0ff21e1529e1dc247a6fd0792c782196195e
                                                                                                                                                                                                  SHA512:f30ea62d5b5d9a4ab1f4aae41fe36c35d263feb69725f9c317cdbcaadd39215e50bebf17c27cb7a21afe26d28a35a5dac4b9a0a5d0a80d9b54c0891871f02ad7
                                                                                                                                                                                                  SSDEEP:49152:GY9DrmvnCCa5lDZDadwoOFakO0MuoSx8XcqCP0FHtY/iYULX7VzyI6bVIV1awl1x:GmDrmfba5lkwoARpMoqPBDzyK1awl/8
                                                                                                                                                                                                  TLSH:6D461881F9CB44F5D9071A704CA6B22F27306D098B29DF87EE20BF59E9736A1097361D
                                                                                                                                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.........P...............$..........F........I...@..........................0W.....4.T...@................................

                                                                                                                                                                                                  File Icon

                                                                                                                                                                                                  Icon Hash:22eeaca6b2cece71

                                                                                                                                                                                                  Static PE Info

                                                                                                                                                                                                  General

                                                                                                                                                                                                  Entrypoint:0x4646a0
                                                                                                                                                                                                  Entrypoint Section:.text
                                                                                                                                                                                                  Digitally signed:false
                                                                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                                                                  Subsystem:windows gui
                                                                                                                                                                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED
                                                                                                                                                                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                                                                                                                  Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
                                                                                                                                                                                                  TLS Callbacks:
                                                                                                                                                                                                  CLR (.Net) Version:
                                                                                                                                                                                                  OS Version Major:6
                                                                                                                                                                                                  OS Version Minor:1
                                                                                                                                                                                                  File Version Major:6
                                                                                                                                                                                                  File Version Minor:1
                                                                                                                                                                                                  Subsystem Version Major:6
                                                                                                                                                                                                  Subsystem Version Minor:1
                                                                                                                                                                                                  Import Hash:9cbefe68f395e67356e2a5d8d1b285c0

                                                                                                                                                                                                  Entrypoint Preview

                                                                                                                                                                                                  Instruction
                                                                                                                                                                                                  jmp 00007F91BD1F1690h
                                                                                                                                                                                                  int3
                                                                                                                                                                                                  int3
                                                                                                                                                                                                  int3
                                                                                                                                                                                                  int3
                                                                                                                                                                                                  int3
                                                                                                                                                                                                  int3
                                                                                                                                                                                                  int3
                                                                                                                                                                                                  int3
                                                                                                                                                                                                  int3
                                                                                                                                                                                                  int3
                                                                                                                                                                                                  int3
                                                                                                                                                                                                  mov ecx, dword ptr [esp+04h]
                                                                                                                                                                                                  sub esp, 28h
                                                                                                                                                                                                  mov dword ptr [esp+1Ch], ebx
                                                                                                                                                                                                  mov dword ptr [esp+10h], ebp
                                                                                                                                                                                                  mov dword ptr [esp+14h], esi
                                                                                                                                                                                                  mov dword ptr [esp+18h], edi
                                                                                                                                                                                                  mov esi, eax
                                                                                                                                                                                                  mov edx, dword ptr fs:[00000014h]
                                                                                                                                                                                                  cmp edx, 00000000h
                                                                                                                                                                                                  jne 00007F91BD1F39B9h
                                                                                                                                                                                                  mov eax, 00000000h
                                                                                                                                                                                                  jmp 00007F91BD1F3A16h
                                                                                                                                                                                                  mov edx, dword ptr [edx+00000000h]
                                                                                                                                                                                                  cmp edx, 00000000h
                                                                                                                                                                                                  jne 00007F91BD1F39B7h
                                                                                                                                                                                                  call 00007F91BD1F3AA9h
                                                                                                                                                                                                  mov dword ptr [esp+20h], edx
                                                                                                                                                                                                  mov dword ptr [esp+24h], esp
                                                                                                                                                                                                  mov ebx, dword ptr [edx+18h]
                                                                                                                                                                                                  mov ebx, dword ptr [ebx]
                                                                                                                                                                                                  cmp edx, ebx
                                                                                                                                                                                                  je 00007F91BD1F39CAh
                                                                                                                                                                                                  mov ebp, dword ptr fs:[00000014h]
                                                                                                                                                                                                  mov dword ptr [ebp+00000000h], ebx
                                                                                                                                                                                                  mov edi, dword ptr [ebx+1Ch]
                                                                                                                                                                                                  sub edi, 28h
                                                                                                                                                                                                  mov dword ptr [edi+24h], esp
                                                                                                                                                                                                  mov esp, edi
                                                                                                                                                                                                  mov ebx, dword ptr [ecx]
                                                                                                                                                                                                  mov ecx, dword ptr [ecx+04h]
                                                                                                                                                                                                  mov dword ptr [esp], ebx
                                                                                                                                                                                                  mov dword ptr [esp+04h], ecx
                                                                                                                                                                                                  mov dword ptr [esp+08h], edx
                                                                                                                                                                                                  call esi
                                                                                                                                                                                                  mov eax, dword ptr [esp+0Ch]
                                                                                                                                                                                                  mov esp, dword ptr [esp+24h]
                                                                                                                                                                                                  mov edx, dword ptr [esp+20h]
                                                                                                                                                                                                  mov ebp, dword ptr fs:[00000014h]
                                                                                                                                                                                                  mov dword ptr [ebp+00000000h], edx
                                                                                                                                                                                                  mov edi, dword ptr [esp+18h]
                                                                                                                                                                                                  mov esi, dword ptr [esp+14h]
                                                                                                                                                                                                  mov ebp, dword ptr [esp+10h]
                                                                                                                                                                                                  mov ebx, dword ptr [esp+1Ch]
                                                                                                                                                                                                  add esp, 28h
                                                                                                                                                                                                  retn 0004h
                                                                                                                                                                                                  ret
                                                                                                                                                                                                  int3
                                                                                                                                                                                                  int3
                                                                                                                                                                                                  int3
                                                                                                                                                                                                  int3
                                                                                                                                                                                                  int3
                                                                                                                                                                                                  int3
                                                                                                                                                                                                  int3
                                                                                                                                                                                                  int3
                                                                                                                                                                                                  int3
                                                                                                                                                                                                  mov ecx, dword ptr [esp+04h]
                                                                                                                                                                                                  mov edx, dword ptr [ecx]
                                                                                                                                                                                                  mov eax, esp

                                                                                                                                                                                                  Data Directories

                                                                                                                                                                                                  NameVirtual AddressVirtual Size Is in Section
                                                                                                                                                                                                  IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                                                                                                                                                  IMAGE_DIRECTORY_ENTRY_IMPORT0x5150000x3dc.idata
                                                                                                                                                                                                  IMAGE_DIRECTORY_ENTRY_RESOURCE0x5320000x408dc.rsrc
                                                                                                                                                                                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                                                                                                                                                  IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                                                                                                                                                  IMAGE_DIRECTORY_ENTRY_BASERELOC0x5160000x1ad82.reloc
                                                                                                                                                                                                  IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                                                                                                                                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                                                                                                                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                                                                                                                                  IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                                                                                                                                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                                                                                                                                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                                                                                                                                  IMAGE_DIRECTORY_ENTRY_IAT0x499dc00xa0.data
                                                                                                                                                                                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                                                                                                                                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                                                                                                                                                                  IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                                                                                                                                                  Sections

                                                                                                                                                                                                  NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                                                                                                                                  .text0x10000x248d850x248e003f3d7fa1334429c78006eaa364c06ea5unknownunknownunknownunknownIMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                                                                                                                                  .rdata0x24a0000x24e3f80x24e4000026001f3a9dbde9823039c185da5a87unknownunknownunknownunknownIMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                                                                                                                  .data0x4990000x7ba480x4e600b56405a86e36faf6fe3ac7ba81f70791False0.3540732157097289data5.940750601247721IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                                                                                                  .idata0x5150000x3dc0x400ee8f66f9b0be645ddc0a511b3838886bFalse0.486328125data4.564631419999286IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                                                                                                  .reloc0x5160000x1ad820x1ae009e8bf935b0e86dd6b3649f7eb5d9ec8cFalse0.6058957122093023data6.662938899404818IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                                                                                                                                                                  .symtab0x5310000x40x20007b5472d347d42780469fb2654b7fc54False0.02734375data0.020393135236084953IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                                                                                                                                                                  .rsrc0x5320000x408dc0x40a0080b14f57397f3496b93bef4402a51f71False0.04925123911992263data2.7036817961710007IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                                                                                                                                                                  Resources

                                                                                                                                                                                                  NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                                                                                                                                                  RT_ICON0x5320a00x40828Device independent bitmap graphic, 250 x 512 x 32, image size 256000, resolution 3779 x 3779 px/m0.04904402192013079
                                                                                                                                                                                                  RT_GROUP_ICON0x5728c80x14data1.2

                                                                                                                                                                                                  Imports

                                                                                                                                                                                                  DLLImport
                                                                                                                                                                                                  kernel32.dllWriteFile, WriteConsoleW, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, PostQueuedCompletionStatus, LoadLibraryA, LoadLibraryW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetEnvironmentStringsW, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateFileA, CreateEventA, CloseHandle, AddVectoredExceptionHandler

                                                                                                                                                                                                  Network Behavior

                                                                                                                                                                                                  Suricata IDS Alerts

                                                                                                                                                                                                  TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                                                                                                                                                  2025-01-09T18:25:09.821476+01002059051ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (soundtappysk .shop)1192.168.2.4613271.1.1.153UDP
                                                                                                                                                                                                  2025-01-09T18:25:09.833200+01002059041ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (femalsabler .shop)1192.168.2.4556851.1.1.153UDP
                                                                                                                                                                                                  2025-01-09T18:25:09.842878+01002059035ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (apporholis .shop)1192.168.2.4627521.1.1.153UDP
                                                                                                                                                                                                  2025-01-09T18:25:09.855571+01002059039ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crowdwarek .shop)1192.168.2.4650451.1.1.153UDP
                                                                                                                                                                                                  2025-01-09T18:25:09.865285+01002059057ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (versersleep .shop)1192.168.2.4563861.1.1.153UDP
                                                                                                                                                                                                  2025-01-09T18:25:09.875121+01002059037ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (chipdonkeruz .shop)1192.168.2.4652401.1.1.153UDP
                                                                                                                                                                                                  2025-01-09T18:25:09.884686+01002059043ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (handscreamny .shop)1192.168.2.4556371.1.1.153UDP
                                                                                                                                                                                                  2025-01-09T18:25:09.896881+01002059049ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (robinsharez .shop)1192.168.2.4603761.1.1.153UDP
                                                                                                                                                                                                  2025-01-09T18:25:10.587997+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.449736104.102.49.254443TCP
                                                                                                                                                                                                  2025-01-09T18:25:11.058577+01002858666ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup1192.168.2.449736104.102.49.254443TCP

                                                                                                                                                                                                  Network Port Distribution

                                                                                                                                                                                                  TCP Packets

                                                                                                                                                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                                                                  Jan 9, 2025 18:25:09.921138048 CET49736443192.168.2.4104.102.49.254
                                                                                                                                                                                                  Jan 9, 2025 18:25:09.921181917 CET44349736104.102.49.254192.168.2.4
                                                                                                                                                                                                  Jan 9, 2025 18:25:09.921246052 CET49736443192.168.2.4104.102.49.254
                                                                                                                                                                                                  Jan 9, 2025 18:25:09.924330950 CET49736443192.168.2.4104.102.49.254
                                                                                                                                                                                                  Jan 9, 2025 18:25:09.924346924 CET44349736104.102.49.254192.168.2.4
                                                                                                                                                                                                  Jan 9, 2025 18:25:10.587929964 CET44349736104.102.49.254192.168.2.4
                                                                                                                                                                                                  Jan 9, 2025 18:25:10.587996960 CET49736443192.168.2.4104.102.49.254
                                                                                                                                                                                                  Jan 9, 2025 18:25:10.591959000 CET49736443192.168.2.4104.102.49.254
                                                                                                                                                                                                  Jan 9, 2025 18:25:10.591975927 CET44349736104.102.49.254192.168.2.4
                                                                                                                                                                                                  Jan 9, 2025 18:25:10.592377901 CET44349736104.102.49.254192.168.2.4
                                                                                                                                                                                                  Jan 9, 2025 18:25:10.644011021 CET49736443192.168.2.4104.102.49.254
                                                                                                                                                                                                  Jan 9, 2025 18:25:10.661299944 CET49736443192.168.2.4104.102.49.254
                                                                                                                                                                                                  Jan 9, 2025 18:25:10.703329086 CET44349736104.102.49.254192.168.2.4
                                                                                                                                                                                                  Jan 9, 2025 18:25:11.058664083 CET44349736104.102.49.254192.168.2.4
                                                                                                                                                                                                  Jan 9, 2025 18:25:11.058722973 CET44349736104.102.49.254192.168.2.4
                                                                                                                                                                                                  Jan 9, 2025 18:25:11.058743000 CET44349736104.102.49.254192.168.2.4
                                                                                                                                                                                                  Jan 9, 2025 18:25:11.058779955 CET44349736104.102.49.254192.168.2.4
                                                                                                                                                                                                  Jan 9, 2025 18:25:11.058796883 CET44349736104.102.49.254192.168.2.4
                                                                                                                                                                                                  Jan 9, 2025 18:25:11.058828115 CET49736443192.168.2.4104.102.49.254
                                                                                                                                                                                                  Jan 9, 2025 18:25:11.058828115 CET49736443192.168.2.4104.102.49.254
                                                                                                                                                                                                  Jan 9, 2025 18:25:11.058829069 CET49736443192.168.2.4104.102.49.254
                                                                                                                                                                                                  Jan 9, 2025 18:25:11.058840990 CET44349736104.102.49.254192.168.2.4
                                                                                                                                                                                                  Jan 9, 2025 18:25:11.058948040 CET49736443192.168.2.4104.102.49.254
                                                                                                                                                                                                  Jan 9, 2025 18:25:11.058948040 CET49736443192.168.2.4104.102.49.254
                                                                                                                                                                                                  Jan 9, 2025 18:25:11.149899960 CET44349736104.102.49.254192.168.2.4
                                                                                                                                                                                                  Jan 9, 2025 18:25:11.149974108 CET49736443192.168.2.4104.102.49.254
                                                                                                                                                                                                  Jan 9, 2025 18:25:11.149990082 CET44349736104.102.49.254192.168.2.4
                                                                                                                                                                                                  Jan 9, 2025 18:25:11.150039911 CET49736443192.168.2.4104.102.49.254
                                                                                                                                                                                                  Jan 9, 2025 18:25:11.150090933 CET44349736104.102.49.254192.168.2.4
                                                                                                                                                                                                  Jan 9, 2025 18:25:11.150157928 CET49736443192.168.2.4104.102.49.254
                                                                                                                                                                                                  Jan 9, 2025 18:25:11.152277946 CET49736443192.168.2.4104.102.49.254
                                                                                                                                                                                                  Jan 9, 2025 18:25:11.152308941 CET44349736104.102.49.254192.168.2.4
                                                                                                                                                                                                  Jan 9, 2025 18:25:11.153367996 CET49736443192.168.2.4104.102.49.254
                                                                                                                                                                                                  Jan 9, 2025 18:25:11.153377056 CET44349736104.102.49.254192.168.2.4

                                                                                                                                                                                                  UDP Packets

                                                                                                                                                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                                                                  Jan 9, 2025 18:25:09.806915045 CET6261953192.168.2.41.1.1.1
                                                                                                                                                                                                  Jan 9, 2025 18:25:09.818794966 CET53626191.1.1.1192.168.2.4
                                                                                                                                                                                                  Jan 9, 2025 18:25:09.821475983 CET6132753192.168.2.41.1.1.1
                                                                                                                                                                                                  Jan 9, 2025 18:25:09.830636978 CET53613271.1.1.1192.168.2.4
                                                                                                                                                                                                  Jan 9, 2025 18:25:09.833199978 CET5568553192.168.2.41.1.1.1
                                                                                                                                                                                                  Jan 9, 2025 18:25:09.841986895 CET53556851.1.1.1192.168.2.4
                                                                                                                                                                                                  Jan 9, 2025 18:25:09.842878103 CET6275253192.168.2.41.1.1.1
                                                                                                                                                                                                  Jan 9, 2025 18:25:09.853162050 CET53627521.1.1.1192.168.2.4
                                                                                                                                                                                                  Jan 9, 2025 18:25:09.855571032 CET6504553192.168.2.41.1.1.1
                                                                                                                                                                                                  Jan 9, 2025 18:25:09.864300013 CET53650451.1.1.1192.168.2.4
                                                                                                                                                                                                  Jan 9, 2025 18:25:09.865284920 CET5638653192.168.2.41.1.1.1
                                                                                                                                                                                                  Jan 9, 2025 18:25:09.873298883 CET53563861.1.1.1192.168.2.4
                                                                                                                                                                                                  Jan 9, 2025 18:25:09.875121117 CET6524053192.168.2.41.1.1.1
                                                                                                                                                                                                  Jan 9, 2025 18:25:09.883641958 CET53652401.1.1.1192.168.2.4
                                                                                                                                                                                                  Jan 9, 2025 18:25:09.884685993 CET5563753192.168.2.41.1.1.1
                                                                                                                                                                                                  Jan 9, 2025 18:25:09.895117044 CET53556371.1.1.1192.168.2.4
                                                                                                                                                                                                  Jan 9, 2025 18:25:09.896881104 CET6037653192.168.2.41.1.1.1
                                                                                                                                                                                                  Jan 9, 2025 18:25:09.905896902 CET53603761.1.1.1192.168.2.4
                                                                                                                                                                                                  Jan 9, 2025 18:25:09.907030106 CET6510453192.168.2.41.1.1.1
                                                                                                                                                                                                  Jan 9, 2025 18:25:09.916723967 CET53651041.1.1.1192.168.2.4

                                                                                                                                                                                                  DNS Queries

                                                                                                                                                                                                  TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                                                                                                                                  Jan 9, 2025 18:25:09.806915045 CET192.168.2.41.1.1.10x62caStandard query (0)letterdrive.shopA (IP address)IN (0x0001)false
                                                                                                                                                                                                  Jan 9, 2025 18:25:09.821475983 CET192.168.2.41.1.1.10xb755Standard query (0)soundtappysk.shopA (IP address)IN (0x0001)false
                                                                                                                                                                                                  Jan 9, 2025 18:25:09.833199978 CET192.168.2.41.1.1.10x3068Standard query (0)femalsabler.shopA (IP address)IN (0x0001)false
                                                                                                                                                                                                  Jan 9, 2025 18:25:09.842878103 CET192.168.2.41.1.1.10xfcd4Standard query (0)apporholis.shopA (IP address)IN (0x0001)false
                                                                                                                                                                                                  Jan 9, 2025 18:25:09.855571032 CET192.168.2.41.1.1.10xb3ccStandard query (0)crowdwarek.shopA (IP address)IN (0x0001)false
                                                                                                                                                                                                  Jan 9, 2025 18:25:09.865284920 CET192.168.2.41.1.1.10x1014Standard query (0)versersleep.shopA (IP address)IN (0x0001)false
                                                                                                                                                                                                  Jan 9, 2025 18:25:09.875121117 CET192.168.2.41.1.1.10xddf1Standard query (0)chipdonkeruz.shopA (IP address)IN (0x0001)false
                                                                                                                                                                                                  Jan 9, 2025 18:25:09.884685993 CET192.168.2.41.1.1.10xa56eStandard query (0)handscreamny.shopA (IP address)IN (0x0001)false
                                                                                                                                                                                                  Jan 9, 2025 18:25:09.896881104 CET192.168.2.41.1.1.10xdf5eStandard query (0)robinsharez.shopA (IP address)IN (0x0001)false
                                                                                                                                                                                                  Jan 9, 2025 18:25:09.907030106 CET192.168.2.41.1.1.10xd18Standard query (0)steamcommunity.comA (IP address)IN (0x0001)false

                                                                                                                                                                                                  DNS Answers

                                                                                                                                                                                                  TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                                                                                                                                  Jan 9, 2025 18:25:09.818794966 CET1.1.1.1192.168.2.40x62caName error (3)letterdrive.shopnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                  Jan 9, 2025 18:25:09.830636978 CET1.1.1.1192.168.2.40xb755Name error (3)soundtappysk.shopnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                  Jan 9, 2025 18:25:09.841986895 CET1.1.1.1192.168.2.40x3068Name error (3)femalsabler.shopnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                  Jan 9, 2025 18:25:09.853162050 CET1.1.1.1192.168.2.40xfcd4Name error (3)apporholis.shopnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                  Jan 9, 2025 18:25:09.864300013 CET1.1.1.1192.168.2.40xb3ccName error (3)crowdwarek.shopnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                  Jan 9, 2025 18:25:09.873298883 CET1.1.1.1192.168.2.40x1014Name error (3)versersleep.shopnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                  Jan 9, 2025 18:25:09.883641958 CET1.1.1.1192.168.2.40xddf1Name error (3)chipdonkeruz.shopnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                  Jan 9, 2025 18:25:09.895117044 CET1.1.1.1192.168.2.40xa56eName error (3)handscreamny.shopnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                  Jan 9, 2025 18:25:09.905896902 CET1.1.1.1192.168.2.40xdf5eName error (3)robinsharez.shopnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                  Jan 9, 2025 18:25:09.916723967 CET1.1.1.1192.168.2.40xd18No error (0)steamcommunity.com104.102.49.254A (IP address)IN (0x0001)false

                                                                                                                                                                                                  HTTP Request Dependency Graph

                                                                                                                                                                                                  • steamcommunity.com

                                                                                                                                                                                                  HTTPS Proxied Packets

                                                                                                                                                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                                                  0192.168.2.449736104.102.49.2544437756C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                                                                                                                                                                                  TimestampBytes transferredDirectionData
                                                                                                                                                                                                  2025-01-09 17:25:10 UTC219OUTGET /profiles/76561199724331900 HTTP/1.1
                                                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                                                                                  Host: steamcommunity.com
                                                                                                                                                                                                  2025-01-09 17:25:11 UTC1905INHTTP/1.1 200 OK
                                                                                                                                                                                                  Server: nginx
                                                                                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                  Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED]
                                                                                                                                                                                                  Expires: Mon, 26 Jul 1997 05:00:00 GMT
                                                                                                                                                                                                  Cache-Control: no-cache
                                                                                                                                                                                                  Date: Thu, 09 Jan 2025 17:25:10 GMT
                                                                                                                                                                                                  Content-Length: 25665
                                                                                                                                                                                                  Connection: close
                                                                                                                                                                                                  Set-Cookie: sessionid=077b4d55145316f83eb95845; Path=/; Secure; SameSite=None
                                                                                                                                                                                                  Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
                                                                                                                                                                                                  2025-01-09 17:25:11 UTC14479INData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e
                                                                                                                                                                                                  Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
                                                                                                                                                                                                  2025-01-09 17:25:11 UTC11186INData Raw: 3f 6c 3d 6b 6f 72 65 61 6e 61 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 6b 6f 72 65 61 6e 61 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e ed 95 9c ea b5 ad ec 96 b4 20 28 4b 6f 72 65 61 6e 29 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 6d 65 6e 75 5f 69 74 65 6d 20 74 69 67 68 74 22 20 68 72 65 66 3d 22 3f 6c 3d 74 68 61 69 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 74 68 61 69 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e e0 b9 84 e0 b8 97 e0 b8 a2 20 28 54 68 61 69 29 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09
                                                                                                                                                                                                  Data Ascii: ?l=koreana" onclick="ChangeLanguage( 'koreana' ); return false;"> (Korean)</a><a class="popup_menu_item tight" href="?l=thai" onclick="ChangeLanguage( 'thai' ); return false;"> (Thai)</a>


                                                                                                                                                                                                  Statistics

                                                                                                                                                                                                  CPU Usage

                                                                                                                                                                                                  Click to jump to process

                                                                                                                                                                                                  Memory Usage

                                                                                                                                                                                                  Click to jump to process

                                                                                                                                                                                                  Behavior

                                                                                                                                                                                                  Click to jump to process

                                                                                                                                                                                                  System Behavior

                                                                                                                                                                                                  General

                                                                                                                                                                                                  Target ID:0
                                                                                                                                                                                                  Start time:12:24:42
                                                                                                                                                                                                  Start date:09/01/2025
                                                                                                                                                                                                  Path:C:\Users\user\Desktop\Invoice.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:"C:\Users\user\Desktop\Invoice.exe"
                                                                                                                                                                                                  Imagebase:0xb80000
                                                                                                                                                                                                  File size:5'511'680 bytes
                                                                                                                                                                                                  MD5 hash:CB7F2241397F38EA67C7B7404F3828CD
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Reputation:low
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  General

                                                                                                                                                                                                  Target ID:4
                                                                                                                                                                                                  Start time:12:25:05
                                                                                                                                                                                                  Start date:09/01/2025
                                                                                                                                                                                                  Path:C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
                                                                                                                                                                                                  Imagebase:0x7d0000
                                                                                                                                                                                                  File size:231'736 bytes
                                                                                                                                                                                                  MD5 hash:A64BEAB5D4516BECA4C40B25DC0C1CD8
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Reputation:moderate
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Disassembly

                                                                                                                                                                                                  Reset < >

                                                                                                                                                                                                    Non-executed Functions

                                                                                                                                                                                                    Function 00BB35E0 Relevance: 11.4, Strings: 9, Instructions: 172COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    • VirtualQuery for stack base failedadding nil Certificate to CertPoolcrypto/aes: invalid buffer overlapcrypto/rsa: missing public modulusdoaddtimer: P already set in timerdriver: remove argument from queryforEachP: sched.safePointWait != 0frame_settings_window_, xrefs: 00BB3845
                                                                                                                                                                                                    • runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=transform: input and output are not identicaltransitioning GC to the same state as before?tried to run scavenger from another, xrefs: 00BB38C7
                                                                                                                                                                                                    • runtime: VirtualQuery failed; errno=runtime: bad notifyList size - sync=runtime: inconsistent write deadlineruntime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: marked free object in span runtime: mcall called on m->g0 stackruntime:, xrefs: 00BB3811
                                                                                                                                                                                                    • runtime.minit: duplicatehandle failedruntime: allocation size out of rangeruntime: unexpected SPWRITE function setprofilebucket: profile already setstartTheWorld: inconsistent mp->nextptoo many Additionals to pack (>65535)too many Authorities to pack (>65535)t, xrefs: 00BB38FB
                                                                                                                                                                                                    • CreateWaitableTimerEx when creating timer failedbufio: writer returned negative count from Writecould not find GetSystemTimeAsFileTime() syscallfail to read symbol table: %d aux symbols unreadinvalid certificate header in security directorynil passed instead o, xrefs: 00BB38A0
                                                                                                                                                                                                    • bad g0 stackbad recoverycaller errorcan't happencas64 failedchan receiveclose notifycontent-typecontext.TODOdumping heapend tracegcentersyscallexit status freeaddrinfogcBitsArenasgcpacertracegetaddrinfowharddecommithost is downhttp2debug=1http2debug=2illegal , xrefs: 00BB37EA
                                                                                                                                                                                                    • runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=transform: input and output are not identicaltransitioning GC to the same state as before?tried to run scavenger from another goroutineunsafe.String: ptr is nil and len i, xrefs: 00BB386C
                                                                                                                                                                                                    • %, xrefs: 00BB3904
                                                                                                                                                                                                    • runtime: g0 stack [runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this directorystopm holding lockssysMemStat overflowtime: unknown unit too many open filesunexpected InstFailunexpected g statusunknown Go type: %vunknown certificateunknown hash , xrefs: 00BB377B
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1952312081.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1952295557.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1952509681.0000000000DCA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1952509681.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1952661100.0000000001019000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1952674259.0000000001022000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1952699134.0000000001063000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1952712165.0000000001064000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1952725129.0000000001065000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1952725129.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1952725129.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1952725129.0000000001092000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1952773701.0000000001095000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1952784634.0000000001096000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1952784634.00000000010B2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1952784634.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b80000_Invoice.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: %$CreateWaitableTimerEx when creating timer failedbufio: writer returned negative count from Writecould not find GetSystemTimeAsFileTime() syscallfail to read symbol table: %d aux symbols unreadinvalid certificate header in security directorynil passed instead o$VirtualQuery for stack base failedadding nil Certificate to CertPoolcrypto/aes: invalid buffer overlapcrypto/rsa: missing public modulusdoaddtimer: P already set in timerdriver: remove argument from queryforEachP: sched.safePointWait != 0frame_settings_window_$bad g0 stackbad recoverycaller errorcan't happencas64 failedchan receiveclose notifycontent-typecontext.TODOdumping heapend tracegcentersyscallexit status freeaddrinfogcBitsArenasgcpacertracegetaddrinfowharddecommithost is downhttp2debug=1http2debug=2illegal $runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=transform: input and output are not identicaltransitioning GC to the same state as before?tried to run scavenger from another$runtime.minit: duplicatehandle failedruntime: allocation size out of rangeruntime: unexpected SPWRITE function setprofilebucket: profile already setstartTheWorld: inconsistent mp->nextptoo many Additionals to pack (>65535)too many Authorities to pack (>65535)t$runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=transform: input and output are not identicaltransitioning GC to the same state as before?tried to run scavenger from another goroutineunsafe.String: ptr is nil and len i$runtime: VirtualQuery failed; errno=runtime: bad notifyList size - sync=runtime: inconsistent write deadlineruntime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: marked free object in span runtime: mcall called on m->g0 stackruntime:$runtime: g0 stack [runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this directorystopm holding lockssysMemStat overflowtime: unknown unit too many open filesunexpected InstFailunexpected g statusunknown Go type: %vunknown certificateunknown hash
                                                                                                                                                                                                    • API String ID: 0-154573877
                                                                                                                                                                                                    • Opcode ID: ab73e3673df7d4eb045c5fdad06cd7b6864cc8a9630e4a3cdebe3d42ddeda9a7
                                                                                                                                                                                                    • Instruction ID: cfff1abacb61bf39bc4ec31b3b061462784e9727b36226e745eb9b77a1df34c8
                                                                                                                                                                                                    • Opcode Fuzzy Hash: ab73e3673df7d4eb045c5fdad06cd7b6864cc8a9630e4a3cdebe3d42ddeda9a7
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 6181E2B45097419FD300EF64C1957AABBE4EF48B04F0189ACF48897352DBB9D948CF62
                                                                                                                                                                                                    Function 00BC3580 Relevance: 5.1, Strings: 4, Instructions: 81COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    • releasep: invalid argruntime: confused by runtime: newstack at runtime: newstack sp=runtime: searchIdx = runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverablesymlink not supportedtimer da, xrefs: 00BC36D1
                                                                                                                                                                                                    • m->p= max= min= next= p->m= prev= span=% util(...), i = , not , val .local.onion.reloc/\?#[]390625<-chanAacuteAgraveAnswerArabicAtildeAugustBrahmiCANCELCarianCcedilChakmaCommonCopticDaggerENCLogENCMapEacuteEgraveExpectExportFlags=FormatFridayGOAWAYGOPATHGO, xrefs: 00BC363B
                                                                                                                                                                                                    • p->status= s.nelems= schedtick= span.list= timerslen=%!(BADPREC)) at entry+, elemsize=, npages = -syncWithWU.WithCancel/dev/stderr/dev/stdout/index.html30517578125: frame.sp=AssemblyRefBLAKE2b-256BLAKE2b-384BLAKE2b-512BLAKE2s-256BoundImportClassHESIODClassLa, xrefs: 00BC3687
                                                                                                                                                                                                    • releasep: m=runtime: gp=runtime: sp=self-preemptsetupapi.dllshort bufferspanSetSpinesweepWaiterstraceStringstransmitfileunexpected )unknown portwintrust.dllwirep: p->m=worker mode wtsapi32.dll != sweepgen (default %q) (default %v) MB globals, MB) workers= ca, xrefs: 00BC3619
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1952312081.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1952295557.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1952509681.0000000000DCA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1952509681.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1952661100.0000000001019000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1952674259.0000000001022000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1952699134.0000000001063000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1952712165.0000000001064000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1952725129.0000000001065000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1952725129.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1952725129.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1952725129.0000000001092000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1952773701.0000000001095000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1952784634.0000000001096000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1952784634.00000000010B2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1952784634.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b80000_Invoice.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: m->p= max= min= next= p->m= prev= span=% util(...), i = , not , val .local.onion.reloc/\?#[]390625<-chanAacuteAgraveAnswerArabicAtildeAugustBrahmiCANCELCarianCcedilChakmaCommonCopticDaggerENCLogENCMapEacuteEgraveExpectExportFlags=FormatFridayGOAWAYGOPATHGO$ p->status= s.nelems= schedtick= span.list= timerslen=%!(BADPREC)) at entry+, elemsize=, npages = -syncWithWU.WithCancel/dev/stderr/dev/stdout/index.html30517578125: frame.sp=AssemblyRefBLAKE2b-256BLAKE2b-384BLAKE2b-512BLAKE2s-256BoundImportClassHESIODClassLa$releasep: invalid argruntime: confused by runtime: newstack at runtime: newstack sp=runtime: searchIdx = runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverablesymlink not supportedtimer da$releasep: m=runtime: gp=runtime: sp=self-preemptsetupapi.dllshort bufferspanSetSpinesweepWaiterstraceStringstransmitfileunexpected )unknown portwintrust.dllwirep: p->m=worker mode wtsapi32.dll != sweepgen (default %q) (default %v) MB globals, MB) workers= ca
                                                                                                                                                                                                    • API String ID: 0-1691565663
                                                                                                                                                                                                    • Opcode ID: 63c76f1ccdc4f0beb231443cfd0ac1a64e0777d3228256b1764da4e5d5f3695e
                                                                                                                                                                                                    • Instruction ID: 2f613f83bee7b2494dc495ef176ae2fa573ee73022edaf79f6813fe77a5c1cb4
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 63c76f1ccdc4f0beb231443cfd0ac1a64e0777d3228256b1764da4e5d5f3695e
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9C31E6B45097009FC314EF24C195BAABBE4FF88704F4589ADE88887312DB75D948DFA2

                                                                                                                                                                                                    Execution Graph

                                                                                                                                                                                                    Execution Coverage:2.2%
                                                                                                                                                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                                    Signature Coverage:27.7%
                                                                                                                                                                                                    Total number of Nodes:65
                                                                                                                                                                                                    Total number of Limit Nodes:5
                                                                                                                                                                                                    execution_graph 12962 408880 12964 40888f 12962->12964 12963 408ab5 ExitProcess 12964->12963 12965 408a9e 12964->12965 12966 4088a4 GetCurrentProcessId GetCurrentThreadId 12964->12966 12980 440240 12965->12980 12968 4088ca 12966->12968 12969 4088ce SHGetSpecialFolderPathW GetForegroundWindow 12966->12969 12968->12969 12970 408974 12969->12970 12974 43eb20 12970->12974 12972 4089cf 12972->12965 12977 40ba80 FreeLibrary 12972->12977 12983 441850 12974->12983 12976 43eb2a RtlAllocateHeap 12976->12972 12978 40ba9c 12977->12978 12979 40baa1 FreeLibrary 12978->12979 12979->12965 12985 441830 12980->12985 12982 440245 FreeLibrary 12982->12963 12984 441870 12983->12984 12984->12976 12984->12984 12986 441839 12985->12986 12986->12982 12987 439823 12989 43983b 12987->12989 12988 439849 GetUserDefaultUILanguage 12990 43987b 12988->12990 12989->12988 12990->12990 12996 443190 12997 4431b0 12996->12997 12998 443298 12997->12998 13000 4402c0 LdrInitializeThunk 12997->13000 13000->12998 13001 4404b1 GetForegroundWindow 13002 4404ce 13001->13002 13008 440cde 13009 440ce8 13008->13009 13011 440dae 13009->13011 13014 4402c0 LdrInitializeThunk 13009->13014 13013 4402c0 LdrInitializeThunk 13011->13013 13013->13011 13014->13011 13015 40a69b 13016 40a770 13015->13016 13021 40b2b0 13016->13021 13018 40a7b9 13019 40b2b0 3 API calls 13018->13019 13020 40a8d9 13019->13020 13022 40b340 13021->13022 13023 40b365 13022->13023 13025 440260 13022->13025 13023->13018 13026 4402a5 13025->13026 13027 440286 13025->13027 13028 440278 13025->13028 13029 44029a 13025->13029 13034 43eb40 13026->13034 13032 44028b RtlReAllocateHeap 13027->13032 13028->13026 13028->13027 13030 43eb20 RtlAllocateHeap 13029->13030 13033 4402a0 13030->13033 13032->13033 13033->13022 13035 43eb53 13034->13035 13036 43eb55 13034->13036 13035->13033 13037 43eb5a RtlFreeHeap 13036->13037 13037->13033 13038 4409b8 13039 4409d0 13038->13039 13041 440a3e 13039->13041 13044 4402c0 LdrInitializeThunk 13039->13044 13040 440a8e 13041->13040 13045 4402c0 LdrInitializeThunk 13041->13045 13044->13041 13045->13040 12991 4406eb 12992 44072e 12991->12992 12993 44070c 12991->12993 12993->12992 12995 4402c0 LdrInitializeThunk 12993->12995 12995->12992

                                                                                                                                                                                                    Executed Functions

                                                                                                                                                                                                    Function 00408880 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 180threadCOMMON
                                                                                                                                                                                                    Download Yara Rule

                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetCurrentProcessId.KERNEL32 ref: 004088A4
                                                                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 004088AE
                                                                                                                                                                                                    • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 00408955
                                                                                                                                                                                                    • GetForegroundWindow.USER32 ref: 0040896A
                                                                                                                                                                                                    • ExitProcess.KERNEL32 ref: 00408AB7
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
                                                                                                                                                                                                    • String ID: 6W01
                                                                                                                                                                                                    • API String ID: 4063528623-326071965
                                                                                                                                                                                                    • Opcode ID: 39779329cba8329f932d9f79242290fe4725b3bdf2e9b5d89c9d7ceec3140c35
                                                                                                                                                                                                    • Instruction ID: 68999dc676c32329d0dd7cdb3a03855c51f4a57e0b82bf1efaa177e53c028fce
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 39779329cba8329f932d9f79242290fe4725b3bdf2e9b5d89c9d7ceec3140c35
                                                                                                                                                                                                    • Instruction Fuzzy Hash: A0516A73B443040BD328EF659C46356BA879BC5314F0AC13EA985BB7E2ED78980586CA
                                                                                                                                                                                                    Function 0040B2B0 Relevance: 9.3, Strings: 7, Instructions: 518COMMON
                                                                                                                                                                                                    Download Yara Rule

                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                    • Executed
                                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                                    control_flow_graph 35 40b2b0-40b338 36 40b340-40b349 35->36 36->36 37 40b34b-40b35e 36->37 39 40b700-40b74a 37->39 40 40b661-40b6ab call 408040 37->40 41 40b6b4-40b6ff 37->41 42 40b365-40b367 37->42 43 40b658-40b65c 37->43 44 40b36c-40b5a5 37->44 54 40b750-40b757 39->54 40->41 41->39 45 40ba61-40ba67 42->45 47 40ba52-40ba5e 43->47 46 40b5b0-40b635 44->46 51 40ba70 45->51 46->46 52 40b63b-40b646 46->52 47->45 55 40b64a-40b651 52->55 54->51 56 40ba00 54->56 57 40b804-40b80b 54->57 58 40b904-40b908 54->58 59 40b7c5 54->59 60 40ba06-40ba0a 54->60 61 40ba49 54->61 62 40b7cb-40b7d1 54->62 63 40b80d-40b81f 54->63 64 40b90d-40b92d 54->64 65 40b94d-40b954 54->65 66 40b990-40b994 54->66 67 40ba11-40ba16 54->67 68 40b9d8-40b9f4 54->68 69 40b95b-40b970 call 441c40 54->69 70 40b8dc-40b8e6 54->70 71 40ba1d 54->71 72 40b75e-40b76c 54->72 73 40b7e0-40b7e6 54->73 74 40b7a0-40b7bd call 441c40 54->74 75 40ba23-40ba30 54->75 76 40b9a3-40b9b5 54->76 77 40b8ed-40b902 call 441c40 54->77 78 40b7ef-40b7fd 54->78 79 40b972-40b976 54->79 80 40ba72-40ba79 54->80 81 40b773 54->81 82 40b934-40b946 54->82 83 40ba35-40ba38 54->83 84 40b779-40b794 call 441c40 54->84 85 40b97b-40b984 54->85 86 40b9bc-40b9c2 call 440260 54->86 87 40b9fd-40b9ff 54->87 55->39 55->40 55->41 55->43 55->54 55->56 55->57 55->58 55->59 55->60 55->62 55->63 55->64 55->65 55->66 55->67 55->68 55->69 55->70 55->71 55->72 55->73 55->75 55->76 55->77 55->78 55->79 55->82 55->83 55->85 55->86 55->87 89 40b83c-40b867 57->89 92 40ba3f-40ba42 58->92 59->62 60->51 60->58 60->61 60->67 60->69 60->71 60->74 60->77 60->79 60->80 60->81 60->83 60->84 61->47 62->73 90 40b820-40b834 63->90 64->51 64->56 64->58 64->60 64->61 64->65 64->66 64->67 64->68 64->69 64->71 64->74 64->75 64->76 64->77 64->79 64->80 64->81 64->82 64->83 64->84 64->85 64->86 64->87 65->51 65->58 65->61 65->69 65->74 65->77 65->79 65->80 65->81 65->84 99 40b99d 66->99 67->51 67->58 67->61 67->69 67->71 67->74 67->77 67->79 67->80 67->81 67->83 67->84 68->87 69->79 70->51 70->58 70->61 70->74 70->77 70->80 70->81 70->84 72->51 72->61 72->74 72->80 72->81 72->84 73->78 74->59 75->66 76->51 76->56 76->58 76->60 76->61 76->67 76->68 76->69 76->71 76->74 76->77 76->79 76->80 76->81 76->83 76->84 76->86 76->87 77->58 78->51 78->56 78->57 78->58 78->60 78->61 78->63 78->64 78->65 78->66 78->67 78->68 78->69 78->70 78->71 78->74 78->75 78->76 78->77 78->79 78->80 78->81 78->82 78->83 78->84 78->85 78->86 78->87 79->83 82->51 82->56 82->58 82->60 82->61 82->65 82->66 82->67 82->68 82->69 82->71 82->74 82->75 82->76 82->77 82->79 82->80 82->81 82->83 82->84 82->85 82->86 82->87 83->92 84->74 85->66 102 40b9c7-40b9d1 86->102 87->56 101 40b870-40b8b6 89->101 90->90 100 40b836-40b839 90->100 92->61 99->76 100->89 101->101 108 40b8b8-40b8d5 101->108 102->51 102->56 102->58 102->60 102->61 102->67 102->68 102->69 102->71 102->74 102->77 102->79 102->80 102->81 102->83 102->84 102->87 108->51 108->56 108->58 108->60 108->61 108->64 108->65 108->66 108->67 108->68 108->69 108->70 108->71 108->74 108->75 108->76 108->77 108->79 108->80 108->81 108->82 108->83 108->84 108->85 108->86 108->87
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: 6C(]$?_oY$@w@q$Bc*}$K{Du$`/()$fWpQ
                                                                                                                                                                                                    • API String ID: 0-74227037
                                                                                                                                                                                                    • Opcode ID: 38d3abca32f2cf0db45db9bcd24ebb0db54af3e6334d844c9839fcbf09972b5b
                                                                                                                                                                                                    • Instruction ID: 6cbb9b4a16d706e95eb7c5eb543f19fb0438a443f67131002351f3f2f8f3bf58
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 38d3abca32f2cf0db45db9bcd24ebb0db54af3e6334d844c9839fcbf09972b5b
                                                                                                                                                                                                    • Instruction Fuzzy Hash: FA1299B5205B01CFD324CF25D891B97BBF6FB45314F058A2DD5AA8BAA0DB74A406CF84
                                                                                                                                                                                                    Function 0040AA32 Relevance: 2.6, Strings: 2, Instructions: 64COMMON
                                                                                                                                                                                                    Download Yara Rule

                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                    • Executed
                                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                                    control_flow_graph 149 40aa32-40aa35 150 40aa82 149->150 151 40aa37-40aa5f 149->151 152 40aa60-40aa72 151->152 152->152 153 40aa74-40aa7b 152->153 156 40aa00-40aa12 153->156 156->156 157 40aa14-40aa2e 156->157
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: MO$MO
                                                                                                                                                                                                    • API String ID: 0-3148518880
                                                                                                                                                                                                    • Opcode ID: 15a7f7520f170cbb2b7e14720c3e61eb56271343ee20c45e820ed2ad2248e475
                                                                                                                                                                                                    • Instruction ID: de3bae81b745c0a1c58d0910fc7dee7dc7ce1027ddf7ad09ed428793afe2e5a8
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 15a7f7520f170cbb2b7e14720c3e61eb56271343ee20c45e820ed2ad2248e475
                                                                                                                                                                                                    • Instruction Fuzzy Hash: BB119E742443818BEF148F649D916677FA0EF42320B2499A99C455F3CBC638C511CF69
                                                                                                                                                                                                    Function 004402C0 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON
                                                                                                                                                                                                    Download Yara Rule

                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                    • Executed
                                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                                    control_flow_graph 190 4402c0-4402f2 LdrInitializeThunk
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • LdrInitializeThunk.NTDLL(0044316E,?,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 004402EE
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: InitializeThunk
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2994545307-0
                                                                                                                                                                                                    • Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
                                                                                                                                                                                                    • Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
                                                                                                                                                                                                    • Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82
                                                                                                                                                                                                    Function 00439823 Relevance: 1.6, APIs: 1, Instructions: 74COMMON
                                                                                                                                                                                                    Download Yara Rule

                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                    • Executed
                                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                                    control_flow_graph 159 439823-439843 call 441c40 162 439845-439847 159->162 163 439849-439876 GetUserDefaultUILanguage 159->163 162->163 165 43987b-439889 163->165 165->165 166 43988b-43988e 165->166 167 439890-439893 166->167 168 4398f1-43991f 167->168 169 439895-4398ef 167->169 169->167
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetUserDefaultUILanguage.KERNELBASE ref: 00439849
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: DefaultLanguageUser
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 95929093-0
                                                                                                                                                                                                    • Opcode ID: 073064e62519ff9a579f370c810cb79e9028ddc2df4d2d5154c8b9d615f7e12e
                                                                                                                                                                                                    • Instruction ID: e0540df6cb5c427e005fede11a03f79f5d5b6ceaa27f9f8c3f4a3f8ec0325a9a
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 073064e62519ff9a579f370c810cb79e9028ddc2df4d2d5154c8b9d615f7e12e
                                                                                                                                                                                                    • Instruction Fuzzy Hash: CD210B72F056908BD72DCA3D8C913D97A936FDA320F2983EDC169877E4DA784D428701
                                                                                                                                                                                                    Function 00440260 Relevance: 1.5, APIs: 1, Instructions: 30memoryCOMMON
                                                                                                                                                                                                    Download Yara Rule

                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                    • Executed
                                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                                    control_flow_graph 170 440260-440271 171 4402a5-4402a6 call 43eb40 170->171 172 440286-440298 call 441850 RtlReAllocateHeap 170->172 173 440278-44027f 170->173 174 44029a-4402a3 call 43eb20 170->174 180 4402ab-4402ae 171->180 181 4402b0-4402b2 172->181 173->171 173->172 174->181 180->181
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • RtlReAllocateHeap.NTDLL(?,00000000,?,?,?,00000000,0040B9C7,00000000,00000001), ref: 00440292
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AllocateHeap
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1279760036-0
                                                                                                                                                                                                    • Opcode ID: e3ca6a36a028ff54866f16376779860b9096701dd45936173a9f18f59b7a354d
                                                                                                                                                                                                    • Instruction ID: c7e132dbbf166c87dd4ca7ba8e526d96017081e21b1d4d371130b4eff19db060
                                                                                                                                                                                                    • Opcode Fuzzy Hash: e3ca6a36a028ff54866f16376779860b9096701dd45936173a9f18f59b7a354d
                                                                                                                                                                                                    • Instruction Fuzzy Hash: C3E02B32404310ABD2026F397C06B177674EFC6715F05087AF50156151DB38F811C5DE
                                                                                                                                                                                                    Function 0043EB40 Relevance: 1.5, APIs: 1, Instructions: 15memoryCOMMON
                                                                                                                                                                                                    Download Yara Rule

                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                    • Executed
                                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                                    control_flow_graph 182 43eb40-43eb4c 183 43eb53-43eb54 182->183 184 43eb55-43eb67 call 441850 RtlFreeHeap 182->184
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • RtlFreeHeap.NTDLL(?,00000000,?,004402AB,?,0040B9C7,00000000,00000001), ref: 0043EB60
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: FreeHeap
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3298025750-0
                                                                                                                                                                                                    • Opcode ID: 81edc790b0ddca4267d7eff7df3f20d03a026a9a6739d0257eb6886926d10809
                                                                                                                                                                                                    • Instruction ID: 6306fd139b63709815d779222b474fbda691f96f30962fae2caf2063fc0eb5d0
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 81edc790b0ddca4267d7eff7df3f20d03a026a9a6739d0257eb6886926d10809
                                                                                                                                                                                                    • Instruction Fuzzy Hash: FDD0C931445536FBC6102F28BC06BCB3B94EF497A5F0708A5F540AA075E725DC918AD8
                                                                                                                                                                                                    Function 004404B1 Relevance: 1.5, APIs: 1, Instructions: 15COMMON
                                                                                                                                                                                                    Download Yara Rule

                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                    • Executed
                                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                                    control_flow_graph 187 4404b1-4404c9 GetForegroundWindow call 4421e0 189 4404ce-4404e8 187->189
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetForegroundWindow.USER32 ref: 004404BF
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ForegroundWindow
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2020703349-0
                                                                                                                                                                                                    • Opcode ID: ac82542d7ead4e5736e61cdedea6fc5be5df443e6220e35db9291a32a896b3cb
                                                                                                                                                                                                    • Instruction ID: 7f86c14d6ce35f706de72b94d0a04e46592ace6e5707a2a12f6891b8fa8e10aa
                                                                                                                                                                                                    • Opcode Fuzzy Hash: ac82542d7ead4e5736e61cdedea6fc5be5df443e6220e35db9291a32a896b3cb
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 15E0E2B9900214DBEB44CF68FC9592933B5EB8B3093040439E202C3362EA34E602CF59
                                                                                                                                                                                                    Function 0043EB20 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON
                                                                                                                                                                                                    Download Yara Rule

                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                    • Executed
                                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                                    control_flow_graph 191 43eb20-43eb37 call 441850 RtlAllocateHeap
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • RtlAllocateHeap.NTDLL(?,00000000,?,E931068D,004089CF,6W01), ref: 0043EB30
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AllocateHeap
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1279760036-0
                                                                                                                                                                                                    • Opcode ID: 79e8824736e673c164acaa36c8672ab8da0624bb6b492fb9ad0aed697a58ad7a
                                                                                                                                                                                                    • Instruction ID: faa30900258afa928b287b4fa720072893bcbdc8cd762d9751037a3417221d58
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 79e8824736e673c164acaa36c8672ab8da0624bb6b492fb9ad0aed697a58ad7a
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 91C04C31045120ABD5506B15EC05BC63B54DF852A5F020065B105660718660ACC2C698

                                                                                                                                                                                                    Non-executed Functions

                                                                                                                                                                                                    Function 00423EFF Relevance: 70.4, Strings: 56, Instructions: 350COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: &$&$($-$/$0$0$1$1$2$4$7$8$:$>$>$?$?$@$@$A$B$D$F$H$J$L$N$N$Q$V$X$\$^$`$b$d$f$f$h$h$j$l$n$n$p$q$r$t$v$x$x$z$|$}$~
                                                                                                                                                                                                    • API String ID: 0-1862720121
                                                                                                                                                                                                    • Opcode ID: c5d1dad0e18394a26f368b4fdc11b7f874ac40861fef3467ff25af8bb3c0dbef
                                                                                                                                                                                                    • Instruction ID: 27bd2a0d4c2ee2dbe7fab43400867feab0dee6ac78a78b22b0fd1ff9dbe20428
                                                                                                                                                                                                    • Opcode Fuzzy Hash: c5d1dad0e18394a26f368b4fdc11b7f874ac40861fef3467ff25af8bb3c0dbef
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 45026021D087D989DB22C67C8C483CDBFA11B63324F4843EDD5E86B3D6D6B90946CB66
                                                                                                                                                                                                    Function 0043A4EF Relevance: 54.1, Strings: 43, Instructions: 311COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: %$+$0$3$9$:$<$=$>$A$C$D$E$G$I$K$L$M$a$a$c$c$e$e$g$g$i$i$k$k$m$m$n$o$o$q$s$u$w$x$y${$}
                                                                                                                                                                                                    • API String ID: 0-1785674967
                                                                                                                                                                                                    • Opcode ID: 64b6cdda28aa021313f1cbb0850f2494ccdc33704329f9a8e3918c3b304d7149
                                                                                                                                                                                                    • Instruction ID: 5a335782380f72e06434a0b7d1c84293c6c1cbd051fad8399b30b8532d7f13f9
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 64b6cdda28aa021313f1cbb0850f2494ccdc33704329f9a8e3918c3b304d7149
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0EF170319086E98ADB22C63C8C443DDBFB15B56324F0847D9D0A96B3D2C7794F86CB66
                                                                                                                                                                                                    Function 00439923 Relevance: 50.4, Strings: 40, Instructions: 391COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: $$*$-$1$2$4$5$7$<$=$=$=$F$F$G$H$I$O$S$S$T$U$Y$Z$]$_$c$e$f$i$i$j$j$r$s$t$w$x${$~
                                                                                                                                                                                                    • API String ID: 0-3597792095
                                                                                                                                                                                                    • Opcode ID: 9858d768ba85f4fc7c06e0a387e2414925c75b509ec035ed4b4a87323aee9e67
                                                                                                                                                                                                    • Instruction ID: be7a992d2d4842197a1748c1c2319ac7c28ec811ade833faf29c06d267706092
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9858d768ba85f4fc7c06e0a387e2414925c75b509ec035ed4b4a87323aee9e67
                                                                                                                                                                                                    • Instruction Fuzzy Hash: E8224F219087EA89DB32C67C8C483CDBFA15B67224F1843D9D4F86B3D6C7750A46CB66
                                                                                                                                                                                                    Function 0043B870 Relevance: 35.9, APIs: 10, Strings: 10, Instructions: 880memorycomCOMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • CoCreateInstance.OLE32(CDCCD3E7,00000000,00000001,?,00000000), ref: 0043BCCC
                                                                                                                                                                                                    • SysAllocString.OLEAUT32(37C935C6), ref: 0043BD46
                                                                                                                                                                                                    • CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0043BD84
                                                                                                                                                                                                    • SysAllocString.OLEAUT32(37C935C6), ref: 0043BDE9
                                                                                                                                                                                                    • SysAllocString.OLEAUT32(37C935C6), ref: 0043BED0
                                                                                                                                                                                                    • VariantInit.OLEAUT32(?), ref: 0043BF3E
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AllocString$BlanketCreateInitInstanceProxyVariant
                                                                                                                                                                                                    • String ID: M$96$:;$%$F*R($[&h$$e?^$k"@ $n:T8$#~|$#~|
                                                                                                                                                                                                    • API String ID: 65563702-2807872674
                                                                                                                                                                                                    • Opcode ID: e6ecce7c8956681f92dc535f91b381c25ec5d52401f642ed89fa62794539d767
                                                                                                                                                                                                    • Instruction ID: 0fa8c84a7900d0f22f2d4f21e88135ff08406c7ea1f94cba9a5970d36c475c8e
                                                                                                                                                                                                    • Opcode Fuzzy Hash: e6ecce7c8956681f92dc535f91b381c25ec5d52401f642ed89fa62794539d767
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 735202726083408BD714CF68C88176BFBE1EF89314F189A2EE5D597391D778D806CB96
                                                                                                                                                                                                    Function 00436980 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 230windowCOMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetDC.USER32(00000000), ref: 00436989
                                                                                                                                                                                                    • GetSystemMetrics.USER32(0000004C), ref: 00436999
                                                                                                                                                                                                    • GetSystemMetrics.USER32(0000004D), ref: 004369A1
                                                                                                                                                                                                    • GetCurrentObject.GDI32(00000000,00000007), ref: 004369AA
                                                                                                                                                                                                    • GetObjectW.GDI32(00000000,00000018,?), ref: 004369BA
                                                                                                                                                                                                    • DeleteObject.GDI32(00000000), ref: 004369C1
                                                                                                                                                                                                    • CreateCompatibleDC.GDI32(00000000), ref: 004369D0
                                                                                                                                                                                                    • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 004369DB
                                                                                                                                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 004369E7
                                                                                                                                                                                                    • BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,00CC0020), ref: 00436A0A
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Object$CompatibleCreateMetricsSystem$BitmapCurrentDeleteSelect
                                                                                                                                                                                                    • String ID: Y
                                                                                                                                                                                                    • API String ID: 1298755333-3233089245
                                                                                                                                                                                                    • Opcode ID: c24b2a11f15356cf646cf834205c4c04271eabb57bf08da4818dca27ea7b735a
                                                                                                                                                                                                    • Instruction ID: ce6842184c50d62c14bce23637ee5c5f438d7dfa952fd3edf86735d4080956a5
                                                                                                                                                                                                    • Opcode Fuzzy Hash: c24b2a11f15356cf646cf834205c4c04271eabb57bf08da4818dca27ea7b735a
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4A81C33A158310EFD7489FB4AC49A3B7BA5FB8A352F050C3CF546D2290C73995168B2B
                                                                                                                                                                                                    Function 004367F0 Relevance: 29.9, APIs: 6, Strings: 11, Instructions: 109clipboardCOMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
                                                                                                                                                                                                    • String ID: @$B$C$E$F$K$N$O$t${$}
                                                                                                                                                                                                    • API String ID: 2832541153-984153585
                                                                                                                                                                                                    • Opcode ID: bcc03291c71dc1ac25c6e95f0924d253445351a4da78695e986e918d99809bc9
                                                                                                                                                                                                    • Instruction ID: d12379fae56aa42f0d26b1a9ba346e1c7749dd96ee15ae9ce42ccc61be201c2c
                                                                                                                                                                                                    • Opcode Fuzzy Hash: bcc03291c71dc1ac25c6e95f0924d253445351a4da78695e986e918d99809bc9
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 65418FB050C3818ED301EF78D58931FBFE0AF96318F05492EE4C996292D67D8549CBAB
                                                                                                                                                                                                    Function 00425100 Relevance: 25.0, APIs: 3, Strings: 11, Instructions: 480COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000), ref: 004251AA
                                                                                                                                                                                                    • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000), ref: 00425243
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: EnvironmentExpandStrings
                                                                                                                                                                                                    • String ID: +$e$+$e$%\)R$,X*^$.T'j$1D6Z$:@&F$?P:V$C`<f$XY$]RB
                                                                                                                                                                                                    • API String ID: 237503144-2846770461
                                                                                                                                                                                                    • Opcode ID: be84ad2a2dc8deef5579fea24953012850529ab1ccaeb00d1e318e8ad6242404
                                                                                                                                                                                                    • Instruction ID: b6d59b0557f70d7ec2d4011febfa6e18cf4a5b2df19338a98cc8181bc2575411
                                                                                                                                                                                                    • Opcode Fuzzy Hash: be84ad2a2dc8deef5579fea24953012850529ab1ccaeb00d1e318e8ad6242404
                                                                                                                                                                                                    • Instruction Fuzzy Hash: E7F1EDB4208350DFD310DF69E89166BBBE0FFC5314F54892DE5958B362E7B88906CB46
                                                                                                                                                                                                    Function 00425D6A Relevance: 15.8, Strings: 12, Instructions: 778COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: $@7F$(X#^$+\1R$-T,j$2E1G$4D2Z$8I>K$T`Sf$Wdz$&$$qs$uVw
                                                                                                                                                                                                    • API String ID: 0-2419925205
                                                                                                                                                                                                    • Opcode ID: dbc9d13701a6f1f84a1fbda366b061da39485b638189b278c3f43e1cc0e4d0b6
                                                                                                                                                                                                    • Instruction ID: c261d025133841230159ca5431fd9423a817dc7e9349410c690f11e8db15d26c
                                                                                                                                                                                                    • Opcode Fuzzy Hash: dbc9d13701a6f1f84a1fbda366b061da39485b638189b278c3f43e1cc0e4d0b6
                                                                                                                                                                                                    • Instruction Fuzzy Hash: FA7283B4A05269CFDB24CF55D881BDDBBB2FB46300F1181E9C5496B362DB349A86CF84
                                                                                                                                                                                                    Function 00419840 Relevance: 14.9, APIs: 2, Strings: 6, Instructions: 936COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • FreeLibrary.KERNEL32(?), ref: 00419CE7
                                                                                                                                                                                                    • FreeLibrary.KERNEL32(?), ref: 00419D24
                                                                                                                                                                                                      • Part of subcall function 004402C0: LdrInitializeThunk.NTDLL(0044316E,?,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 004402EE
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: FreeLibrary$InitializeThunk
                                                                                                                                                                                                    • String ID: ~|$SP$if$pv$tj$vt
                                                                                                                                                                                                    • API String ID: 764372645-1422159894
                                                                                                                                                                                                    • Opcode ID: e0b58ed5ff15dc801148dc9f86a9132d6192a83ea1caeaa00bd99fa001171b69
                                                                                                                                                                                                    • Instruction ID: c1c817f51924b2b6e01bbc71c3bfe870e6f9d21007064de5033cd7ab66586395
                                                                                                                                                                                                    • Opcode Fuzzy Hash: e0b58ed5ff15dc801148dc9f86a9132d6192a83ea1caeaa00bd99fa001171b69
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5D624770609310AFE724CB15DC9176BB7E2EFC5314F18862DF495973A1D378AC858B4A
                                                                                                                                                                                                    Function 00417405 Relevance: 13.4, APIs: 4, Strings: 3, Instructions: 1110COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: 5&'d$O$~
                                                                                                                                                                                                    • API String ID: 0-1622812124
                                                                                                                                                                                                    • Opcode ID: 8b914b4801975b71dea4b75609ed348123c7e1e6468bc6ef1cacffb89bf502a6
                                                                                                                                                                                                    • Instruction ID: 7c8e188e2ff574dc84e1e58bec60109b2722ae2eee07efcef2931a8160e5a92b
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 8b914b4801975b71dea4b75609ed348123c7e1e6468bc6ef1cacffb89bf502a6
                                                                                                                                                                                                    • Instruction Fuzzy Hash: AC820F7550C3518BC324CF28C8917ABB7E1FF99314F198A6EE4C99B391E7389941CB4A
                                                                                                                                                                                                    Function 004257E0 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 295COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 004258F4
                                                                                                                                                                                                    • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 0042595D
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: EnvironmentExpandStrings
                                                                                                                                                                                                    • String ID: B"@$)RSP$=^"\$`J/H$rp
                                                                                                                                                                                                    • API String ID: 237503144-816972838
                                                                                                                                                                                                    • Opcode ID: bf1cafb989073c4553b17663fd8b05ca961829d4f2cee33832e91d81a2f5237f
                                                                                                                                                                                                    • Instruction ID: cd6e5e946c3164ee33c4da05371f075d598195140dbb1deecb8ac0c04a2143aa
                                                                                                                                                                                                    • Opcode Fuzzy Hash: bf1cafb989073c4553b17663fd8b05ca961829d4f2cee33832e91d81a2f5237f
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9DA110B6E402188FDB10CFA8DC827EEBBB1FF85314F154169E414AB291D7B59942CB94
                                                                                                                                                                                                    Function 00415720 Relevance: 11.8, Strings: 8, Instructions: 1798COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: 9?4<$BYQZ$DASS$F2}0$L$NR@:$R(RW$a
                                                                                                                                                                                                    • API String ID: 0-3642574725
                                                                                                                                                                                                    • Opcode ID: 83579c757a543f9f659438346f364b36b2e078702eec510370abc902ff0d75f9
                                                                                                                                                                                                    • Instruction ID: 7f7427958d78b94ffc8c4a18595fe2cbb503adca6349e1c34573b0944bc9dd97
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 83579c757a543f9f659438346f364b36b2e078702eec510370abc902ff0d75f9
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 80C21675608350DFD7209F28D8957ABB7E2EFC6314F19892DE4C98B391EB389841CB46
                                                                                                                                                                                                    Function 0041C400 Relevance: 10.8, Strings: 8, Instructions: 842COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: *H%N$+P%V$,X0^$,\/b$2T'Z$4D"J$C`6f$C`6f
                                                                                                                                                                                                    • API String ID: 0-102253164
                                                                                                                                                                                                    • Opcode ID: 7d18ccd7fb329c2f7a5c3569352263da56546af64857bf12c5cea43640fe8961
                                                                                                                                                                                                    • Instruction ID: 7c24634cc790d3dc5544db0222c0a2221dcce8583ae8b0beabc19f11c9a677e2
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 7d18ccd7fb329c2f7a5c3569352263da56546af64857bf12c5cea43640fe8961
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 923202B19402118BCB24CF24CC927A7B7B2FF95314F28829DD851AF395E779A842CBD5
                                                                                                                                                                                                    Function 00420D90 Relevance: 10.5, Strings: 8, Instructions: 470COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: "G3A$%K9U$2W<Q$<O)I$>C;M$>C;M"G3A$?S2]$?_%Y
                                                                                                                                                                                                    • API String ID: 0-2668584225
                                                                                                                                                                                                    • Opcode ID: d10a81d34372c35a96c2f8986c5506c0c6912e9abd80cece7959baf4c885c2f5
                                                                                                                                                                                                    • Instruction ID: 1eff8263789fd2a08f3fecf0f268f16acf59bb1ac0ae24da522a1f75b62227ff
                                                                                                                                                                                                    • Opcode Fuzzy Hash: d10a81d34372c35a96c2f8986c5506c0c6912e9abd80cece7959baf4c885c2f5
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 28E101756083108BC324CF64C89276BB7F1EFE6314F498A5DE4D69B3A4E3389905CB96
                                                                                                                                                                                                    Function 00427860 Relevance: 10.4, Strings: 8, Instructions: 409COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: J+$JW$]_$bX_^$r}B$+5$/)$3=
                                                                                                                                                                                                    • API String ID: 0-2499027453
                                                                                                                                                                                                    • Opcode ID: 4f300e806615f3e46f25d2dfee94d4050b3e57adbeef3450ddc0df426ccfbfa4
                                                                                                                                                                                                    • Instruction ID: 44c300c69855992b2f16a9d4ad0dfeec6e614c77fc8171f72a5c7ce453eec0d9
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 4f300e806615f3e46f25d2dfee94d4050b3e57adbeef3450ddc0df426ccfbfa4
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9FD1DEB461C340DFE7249F25E881B6BB7A2FBC6304F94892DF1858B391DB749805CB5A
                                                                                                                                                                                                    Function 0040D545 Relevance: 9.3, APIs: 1, Strings: 5, Instructions: 349COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                      • Part of subcall function 00436980: GetDC.USER32(00000000), ref: 00436989
                                                                                                                                                                                                      • Part of subcall function 00436980: GetSystemMetrics.USER32(0000004C), ref: 00436999
                                                                                                                                                                                                      • Part of subcall function 00436980: GetSystemMetrics.USER32(0000004D), ref: 004369A1
                                                                                                                                                                                                      • Part of subcall function 00436980: GetCurrentObject.GDI32(00000000,00000007), ref: 004369AA
                                                                                                                                                                                                      • Part of subcall function 00436980: GetObjectW.GDI32(00000000,00000018,?), ref: 004369BA
                                                                                                                                                                                                      • Part of subcall function 00436980: DeleteObject.GDI32(00000000), ref: 004369C1
                                                                                                                                                                                                      • Part of subcall function 00436980: CreateCompatibleDC.GDI32(00000000), ref: 004369D0
                                                                                                                                                                                                      • Part of subcall function 00436980: CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 004369DB
                                                                                                                                                                                                      • Part of subcall function 00436980: SelectObject.GDI32(00000000,00000000), ref: 004369E7
                                                                                                                                                                                                      • Part of subcall function 00436980: BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,00CC0020), ref: 00436A0A
                                                                                                                                                                                                    • CoUninitialize.OLE32 ref: 0040D555
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Object$CompatibleCreateMetricsSystem$BitmapCurrentDeleteSelectUninitialize
                                                                                                                                                                                                    • String ID: &W-Q$9Y$?C*]$|qay$~wxH
                                                                                                                                                                                                    • API String ID: 3213364925-1959178137
                                                                                                                                                                                                    • Opcode ID: ae45af60d508102decc7da59701e9a4893ce939ff9a93b35a5cd895196908ad5
                                                                                                                                                                                                    • Instruction ID: aef483f231ee1e61a479db6060b0077f9689b526eef662d52e770a901b229f69
                                                                                                                                                                                                    • Opcode Fuzzy Hash: ae45af60d508102decc7da59701e9a4893ce939ff9a93b35a5cd895196908ad5
                                                                                                                                                                                                    • Instruction Fuzzy Hash: EEB115756047818BE325CF2AC4D0762BBE2FF96300B18C5ADC4D64BB86D738A806CB95
                                                                                                                                                                                                    Function 004186FC Relevance: 8.5, Strings: 6, Instructions: 1000COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: +$<$H)G+$NmNo$]a_c$tu
                                                                                                                                                                                                    • API String ID: 0-4096164410
                                                                                                                                                                                                    • Opcode ID: 6d71389cbb69697272ef7968fa8146cab96ec6b278bf575547bf9789760e162a
                                                                                                                                                                                                    • Instruction ID: c7a3f77f71ded0b9311dc6516a729683f4fb7c759b6558f4b3eb03d829b5ec1a
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6d71389cbb69697272ef7968fa8146cab96ec6b278bf575547bf9789760e162a
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 925216741093509FD724CF28C8917ABB7E1FF86314F184A6DE4D68B391DB38A845CB9A
                                                                                                                                                                                                    Function 0040AE30 Relevance: 7.8, Strings: 6, Instructions: 344COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: 8)*6$8)*6$:33F$Ds$]f$}v
                                                                                                                                                                                                    • API String ID: 0-771823803
                                                                                                                                                                                                    • Opcode ID: 7a3e19719626faba5c99d689b52e2aeecc2c57281bd7adea87c94ef03e1a3679
                                                                                                                                                                                                    • Instruction ID: 415c6ff438417329eae15ed8e7d658c137838348542c9c9b1d71c747cb23f456
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 7a3e19719626faba5c99d689b52e2aeecc2c57281bd7adea87c94ef03e1a3679
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 88B1F67520C3408BD324CF6884546AFBBE1EFD2304F18896DE8D56B391D779890ACB9E
                                                                                                                                                                                                    Function 00425AF0 Relevance: 7.8, Strings: 6, Instructions: 289COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: )RSP$=^"\$B:$C@$K3$bX_^
                                                                                                                                                                                                    • API String ID: 0-3030200349
                                                                                                                                                                                                    • Opcode ID: b7b7d5e1b28ee3cbee9031abf066d5bdbea60043203f55f78b2bc464f190e4c2
                                                                                                                                                                                                    • Instruction ID: 361e1606381cfafdf419846c5dd42b56ab67650ac9a68572a77bc4f7112e5621
                                                                                                                                                                                                    • Opcode Fuzzy Hash: b7b7d5e1b28ee3cbee9031abf066d5bdbea60043203f55f78b2bc464f190e4c2
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 77B120B6E002288FDB20CF68DC427DEBBB1FB85314F1981A9E418AB351D7785D468F91
                                                                                                                                                                                                    Function 0043F150 Relevance: 6.8, Strings: 5, Instructions: 524COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: InitializeThunk
                                                                                                                                                                                                    • String ID: S"(w$S"(w$d5fg$d5fg$f
                                                                                                                                                                                                    • API String ID: 2994545307-2961185688
                                                                                                                                                                                                    • Opcode ID: deb92bf670ae709ad561b25b35214b4440f864299bd2f8ca6b994e53228b85f7
                                                                                                                                                                                                    • Instruction ID: d96f39f5747abd94facca9cdfd6dc8715fedad9b00cb7f1fec3a1bbed5632043
                                                                                                                                                                                                    • Opcode Fuzzy Hash: deb92bf670ae709ad561b25b35214b4440f864299bd2f8ca6b994e53228b85f7
                                                                                                                                                                                                    • Instruction Fuzzy Hash: E812C575A093519FC724CF18C880B2BB7E1AFC9314F18963EE8A4573A1D775DC098B9A
                                                                                                                                                                                                    Function 00428437 Relevance: 6.7, Strings: 5, Instructions: 469COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: "#$H}}C$J'N!$LMR|$vu~r
                                                                                                                                                                                                    • API String ID: 0-1530353048
                                                                                                                                                                                                    • Opcode ID: 8f0a109eb01666b980d5d4ea6aa88c69ad077d8ae26429a0f6b9f90d2ad26799
                                                                                                                                                                                                    • Instruction ID: 7cb9c3f936be8fd3a75d1e4abfb2bd6291e29c03686ec294c1ddfd7f13708a2f
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 8f0a109eb01666b980d5d4ea6aa88c69ad077d8ae26429a0f6b9f90d2ad26799
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0DE16CB5608351CFC7108F24A84126FB7E1AF96308F58487EE8C597342DB39DC05CB5A
                                                                                                                                                                                                    Function 004042B0 Relevance: 6.7, Strings: 5, Instructions: 464COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: )$)$IDAT$IEND$IHDR
                                                                                                                                                                                                    • API String ID: 0-3469842109
                                                                                                                                                                                                    • Opcode ID: f372f4cb5f00298efd3fc4362282583120594c95e814c0bcfa2cf688d961bdd6
                                                                                                                                                                                                    • Instruction ID: 257f26cc5f2a74aac9bf87ca9c2577b9cb81d69ed2dc1e03b5bd0bdbb9992778
                                                                                                                                                                                                    • Opcode Fuzzy Hash: f372f4cb5f00298efd3fc4362282583120594c95e814c0bcfa2cf688d961bdd6
                                                                                                                                                                                                    • Instruction Fuzzy Hash: C302E2B46083848FD704CF29D89176ABBE1EBC6304F14853EEA859B3D1D379D909CB96
                                                                                                                                                                                                    Function 004092A0 Relevance: 6.7, Strings: 5, Instructions: 452COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: !oW1$#"2.$C$P$RRP\
                                                                                                                                                                                                    • API String ID: 0-2182630447
                                                                                                                                                                                                    • Opcode ID: 9e5b2cc2ab5d07adaa8a414532c7643901df2a50596dff6e5731d4bc268ab305
                                                                                                                                                                                                    • Instruction ID: 099b8e97d4c783248d299f08155666f1876e613e1bac2d45a50adfc1c6749069
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9e5b2cc2ab5d07adaa8a414532c7643901df2a50596dff6e5731d4bc268ab305
                                                                                                                                                                                                    • Instruction Fuzzy Hash: B8C1167221C3918BD3258F29D49076BBFE2AFD3304F18896DE4D44B3C6D679890AC796
                                                                                                                                                                                                    Function 00429FE4 Relevance: 6.7, Strings: 5, Instructions: 437COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: ,fbV$d~`}$lvhu$ooKv$sf
                                                                                                                                                                                                    • API String ID: 0-4157365443
                                                                                                                                                                                                    • Opcode ID: d0a6585cca3ad9a47c54e6056bc46f80964016baf11be8ce0a27bf085c007181
                                                                                                                                                                                                    • Instruction ID: aaedd27545ab9ed709b9694aed24c663919bae5b675873c34d327438eaef385a
                                                                                                                                                                                                    • Opcode Fuzzy Hash: d0a6585cca3ad9a47c54e6056bc46f80964016baf11be8ce0a27bf085c007181
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 14E139B15483518FD714CF24D8817ABB7E2AFD1304F48896DE9D587382E679E908C78B
                                                                                                                                                                                                    Function 00409790 Relevance: 5.4, Strings: 4, Instructions: 415COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: *+$kh$nz${u
                                                                                                                                                                                                    • API String ID: 0-424779605
                                                                                                                                                                                                    • Opcode ID: 0a6dafd6ef2ba7b0d43a2a51019282152f096bc3ad18055503bec8102e7ee30b
                                                                                                                                                                                                    • Instruction ID: 1b29a9faac5300f3ffc5f62fe3d46617b85d137f0c3ce0abae63967b27c05819
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0a6dafd6ef2ba7b0d43a2a51019282152f096bc3ad18055503bec8102e7ee30b
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 2AD103716087508BD724DF35C851BABBBE2EFC1318F18896DE4D59B392D638C809CB46
                                                                                                                                                                                                    Function 0042FCBC Relevance: 5.3, Strings: 4, Instructions: 335COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: BVAI$_Pna$mc$t
                                                                                                                                                                                                    • API String ID: 0-1770441902
                                                                                                                                                                                                    • Opcode ID: a6be79c1421af0b4b0c922728e2635db4fbde982ee4162c8bdd7ea1edf433783
                                                                                                                                                                                                    • Instruction ID: 048c6723a0782cba0ed5f5bfde42b0dc355c8231af3653691a455654dcaa2d5e
                                                                                                                                                                                                    • Opcode Fuzzy Hash: a6be79c1421af0b4b0c922728e2635db4fbde982ee4162c8bdd7ea1edf433783
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 03A1C37050C3D18AE739CF2594103ABBBE1AFD7304F58897ED0D997382DB79814A8B5A
                                                                                                                                                                                                    Function 0042EA62 Relevance: 5.3, Strings: 4, Instructions: 331COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: 0$8<j?$D$4b
                                                                                                                                                                                                    • API String ID: 0-1320392364
                                                                                                                                                                                                    • Opcode ID: c5bccc6a1462223a6a16399cddfc4de50993b4880fcb804883e5cf7c287459bb
                                                                                                                                                                                                    • Instruction ID: 2b7b52935a6d5b5a4047c1575b3543403dadbc3efec4758ce9a79863674c7261
                                                                                                                                                                                                    • Opcode Fuzzy Hash: c5bccc6a1462223a6a16399cddfc4de50993b4880fcb804883e5cf7c287459bb
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9F91F66030C3918BD718CF3A946136BBBD19FD6314F69896EE4D68B391D23CC406871A
                                                                                                                                                                                                    Function 0042A9F7 Relevance: 5.3, Strings: 4, Instructions: 328COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: v$v$bt$zi
                                                                                                                                                                                                    • API String ID: 0-1945541540
                                                                                                                                                                                                    • Opcode ID: 295c829244e78f24e812d08f7068f6e887247ac70f2c98393ecae3702f4aeb52
                                                                                                                                                                                                    • Instruction ID: bba7ce1cbd9d7b5964ace128991244c7d88d52c60c2cfa081a52f8c92ce1e01e
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 295c829244e78f24e812d08f7068f6e887247ac70f2c98393ecae3702f4aeb52
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 48D1687260C3558FD725CF28D45069FFBE6EBC4304F06892DE8A99B281D774D60ACB86
                                                                                                                                                                                                    Function 0041BBA0 Relevance: 5.3, Strings: 4, Instructions: 325COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: 'P0V$,D,J$9HiN$WT
                                                                                                                                                                                                    • API String ID: 0-3770969982
                                                                                                                                                                                                    • Opcode ID: db0a98afcbfdb664a44cceaff5c849975bf5989fe3d7f245b03da2a88515caab
                                                                                                                                                                                                    • Instruction ID: 1a2b24427ca50ea0613cce179253f9256e84f06a3d156f412d4f3691be65671a
                                                                                                                                                                                                    • Opcode Fuzzy Hash: db0a98afcbfdb664a44cceaff5c849975bf5989fe3d7f245b03da2a88515caab
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 72B123B664D3549BD304CF62D8802AFBBE2FBC1314F098D2DE1C897341D779884A8B86
                                                                                                                                                                                                    Function 00421E70 Relevance: 4.2, Strings: 3, Instructions: 435COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: (ijkdefgau`c$au`c$defgau`c
                                                                                                                                                                                                    • API String ID: 0-3415814675
                                                                                                                                                                                                    • Opcode ID: c3efea4fa2bab3c823527f8003c6373997cd92d148a9c0371e5379c7b59358e5
                                                                                                                                                                                                    • Instruction ID: e077c08026441789f2384525beb931856e433a8fb10ce9bf48ff95afe867dbef
                                                                                                                                                                                                    • Opcode Fuzzy Hash: c3efea4fa2bab3c823527f8003c6373997cd92d148a9c0371e5379c7b59358e5
                                                                                                                                                                                                    • Instruction Fuzzy Hash: E8D10FB16083509FC714DF28C891B6BBBE1EFC5318F18892DE9858B391E7B9D805CB56
                                                                                                                                                                                                    Function 00434CEF Relevance: 4.2, Strings: 3, Instructions: 429COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: $$.$K
                                                                                                                                                                                                    • API String ID: 0-4278605028
                                                                                                                                                                                                    • Opcode ID: d51ca7546fb35149707e9a4e558836ac4b566572d278ca2866f6bef816fa7ae2
                                                                                                                                                                                                    • Instruction ID: 6a15d43e6d9dc7541644536baa1fca88b34eed3a23bb6af0385b7f8a4183f52c
                                                                                                                                                                                                    • Opcode Fuzzy Hash: d51ca7546fb35149707e9a4e558836ac4b566572d278ca2866f6bef816fa7ae2
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 69029E71614BC08BE3158F3DC891392BFE2AB56304F1CC9AED4DACB787C229E5458B65
                                                                                                                                                                                                    Function 0042EB5F Relevance: 4.1, Strings: 3, Instructions: 313COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: 8<j?$D$4b
                                                                                                                                                                                                    • API String ID: 0-2390459867
                                                                                                                                                                                                    • Opcode ID: d7cf588a064f1155daa4d7c44af41ec226caa0cd09314393bb3aaf469a1037c3
                                                                                                                                                                                                    • Instruction ID: 3d775767d977819f4cd04dfa65fb75d6d4b79ad1faca8718d285b39be461a68a
                                                                                                                                                                                                    • Opcode Fuzzy Hash: d7cf588a064f1155daa4d7c44af41ec226caa0cd09314393bb3aaf469a1037c3
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1781F86020C3928BD719CF3A946137BBFD19FD6314F69896EE4D68B381D27DC406871A
                                                                                                                                                                                                    Function 0042EBB3 Relevance: 4.1, Strings: 3, Instructions: 313COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: 8<j?$D$4b
                                                                                                                                                                                                    • API String ID: 0-2390459867
                                                                                                                                                                                                    • Opcode ID: d59d36acd5cd2e828688b9d714447d50828384055e21535b96a5200c43e5d42a
                                                                                                                                                                                                    • Instruction ID: e8062cfa3f92b269e517a95a0a15263ae71e3fa69566e020a52e9e5137cfccfc
                                                                                                                                                                                                    • Opcode Fuzzy Hash: d59d36acd5cd2e828688b9d714447d50828384055e21535b96a5200c43e5d42a
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7281F86030C3928BD718CF3A946136BBBD19FD6314F69896EE4D68B381D27DC406875A
                                                                                                                                                                                                    Function 00408F90 Relevance: 4.1, Strings: 3, Instructions: 304COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: #=0$Z$ut
                                                                                                                                                                                                    • API String ID: 0-1971374411
                                                                                                                                                                                                    • Opcode ID: be4ac88b631f695b8da9113a151050db4f90e52ffa014f1e1e87b4b39f4c50ae
                                                                                                                                                                                                    • Instruction ID: eba545bab416a68370d8833e2e81319f1cd74d48ef4740c2d23370f5f56f4d51
                                                                                                                                                                                                    • Opcode Fuzzy Hash: be4ac88b631f695b8da9113a151050db4f90e52ffa014f1e1e87b4b39f4c50ae
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4681E23120C7829AD7058F39845026BBFE1AFA7314F1889AED4D1AB3C7D639C90AC756
                                                                                                                                                                                                    Function 0042EBA1 Relevance: 4.0, Strings: 3, Instructions: 290COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: 8<j?$D$4b
                                                                                                                                                                                                    • API String ID: 0-2390459867
                                                                                                                                                                                                    • Opcode ID: 9551c1296e75a185e8b16465c2714311d826185385f0d2d897db6609d4c85006
                                                                                                                                                                                                    • Instruction ID: b31d7765b50fe5da72acd4eceaa3461b1016088ded1e177ce8b27f3ca53c8b68
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9551c1296e75a185e8b16465c2714311d826185385f0d2d897db6609d4c85006
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7E81E8602083918BD719CF3A946136BFFD29FE6314F6D496EE4D18B381D23CC5068B5A
                                                                                                                                                                                                    Function 00442D20 Relevance: 4.0, Strings: 3, Instructions: 282COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: InitializeThunk
                                                                                                                                                                                                    • String ID: D`a&$NMNO$bX_^
                                                                                                                                                                                                    • API String ID: 2994545307-620122162
                                                                                                                                                                                                    • Opcode ID: d05b069c2774e5dca8c6c82d0cc5445501065ceaccfd0e13c7886a15adc59c0e
                                                                                                                                                                                                    • Instruction ID: 6e9e5fc7c2cb7ec0ed59593f00f51acd5d9bbc11244cb29e2d173750d6d6eb6d
                                                                                                                                                                                                    • Opcode Fuzzy Hash: d05b069c2774e5dca8c6c82d0cc5445501065ceaccfd0e13c7886a15adc59c0e
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 558167312083014FE318DF24DC8166BB7A2EBC5328F69862DE5A54B391DB79ED0AC759
                                                                                                                                                                                                    Function 0041825B Relevance: 4.0, Strings: 3, Instructions: 231COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: )$7$gfff
                                                                                                                                                                                                    • API String ID: 0-3859371245
                                                                                                                                                                                                    • Opcode ID: efcf1df4711dd3b4980222b1e3f150a22642c4af62dee3075cfc2de176e6feb6
                                                                                                                                                                                                    • Instruction ID: 9f03ba7914f0360cb7709cea8ad3b28f347f0d2189de7c473bd193f5a0b7fd0c
                                                                                                                                                                                                    • Opcode Fuzzy Hash: efcf1df4711dd3b4980222b1e3f150a22642c4af62dee3075cfc2de176e6feb6
                                                                                                                                                                                                    • Instruction Fuzzy Hash: D4812572A142118BD324CF28DC417AB77E2EBC8314F18C92ED985DB395EB3CD8468785
                                                                                                                                                                                                    Function 00427133 Relevance: 4.0, Strings: 3, Instructions: 219COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: FOOE$KGFU$UUQg
                                                                                                                                                                                                    • API String ID: 0-2281124432
                                                                                                                                                                                                    • Opcode ID: aa3e6234d37e5ff48adc82abd2c06de17444a92e0354e9c2c603a59569284f89
                                                                                                                                                                                                    • Instruction ID: e3d0f05a3102c402a5be3d16b6d50dde008b8d5973f854c9b7a8b98ef3316d4d
                                                                                                                                                                                                    • Opcode Fuzzy Hash: aa3e6234d37e5ff48adc82abd2c06de17444a92e0354e9c2c603a59569284f89
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9A619D72B49262CFD710CBA4D8402AAF7A2EF55310B5D42ABD8558B382E33CDD12D3A5
                                                                                                                                                                                                    Function 0041AF24 Relevance: 3.9, Strings: 3, Instructions: 196COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: 5230$I`af$t]ae
                                                                                                                                                                                                    • API String ID: 0-812676372
                                                                                                                                                                                                    • Opcode ID: 69b55e9c59f984ca031ddda7f553905b2866cdbf307ebf2f1898f1c112d00d2e
                                                                                                                                                                                                    • Instruction ID: cc3bff843b66776ddd05c04f0bda8cfb631fd3a3b5e3538274f97fe5caba7e22
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 69b55e9c59f984ca031ddda7f553905b2866cdbf307ebf2f1898f1c112d00d2e
                                                                                                                                                                                                    • Instruction Fuzzy Hash: D7515972A15B804FD738CF66C891767BBE3ABA5304F19896DC1C287695DABCA405C704
                                                                                                                                                                                                    Function 0041DAD0 Relevance: 3.9, Strings: 3, Instructions: 156COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: 1$5230$A
                                                                                                                                                                                                    • API String ID: 0-2921844354
                                                                                                                                                                                                    • Opcode ID: 2f0b92b3633f1c98435bd7295618cc795514d651c00833ac90ced833c2e04a77
                                                                                                                                                                                                    • Instruction ID: e76a71f95e24524307293e01d01a6f58a23ad2f1a40c0433447d02162c8ae966
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 2f0b92b3633f1c98435bd7295618cc795514d651c00833ac90ced833c2e04a77
                                                                                                                                                                                                    • Instruction Fuzzy Hash: F8416972A5C3405AE324AE65CC827ABB6D3EBD1324F18C93EF1D9472C5E9F848428316
                                                                                                                                                                                                    Function 00414C20 Relevance: 3.5, Strings: 2, Instructions: 989COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: NP,?$UA
                                                                                                                                                                                                    • API String ID: 0-2573221895
                                                                                                                                                                                                    • Opcode ID: 813f516fed63c72ca3bf17ef7764154db6e20e3e50629bbb0b438f72444d9df9
                                                                                                                                                                                                    • Instruction ID: 7e2827b50fa6ca7fd58d98589243822aea337e03717d5c259c09a672e0419966
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 813f516fed63c72ca3bf17ef7764154db6e20e3e50629bbb0b438f72444d9df9
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1F522475608310DBD714DF28DC82BAB73A2EBC6314F58463DF995872E1E738A846C789
                                                                                                                                                                                                    Function 0041F6D0 Relevance: 3.3, Strings: 2, Instructions: 817COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: 9B$B
                                                                                                                                                                                                    • API String ID: 0-4208784936
                                                                                                                                                                                                    • Opcode ID: 986acf23185ab1b50e6ad9565e7f762b14932ce870d5dbc259a2a73c0999a18c
                                                                                                                                                                                                    • Instruction ID: b8962ee0846928653caa32ab1d9872d6313577c24d17d84896ac92dc99d0ed25
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 986acf23185ab1b50e6ad9565e7f762b14932ce870d5dbc259a2a73c0999a18c
                                                                                                                                                                                                    • Instruction Fuzzy Hash: EF72B1B1619F808ED329CF3C8805397BFD6AB5A324F188B5EA0FA877D2C77561018756
                                                                                                                                                                                                    Function 00404DC0 Relevance: 3.3, Strings: 2, Instructions: 792COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: 0$8
                                                                                                                                                                                                    • API String ID: 0-46163386
                                                                                                                                                                                                    • Opcode ID: 9612933fc297b7a00c689e7fbac69d4004b63af12444fb0bab41654d38c377b2
                                                                                                                                                                                                    • Instruction ID: e9fa4f5d571cc9b4581d9cfd2bfe47746d9f72a1d82526b1dd5866670584724d
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9612933fc297b7a00c689e7fbac69d4004b63af12444fb0bab41654d38c377b2
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 78720071508740AFD710CF18C884BABBBE1EB89314F04892EF9999B391D379D958CF96
                                                                                                                                                                                                    Function 0042B170 Relevance: 2.9, Strings: 2, Instructions: 428COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: {wBy$?;;
                                                                                                                                                                                                    • API String ID: 0-3800777323
                                                                                                                                                                                                    • Opcode ID: 0391eef4f66e27ec324ee0bdb208b3ba8a61a3bb00443cccaa8d3f35c85cd4d0
                                                                                                                                                                                                    • Instruction ID: c7db1f9763108cdebf81104c4566820d91597438b4a38115d6d9003e34c696d3
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0391eef4f66e27ec324ee0bdb208b3ba8a61a3bb00443cccaa8d3f35c85cd4d0
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1AF1F1B4A08350DFD3159F28E89172BB7E1EF86308F484A6DF4D5872A2D3399901DB5A
                                                                                                                                                                                                    Function 00431E8E Relevance: 2.9, Strings: 2, Instructions: 383COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: nz$nz
                                                                                                                                                                                                    • API String ID: 0-4002586851
                                                                                                                                                                                                    • Opcode ID: 657b8ad3b5a701e97fdb508390c6d00fb43f0f4f68eec0077ab5ee9a3c7d2eea
                                                                                                                                                                                                    • Instruction ID: a3c1cfee1f99e453375e064e447a228442ae2f14524e15aa7be5cf63e3ec65e5
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 657b8ad3b5a701e97fdb508390c6d00fb43f0f4f68eec0077ab5ee9a3c7d2eea
                                                                                                                                                                                                    • Instruction Fuzzy Hash: ACE11872608B808FD315CA3CC891396FFE2AFDA314F1D866DC5EA8B392D675A406C715
                                                                                                                                                                                                    Function 00427490 Relevance: 2.8, Strings: 2, Instructions: 284COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: o~$yr
                                                                                                                                                                                                    • API String ID: 0-1013308823
                                                                                                                                                                                                    • Opcode ID: c9d48b95859aed5604db22a7b535e1b994fc6fc23f247b972c2d66fa384cb495
                                                                                                                                                                                                    • Instruction ID: 9949b5826033667454bdd212c251d03fc0b1eef30724b4879d74d6325ed2a79f
                                                                                                                                                                                                    • Opcode Fuzzy Hash: c9d48b95859aed5604db22a7b535e1b994fc6fc23f247b972c2d66fa384cb495
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 48913975A0C3208BD320DF19D84066BBBE2EFD5324F09892DE9D95B391E7B8C905C786
                                                                                                                                                                                                    Function 00428280 Relevance: 2.6, Strings: 2, Instructions: 70COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: :7$%$:7$%
                                                                                                                                                                                                    • API String ID: 0-2391988857
                                                                                                                                                                                                    • Opcode ID: f10387fb3a1dea8b0350fba9c1e9ca61dc6ddde05eb87b29ee48f7488e223d9f
                                                                                                                                                                                                    • Instruction ID: 0de6392d9aeb990522659998ecc2397938767f988235b0ae13ec08bed24327b9
                                                                                                                                                                                                    • Opcode Fuzzy Hash: f10387fb3a1dea8b0350fba9c1e9ca61dc6ddde05eb87b29ee48f7488e223d9f
                                                                                                                                                                                                    • Instruction Fuzzy Hash: BA21F1701093908BD7089B69C865B6FFBE4AB86318F105A2DE1D2872D1DBB48809CB82
                                                                                                                                                                                                    Function 0044042D Relevance: 2.5, Strings: 2, Instructions: 44COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: 7&'$$vA\
                                                                                                                                                                                                    • API String ID: 0-2621209329
                                                                                                                                                                                                    • Opcode ID: f2599c7c96a7284751bba45eaee817ab4aef05cb3a374ec363b854a8fb74a6dc
                                                                                                                                                                                                    • Instruction ID: 095e66cfb836127910944c44464487434cf5069dbd9256ca3ed79a62a3e9a21d
                                                                                                                                                                                                    • Opcode Fuzzy Hash: f2599c7c96a7284751bba45eaee817ab4aef05cb3a374ec363b854a8fb74a6dc
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 02F09C745145544BEB918F7C98996BF67F0F713214F302BB5C65AE32A2C634C8914F0C
                                                                                                                                                                                                    Function 0041194F Relevance: 2.2, APIs: 1, Instructions: 666COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • RtlExpandEnvironmentStrings.NTDLL ref: 00411D64
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: EnvironmentExpandStrings
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 237503144-0
                                                                                                                                                                                                    • Opcode ID: 7cd814f07503108b401f8375ab37499eb4f108dc70f145f49585bda23ac5c5ec
                                                                                                                                                                                                    • Instruction ID: a8cfc5bf14821c73dd49e5f1522f5c4ec20a02328b59693b871348f0b0df5eb8
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 7cd814f07503108b401f8375ab37499eb4f108dc70f145f49585bda23ac5c5ec
                                                                                                                                                                                                    • Instruction Fuzzy Hash: E4420A71A04B408FD714DF38D9813A6BBE1AF95314F188A3ED5EB8B3D2D639A446C706
                                                                                                                                                                                                    Function 0043CD27 Relevance: 2.0, Strings: 1, Instructions: 747COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: /p
                                                                                                                                                                                                    • API String ID: 0-62938030
                                                                                                                                                                                                    • Opcode ID: f05dc9b10545ef86860d8fcbb8867fd065d1046c62c590d4d0da79f29562f858
                                                                                                                                                                                                    • Instruction ID: ba8b9978e2f20e60afdbbdaba48a15688935c3ff76d45a9363d37c1b9ca99bef
                                                                                                                                                                                                    • Opcode Fuzzy Hash: f05dc9b10545ef86860d8fcbb8867fd065d1046c62c590d4d0da79f29562f858
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7C32003AA18351CBD7049F39D81226BB7E1FF9A320F19887ED8C183291E779C955C786
                                                                                                                                                                                                    Function 00437B69 Relevance: 1.7, APIs: 1, Instructions: 227COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Object
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2936123098-0
                                                                                                                                                                                                    • Opcode ID: 5bfd6ba3a5852fa2e976878255e20d7f7abe229613a7257217ba93b1cb630f99
                                                                                                                                                                                                    • Instruction ID: c3200330e68ce6aff19a63fed1a4000c560c1f69ed3aeb6105e6dfa3e47a6751
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5bfd6ba3a5852fa2e976878255e20d7f7abe229613a7257217ba93b1cb630f99
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9C91C3B1E042548FCB18CF6CC89179EBBF2AF89310F2982ADD855AB391D7759C01CB91
                                                                                                                                                                                                    Function 00432426 Relevance: 1.7, Strings: 1, Instructions: 458COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: J
                                                                                                                                                                                                    • API String ID: 0-1141589763
                                                                                                                                                                                                    • Opcode ID: 5532c117ede87cb6d48dc4337908c912729bbac9ed68fbb5a41ad98824fdc125
                                                                                                                                                                                                    • Instruction ID: fda16036ad69fd6001319f3414ba3134900024cf57a0a68240a2308677c6b07d
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5532c117ede87cb6d48dc4337908c912729bbac9ed68fbb5a41ad98824fdc125
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 82127D71609AC18FE3158B38C591392BFE1AB66304F1CC9AEC4EACB387D63AD5068755
                                                                                                                                                                                                    Function 004374AB Relevance: 1.7, APIs: 1, Instructions: 196COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Object
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2936123098-0
                                                                                                                                                                                                    • Opcode ID: 8c177a64a41d46644310acd39af35d0db7563ee412bdb5cae8b7e221a38126ae
                                                                                                                                                                                                    • Instruction ID: 45239876aaa66c970168bcac432cbab02119562676560ecae2c3189c67bbcca7
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 8c177a64a41d46644310acd39af35d0db7563ee412bdb5cae8b7e221a38126ae
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 6571C7B1E046508FC718CF6CC851359BFF2AB99314F2982ADD8999F3D2D6759C06CB81
                                                                                                                                                                                                    Function 00435D13 Relevance: 1.7, APIs: 1, Instructions: 189memoryCOMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AllocString
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2525500382-0
                                                                                                                                                                                                    • Opcode ID: 895e7198797d061cd482444d9cbd8ead717cf4916029d31f9be37df0205ba546
                                                                                                                                                                                                    • Instruction ID: f2a30e19a756ef2febaf58aa14edd62971e43cb539abc4116fa3d4166735a6c9
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 895e7198797d061cd482444d9cbd8ead717cf4916029d31f9be37df0205ba546
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 51913A21208BC28ED3268B3C88486157F915B67228F2C87DCE0FA8F7E7C6568107C366
                                                                                                                                                                                                    Function 0043443D Relevance: 1.7, APIs: 1, Instructions: 188memoryCOMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AllocString
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2525500382-0
                                                                                                                                                                                                    • Opcode ID: 39e24c8850327072088eaf22e3eb4f87a5337c0b3ab686e23b697ac4ab5ffa30
                                                                                                                                                                                                    • Instruction ID: 615ca32909d59e4e98a0e547278d02967b49bf7f3b148c397c41720c4b96474d
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 39e24c8850327072088eaf22e3eb4f87a5337c0b3ab686e23b697ac4ab5ffa30
                                                                                                                                                                                                    • Instruction Fuzzy Hash: EB912C11208BC28EC326CA3C88586557F921BA7228F2D87DDD0FA8F7D7C7669507C766
                                                                                                                                                                                                    Function 00422380 Relevance: 1.6, Strings: 1, Instructions: 396COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: :;
                                                                                                                                                                                                    • API String ID: 0-3581617570
                                                                                                                                                                                                    • Opcode ID: 303de10fff242c4ff705677ea5eca08dca5e362961479335f7d5ab6b711b2e43
                                                                                                                                                                                                    • Instruction ID: a8ce0ab78c4be7f089376efb71ad2075c1d737e56b9c5b96f1916c659004ebff
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 303de10fff242c4ff705677ea5eca08dca5e362961479335f7d5ab6b711b2e43
                                                                                                                                                                                                    • Instruction Fuzzy Hash: FCA11972605320ABD7109F24ED8276B73E0EF85358F88852EF8959B391E3BCDD05875A
                                                                                                                                                                                                    Function 0043C5A0 Relevance: 1.6, Strings: 1, Instructions: 385COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: NP,?
                                                                                                                                                                                                    • API String ID: 0-3110377521
                                                                                                                                                                                                    • Opcode ID: 4292c81706fc5104aea80fe8ef179a1662a25d3dca60aede90bca8e2f2b4382c
                                                                                                                                                                                                    • Instruction ID: f65ccde577a60585fc50111e68a200c88a0f1f1b3df19762a23bd62bb81c5e5c
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 4292c81706fc5104aea80fe8ef179a1662a25d3dca60aede90bca8e2f2b4382c
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5DA18E75A083209BD324DF19CCC173BB3A6EBC9324F19962EE995673D1D738AC018799
                                                                                                                                                                                                    Function 0041BEE1 Relevance: 1.6, Strings: 1, Instructions: 341COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: ''
                                                                                                                                                                                                    • API String ID: 0-694448769
                                                                                                                                                                                                    • Opcode ID: 3b0b746955fa4b0b429feefe4d7ac8e528ed3bbb5661132fa39252583aba68ff
                                                                                                                                                                                                    • Instruction ID: 51f56407e220038c845c571476400c53c6676d21aaa49407b98741bf0e440936
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 3b0b746955fa4b0b429feefe4d7ac8e528ed3bbb5661132fa39252583aba68ff
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 589124756483108BC3148F28CC912ABB7E2EFD5354F18D92DE8D58B391E778C945C79A
                                                                                                                                                                                                    Function 00416ED0 Relevance: 1.6, Strings: 1, Instructions: 330COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: *+
                                                                                                                                                                                                    • API String ID: 0-2181965719
                                                                                                                                                                                                    • Opcode ID: 3410610abae8d48260fb0cfb57a2c63bba9af19cc751d7d22af9eb137d7409aa
                                                                                                                                                                                                    • Instruction ID: a6a176cfa994aee3612649f895d437fda5b17e7ce8ddb12fb8ae0738439bb6c9
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 3410610abae8d48260fb0cfb57a2c63bba9af19cc751d7d22af9eb137d7409aa
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0BB177B15093818BD7318F25C8917EBBBF1EF96314F18892DD4C98B391EB384446CB8A
                                                                                                                                                                                                    Function 0040DFE2 Relevance: 1.6, Strings: 1, Instructions: 311COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: UXY^
                                                                                                                                                                                                    • API String ID: 0-1486013802
                                                                                                                                                                                                    • Opcode ID: 6a3e78332c11f0f55536a65cbe22653fee9e07ab791520d2a790fd43c4da64a1
                                                                                                                                                                                                    • Instruction ID: d4a14a9f2c2f0854964ffc34a88a484fd9aac6a31bc7c6ca58301aeff22ad83a
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6a3e78332c11f0f55536a65cbe22653fee9e07ab791520d2a790fd43c4da64a1
                                                                                                                                                                                                    • Instruction Fuzzy Hash: B79135B5504B418FD315CF2AC990622FBA2FF96300B188AACC0D24FB56C738E816CF95
                                                                                                                                                                                                    Function 00442470 Relevance: 1.5, Strings: 1, Instructions: 294COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: InitializeThunk
                                                                                                                                                                                                    • String ID: _\]R
                                                                                                                                                                                                    • API String ID: 2994545307-1576797437
                                                                                                                                                                                                    • Opcode ID: 40b2a5fcce8fbd99e35ebddbeea2a32485a095c58c85b1bcf33869944168392c
                                                                                                                                                                                                    • Instruction ID: 67d2bc21efa779ec1b2302c596d4d55850990720b38256b1c81cc65d81c9891d
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 40b2a5fcce8fbd99e35ebddbeea2a32485a095c58c85b1bcf33869944168392c
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 729114315083119BD718DF28D9A0A2FB7E2EFD9314F59862DF48697391E774E802C78A
                                                                                                                                                                                                    Function 00427F30 Relevance: 1.5, Strings: 1, Instructions: 280COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: InitializeThunk
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2994545307-3019521637
                                                                                                                                                                                                    • Opcode ID: 862311005c7391fdfde23addbd4ed3329e2a257a31929c347f63ca686a793f95
                                                                                                                                                                                                    • Instruction ID: 7661637dc5d8e8a5c488f056d59cc6aa38c937314abadac712079a8ab4c4f304
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 862311005c7391fdfde23addbd4ed3329e2a257a31929c347f63ca686a793f95
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 308157717093209BD7149B25AC92B3F73A1EF81314F59862EE985573C1EB3C9C1A839A
                                                                                                                                                                                                    Function 00433930 Relevance: 1.5, Strings: 1, Instructions: 257COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: d
                                                                                                                                                                                                    • API String ID: 0-2564639436
                                                                                                                                                                                                    • Opcode ID: 325107a9566a89f4a2dda67f40c17af6b5e3dbb094075e2adb6cc49459ad4378
                                                                                                                                                                                                    • Instruction ID: ef403fb1259512c9711d70f2e7d5f4cfd006a755ed026aeb3bab0d0ce1423d2c
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 325107a9566a89f4a2dda67f40c17af6b5e3dbb094075e2adb6cc49459ad4378
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 49816827759AD04BD7289E3C4C6127ABE830BD6230F2DD77EB5F68B3E2D56889018345
                                                                                                                                                                                                    Function 004427B0 Relevance: 1.5, Strings: 1, Instructions: 247COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: =^"\
                                                                                                                                                                                                    • API String ID: 0-2152245029
                                                                                                                                                                                                    • Opcode ID: 30c79af13426789e40e09411e713427a5fad7c453bf973c8dd38d9b25f6a572f
                                                                                                                                                                                                    • Instruction ID: 31f6d952e69ddc92c57c3d15082e8394249c76af6de0d574896d183d93ceef01
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 30c79af13426789e40e09411e713427a5fad7c453bf973c8dd38d9b25f6a572f
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4281DE383052019BE724DF1CD990A2BB3E2EF89314F54866DF9858B3A0DB35EC51CB0A
                                                                                                                                                                                                    Function 0042D830 Relevance: 1.5, Strings: 1, Instructions: 236COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: "
                                                                                                                                                                                                    • API String ID: 0-123907689
                                                                                                                                                                                                    • Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
                                                                                                                                                                                                    • Instruction ID: 6564e7b3ad14b453794cbf2f19722db2d5742acb1a2f8ce2a072c031a44184fe
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 23710432F083254BD714CE28E88071FBBE2ABC5710FA9852EE4958B391D239DD45878A
                                                                                                                                                                                                    Function 0041A900 Relevance: 1.5, Strings: 1, Instructions: 201COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: _;=8
                                                                                                                                                                                                    • API String ID: 0-3640539833
                                                                                                                                                                                                    • Opcode ID: 1d81db7cde41a3e0fb3553ca3b72ed2fa4290f6dd7cddc566a2c3c75c2eae2db
                                                                                                                                                                                                    • Instruction ID: e58a9c241393c577c0dbf69e703309a02622358f74323d7420d86702d8d0d07f
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 1d81db7cde41a3e0fb3553ca3b72ed2fa4290f6dd7cddc566a2c3c75c2eae2db
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 245112B0521B008BC7249F25C8616B3BBF1EF52345B084E5DC4C38BB45E739A948CBA5
                                                                                                                                                                                                    Function 00440BAB Relevance: 1.4, Strings: 1, Instructions: 109COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: }I\
                                                                                                                                                                                                    • API String ID: 0-3759065986
                                                                                                                                                                                                    • Opcode ID: df1d40a0c1601d316635205874302e9800cae571c9b88acd49baf0bd568f005e
                                                                                                                                                                                                    • Instruction ID: 06326f033c1d303d2a0c44ae50e6a95f42fac71f38a9198839615570ed5a6674
                                                                                                                                                                                                    • Opcode Fuzzy Hash: df1d40a0c1601d316635205874302e9800cae571c9b88acd49baf0bd568f005e
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 653126605546928BEB258F34C8A27B7BBB0FF47310F144759C8C18B785EB78A992CB85
                                                                                                                                                                                                    Function 00402EF0 Relevance: .7, Instructions: 670COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: 2a0560caf1e005bf9593c23293c27da937b43b9d2d83b6212584ccfc0756e270
                                                                                                                                                                                                    • Instruction ID: f14b1a32a054cc5d02357b16e4139c05c7a1a12d214dcc5fef3fcda50377de84
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 2a0560caf1e005bf9593c23293c27da937b43b9d2d83b6212584ccfc0756e270
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3C52F2715083458FCB14CF24C0806AABFE1BF89314F198A7EF8996B391D779DA49CB85
                                                                                                                                                                                                    Function 00406850 Relevance: .7, Instructions: 665COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: ac5a0a914cdb46c0dd636e39918af3488c68668d3e5188023bb58f14171f3048
                                                                                                                                                                                                    • Instruction ID: 65e2e910a3c29fe674c350ea84f17f1873166e83f436a48a2f56d7b4a0c34cae
                                                                                                                                                                                                    • Opcode Fuzzy Hash: ac5a0a914cdb46c0dd636e39918af3488c68668d3e5188023bb58f14171f3048
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7652E270A08B848FE731DB24C4847A7BBE1EB52310F15483ED5EB167C2D37DA9958B4A
                                                                                                                                                                                                    Function 0043080E Relevance: .6, Instructions: 614COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: 6f25be90f7b65d58be15c4d88bb4d641b8ec0ac9c1adb1457478fca83ecd3ec3
                                                                                                                                                                                                    • Instruction ID: 7a46f96e6aa3aa7fe73ff395c1311c5ab64b68b87e261d37d1a00d802d05be89
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6f25be90f7b65d58be15c4d88bb4d641b8ec0ac9c1adb1457478fca83ecd3ec3
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9942B4B0505B809FD315CF39C996793BFE1AB56314F18CA9ED4EE8B382C2399445CB91
                                                                                                                                                                                                    Function 00407620 Relevance: .6, Instructions: 612COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: a8bb466db5d070fb099be5cdb0fd94ca4abf5b60ced88e2066174f7cb2904948
                                                                                                                                                                                                    • Instruction ID: ccb3959594043c792932c0cfc7d39f61c3b1d77d2143a35f25ab615b2c98e1b5
                                                                                                                                                                                                    • Opcode Fuzzy Hash: a8bb466db5d070fb099be5cdb0fd94ca4abf5b60ced88e2066174f7cb2904948
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9812B432A0C7118BD725DF18D8806ABB3E1BFC4315F19893ED986A7385D738B8518B87
                                                                                                                                                                                                    Function 00403900 Relevance: .6, Instructions: 600COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: 302ca6eb955e12cdbb1b2a3d679feaf83e016e060d4fed8bf4a7c2766afae2b3
                                                                                                                                                                                                    • Instruction ID: 8ec60f5116ed2b9ea6bd41125fce4102d17c63a0885b3531693fd8b8e290e5dc
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 302ca6eb955e12cdbb1b2a3d679feaf83e016e060d4fed8bf4a7c2766afae2b3
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 09322370914B118FC328CF29C68052ABBF5BF85711B604A2ED697A7B90D73AF945CB18
                                                                                                                                                                                                    Function 00426C76 Relevance: .6, Instructions: 581COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: f0af6f60d34b4f0c8cbc000c65ea523940a6645594962f293f067da5df6a1c82
                                                                                                                                                                                                    • Instruction ID: d2e23a67c1903cd1e9c185385271eb72bcb916f6a4fd91b19e1fe5de6aa7faac
                                                                                                                                                                                                    • Opcode Fuzzy Hash: f0af6f60d34b4f0c8cbc000c65ea523940a6645594962f293f067da5df6a1c82
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4B122775B00226CBDB14CF68D8917AFB7B2FF8A300F5980A9C441AB3A5D7399D42DB54
                                                                                                                                                                                                    Function 00441B20 Relevance: .5, Instructions: 485COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: 06681fd06d7842ada82dae78e60d469ed9d6c6833ec0578904e50dff9852b5ef
                                                                                                                                                                                                    • Instruction ID: 0c2c903ba8ab9d1616d7dcc2afe94072de716e40dc01c7b757aa9311b81398a3
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 06681fd06d7842ada82dae78e60d469ed9d6c6833ec0578904e50dff9852b5ef
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 41E1ED35609340CFD348CF68E89062BB7E2FB8A315F19897DE98687362D738E945CB45
                                                                                                                                                                                                    Function 0040E9B0 Relevance: .5, Instructions: 474COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: c02c56f115fc56fc7ef3cf88c78f70bbdbcded8e53bb9888c4cf7ade8dd62519
                                                                                                                                                                                                    • Instruction ID: 0d842de8c269587a107e17bcba800491c000644a8f7bd6d00a783dd33ebb532c
                                                                                                                                                                                                    • Opcode Fuzzy Hash: c02c56f115fc56fc7ef3cf88c78f70bbdbcded8e53bb9888c4cf7ade8dd62519
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5D123CF0900B00AFC360DF39D946797BFE8EB46360F144A2EE5EE97281D73561158BA6
                                                                                                                                                                                                    Function 00405AB0 Relevance: .4, Instructions: 448COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: e66362c8fb9e42a485a20769d13899b4c0de8f0fb50873082383503af3f25fbe
                                                                                                                                                                                                    • Instruction ID: c31a76099084191e3034c22a37ea28885ef806c0d431935db3893f7feff996f6
                                                                                                                                                                                                    • Opcode Fuzzy Hash: e66362c8fb9e42a485a20769d13899b4c0de8f0fb50873082383503af3f25fbe
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 92F1DE356087418FC724CF29C88066BFBE6EFD9300F08882EE5D597791E679E845CB96
                                                                                                                                                                                                    Function 00441BB0 Relevance: .4, Instructions: 434COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: 77e2c5d0afb397b189f10b5a8afc673ab41116975c883d7e1e0ede4eb514e053
                                                                                                                                                                                                    • Instruction ID: 324ad5c95dff1901f2f9d6c111dcb15fcefbb6efdba5ce0306a944ad1c6f7bef
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 77e2c5d0afb397b189f10b5a8afc673ab41116975c883d7e1e0ede4eb514e053
                                                                                                                                                                                                    • Instruction Fuzzy Hash: F0D1EC35619341CFD348CF28D89062BB7E2EB8A315F09897DE98687362D738E945CB45
                                                                                                                                                                                                    Function 00441C40 Relevance: .4, Instructions: 426COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: f50f095729c1c5a2da103129e24be9725e6393a4e914a9abcda81a05e9b3429f
                                                                                                                                                                                                    • Instruction ID: dc21f79cdc73c015b7bd86b7114b814d04dcd303e05c17d6c0f759f64c7459c0
                                                                                                                                                                                                    • Opcode Fuzzy Hash: f50f095729c1c5a2da103129e24be9725e6393a4e914a9abcda81a05e9b3429f
                                                                                                                                                                                                    • Instruction Fuzzy Hash: D4D1ED356193408FD358CF38D89062BB7E2EBCA315F09897DE88687392D738E905CB46
                                                                                                                                                                                                    Function 0041D400 Relevance: .4, Instructions: 389COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: 72020315f9591e10a925340aaa42bd314528023c988bae550c98a300e050c010
                                                                                                                                                                                                    • Instruction ID: 381d8ba9b41755d1dc6d15d311edfbcab53db212d726a0c48d74eb4341d637bc
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 72020315f9591e10a925340aaa42bd314528023c988bae550c98a300e050c010
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 63C146B5908300AFD7109F24DC81B9BBBE2BFD5354F148A2EF4E8932A1D77998458B46
                                                                                                                                                                                                    Function 00432B24 Relevance: .4, Instructions: 382COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: a42bc307b6df4b8a2997052392abae3ba1b04b865f6d04cebd1ac29fa035a6ac
                                                                                                                                                                                                    • Instruction ID: 1ceb5ad02d8bbd155c1732c87becb70ba2bb68f476a2c3c7809d4ed59241557d
                                                                                                                                                                                                    • Opcode Fuzzy Hash: a42bc307b6df4b8a2997052392abae3ba1b04b865f6d04cebd1ac29fa035a6ac
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4CF13B72605B808FD315CB3CC8513A6BFE2AF9A314F1C866DD1EB8B392D679A805C715
                                                                                                                                                                                                    Function 004354C4 Relevance: .4, Instructions: 379COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: 64d23a176a35810a23fac51187625fdecd54078f476d88896bd3dcd6ea4a90e6
                                                                                                                                                                                                    • Instruction ID: 3f1c9d1a024df14266348ce370e510d7f88b70138a1f1607deade05ec74f5600
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 64d23a176a35810a23fac51187625fdecd54078f476d88896bd3dcd6ea4a90e6
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3DF19B62625AC18FE3158B3DC811396FFE2AB66304F1CCAAED0D9CB787C12DE5418B55
                                                                                                                                                                                                    Function 004121DB Relevance: .3, Instructions: 328COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: 5a9f635dd852b41b7c60ed20ba741a58096cfaa4ee9890b2400d9fe663f5cf59
                                                                                                                                                                                                    • Instruction ID: d9e51bed8acac8e2edf38fb82beeca54912ebc64a1188df36e5052ebbd943c0e
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5a9f635dd852b41b7c60ed20ba741a58096cfaa4ee9890b2400d9fe663f5cf59
                                                                                                                                                                                                    • Instruction Fuzzy Hash: F3C117B5604B408FC7109F38D5D13A6BBE1AF55314F18893ED4EBCB382E679A456CB06
                                                                                                                                                                                                    Function 0041D0C0 Relevance: .3, Instructions: 307COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: 261da269869b40bfe185e36c4caea727d5cf95f090471bfb73278ec76fa3dc74
                                                                                                                                                                                                    • Instruction ID: caf67132f2853a10be2cec12a01a7e8acbb33fc6e304049243772e7507394de4
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 261da269869b40bfe185e36c4caea727d5cf95f090471bfb73278ec76fa3dc74
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 36913B72A082614BC715CE28C89169FBBE1AB85324F19867DECF95B3D2C238DC45D7D2
                                                                                                                                                                                                    Function 004063C0 Relevance: .3, Instructions: 303COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: 32a6d0b72cf3d2ffc0339e9a321dcc048d2014ea7503e5de902cc41c51ca1703
                                                                                                                                                                                                    • Instruction ID: b5a54add573a1b485231af3f9cb3d4e6e0a3023674c66bc51678a471f8a90890
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 32a6d0b72cf3d2ffc0339e9a321dcc048d2014ea7503e5de902cc41c51ca1703
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 35C15BB29087418FC360CF28DC96BABB7E1BF85318F09492DD1DAD6342E778A155CB46
                                                                                                                                                                                                    Function 00428B67 Relevance: .3, Instructions: 300COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: 445fa7bb5657631e2454b87089e2e6838ddfea7a1e3368e0ef13d83bf20e4199
                                                                                                                                                                                                    • Instruction ID: bb3a0c3427b6ad34a24ef151da1f5bba878f0071efde783ca6760e8be5e6876f
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 445fa7bb5657631e2454b87089e2e6838ddfea7a1e3368e0ef13d83bf20e4199
                                                                                                                                                                                                    • Instruction Fuzzy Hash: BFA122356087A1CFD7248F38A85136E77A2FF8A320F09866DE5A5873D1DB34AD10CB85
                                                                                                                                                                                                    Function 00408360 Relevance: .3, Instructions: 293COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: efceb4474c8754919e34955767b11e01cdcec574c0cdc4abedb62241ada74e8b
                                                                                                                                                                                                    • Instruction ID: e04948112db42d3daa275aef66cee61d38744a578a2e7a742b1881ec96335045
                                                                                                                                                                                                    • Opcode Fuzzy Hash: efceb4474c8754919e34955767b11e01cdcec574c0cdc4abedb62241ada74e8b
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 2A915B31A083564BC3119E24CA8425BBBD2ABC1310F19CA3ED8D1A73E9EE7DDC458BC5
                                                                                                                                                                                                    Function 00427070 Relevance: .3, Instructions: 280COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: 87ffeb648b9d3b2ccfc57117cdf1fc242bb3e2d04f71168daa08cd74ffe209e9
                                                                                                                                                                                                    • Instruction ID: 4e43b3032b5f77b82ebf5265758dd730748cf5b28328c74b298a748a547da810
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 87ffeb648b9d3b2ccfc57117cdf1fc242bb3e2d04f71168daa08cd74ffe209e9
                                                                                                                                                                                                    • Instruction Fuzzy Hash: A2915635E04225DFDB15CFA8D8907AEB7B2FF4A300F9980A9D502AB351D739AD42CB44
                                                                                                                                                                                                    Function 00442A60 Relevance: .3, Instructions: 256COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: bb21838f3ad10fc43b638198dd1134618e6e0b80ebbda8d61bfab39d96dcf556
                                                                                                                                                                                                    • Instruction ID: 6a93b08fa6992d126e12a7bd6c306b93c6ef3d764d3eda4b37502e868ad0b706
                                                                                                                                                                                                    • Opcode Fuzzy Hash: bb21838f3ad10fc43b638198dd1134618e6e0b80ebbda8d61bfab39d96dcf556
                                                                                                                                                                                                    • Instruction Fuzzy Hash: A581F0342043169FD724DF28C980A6BB3E1EF89324F58862DF9958B3A1E774EC11CB49
                                                                                                                                                                                                    Function 0043F820 Relevance: .3, Instructions: 254COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: 65fb0a9cf5c7a5beba6f5b7964eaa3617ac053cdeb6c41b82f3fd792d2c361b3
                                                                                                                                                                                                    • Instruction ID: fae485aafa8165bbfa862cfdd16e6316f883ffda102aca194f523248728328e0
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 65fb0a9cf5c7a5beba6f5b7964eaa3617ac053cdeb6c41b82f3fd792d2c361b3
                                                                                                                                                                                                    • Instruction Fuzzy Hash: D381B47160C3828FC319DE28C49062BBBE2AFC9314F198A7EE4D58B391D735D84AC756
                                                                                                                                                                                                    Function 00429ADE Relevance: .2, Instructions: 243COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: ff27bef942aa076814158b0aae043ce6e7546daa84f1ffa5fe42400bbafb5509
                                                                                                                                                                                                    • Instruction ID: c17fc45f9444ad44d9f96848d075c221a78d48c9dc0fb9f00e6e29a18ae657e2
                                                                                                                                                                                                    • Opcode Fuzzy Hash: ff27bef942aa076814158b0aae043ce6e7546daa84f1ffa5fe42400bbafb5509
                                                                                                                                                                                                    • Instruction Fuzzy Hash: C97167B2A087248FD7088F29D85133BB6D2ABC5314F49467DE8969F392DB349C01CB86
                                                                                                                                                                                                    Function 0042DBF0 Relevance: .2, Instructions: 240COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: 5e074d498d349d20c17923ebbca61cde330de8c03f771f91164867053bffb89f
                                                                                                                                                                                                    • Instruction ID: 3091657ee4cced5851ca4dbba440f74af0969c41cbc5f8964205a207b597f97a
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5e074d498d349d20c17923ebbca61cde330de8c03f771f91164867053bffb89f
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5771BAB450D3E08AE7358F25A59839BBFE1AFA3304F584A5DD0D90B392C735440ACB9B
                                                                                                                                                                                                    Function 0040CFEC Relevance: .2, Instructions: 234COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: c0272db486a5433980f84697cda1718a3c11d4939a8aa7d752475a23ba758509
                                                                                                                                                                                                    • Instruction ID: 6f13f5d4f3e8c77ab841d9a888d2aead65439f765ee3ddc41d93c1b162d9100a
                                                                                                                                                                                                    • Opcode Fuzzy Hash: c0272db486a5433980f84697cda1718a3c11d4939a8aa7d752475a23ba758509
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5B516A726057008FD329CF38CC92B577BA3AFD6314B1D866DC4964B796EB39A406C744
                                                                                                                                                                                                    Function 0041DCB0 Relevance: .2, Instructions: 221COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: 0462499cb7a09d73976aa631a93025f0bedcc576adcecb187d2c9b365651266e
                                                                                                                                                                                                    • Instruction ID: 4a8760de8a520384406f5fad9824bc60f729446c1310b2ee7c15e8b6ebb7b759
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0462499cb7a09d73976aa631a93025f0bedcc576adcecb187d2c9b365651266e
                                                                                                                                                                                                    • Instruction Fuzzy Hash: A5616E37B49A8047E72C8D3C5C5129ABA834BD7330B2DC77EE5B58B3E5D9A94C424345
                                                                                                                                                                                                    Function 0041A690 Relevance: .2, Instructions: 218COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: d937ac78293dbcfc8f2158b33ba3ca81f483dbea9d3a0e83d79815296469ed2d
                                                                                                                                                                                                    • Instruction ID: b37770cdf87477bf2dfa5a22c66fb25a4c567325bff618d86bd3e0eb2f8cdddf
                                                                                                                                                                                                    • Opcode Fuzzy Hash: d937ac78293dbcfc8f2158b33ba3ca81f483dbea9d3a0e83d79815296469ed2d
                                                                                                                                                                                                    • Instruction Fuzzy Hash: D8610737B668904BD7249A3C4C112EA6A130BD733473DC376E974CB3E6C62A8C564396
                                                                                                                                                                                                    Function 0042BBA0 Relevance: .2, Instructions: 207COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: c674e0c62231f339c99bb2794b7516979f28c7009b980525353c599bf5cd72a3
                                                                                                                                                                                                    • Instruction ID: 8f9bf87213cc9725e7ca00057ce5f8087594d7d424e623d20a35489e4cd6523a
                                                                                                                                                                                                    • Opcode Fuzzy Hash: c674e0c62231f339c99bb2794b7516979f28c7009b980525353c599bf5cd72a3
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3861EA317186254BD7249D2DE8C026BB7D2EBC5330F99872EE4B49B3E5D7389C418789
                                                                                                                                                                                                    Function 0041B484 Relevance: .2, Instructions: 201COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: d108ec3c31a6e082106ec2641685d2f0cef7a999d2fab56a64d23736b280515b
                                                                                                                                                                                                    • Instruction ID: 00f4e2759825dcf10c6fc0e57a4f65ea5fa50f8fe0cbaea4274dafa2f605c2a9
                                                                                                                                                                                                    • Opcode Fuzzy Hash: d108ec3c31a6e082106ec2641685d2f0cef7a999d2fab56a64d23736b280515b
                                                                                                                                                                                                    • Instruction Fuzzy Hash: BA4128726147414BD3298B35C8A23B3BBA3EBA6304F1C846EC4D38B756DB3DA50B8754
                                                                                                                                                                                                    Function 0040CA62 Relevance: .2, Instructions: 193COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: 7eb278277fedf1e8d52e66d84e555e82bab7541452ed5cead15742adef644b5f
                                                                                                                                                                                                    • Instruction ID: 618579726118e679aa1534d0b4440190eb114bb965ab7fb83873a39d39203c85
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 7eb278277fedf1e8d52e66d84e555e82bab7541452ed5cead15742adef644b5f
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3E5136766083118BC718DF64D89266BB7E2FFD4304F18DA2EE4C69B390DB749801C786
                                                                                                                                                                                                    Function 0041B667 Relevance: .2, Instructions: 193COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: 3c7ccca648bacceba5ebfdb24a7e27f770f2e897686419ce5b318d0413d75915
                                                                                                                                                                                                    • Instruction ID: 6085e876b09a2a4ee967cc73ad16ecd698c2875847a3188e517866274535cc44
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 3c7ccca648bacceba5ebfdb24a7e27f770f2e897686419ce5b318d0413d75915
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 6E4129726547414BD32A8A35C8623B3BB93EBE2304F1C946EC4D387792D77D940B8354
                                                                                                                                                                                                    Function 0043ACB0 Relevance: .2, Instructions: 189COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: bd2c80c23f364ae32a5c5ea9ca16968fea39fdfc7921c6944e5ca5627ebbab6b
                                                                                                                                                                                                    • Instruction ID: 0c6b8ba10c1c17cacf5a651755a68f3586d4d6297ac1e50e8e02080b14342633
                                                                                                                                                                                                    • Opcode Fuzzy Hash: bd2c80c23f364ae32a5c5ea9ca16968fea39fdfc7921c6944e5ca5627ebbab6b
                                                                                                                                                                                                    • Instruction Fuzzy Hash: D0515DB15087548FE314DF29D49535BBBE1BBC8318F044E2EE4E987351E379DA088B96
                                                                                                                                                                                                    Function 004418A0 Relevance: .2, Instructions: 181COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: d4a7be8d6558c3dd8f1df628cb5b2d23227bc2ad90207996850777d529df786d
                                                                                                                                                                                                    • Instruction ID: 26aced47306ba8243eb9efc204361966fa7a7ce3dd7d84c478a3f5587c373eec
                                                                                                                                                                                                    • Opcode Fuzzy Hash: d4a7be8d6558c3dd8f1df628cb5b2d23227bc2ad90207996850777d529df786d
                                                                                                                                                                                                    • Instruction Fuzzy Hash: AC514939A08311CFD7109F64D89026AB3E1FB8A315F0D847ED48997360D339D886CB4A
                                                                                                                                                                                                    Function 00402210 Relevance: .2, Instructions: 176COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: 76e94ee5ef1ec981491ae59ea2b09b41901541db9a92759e325bf4aa5bc5ab3c
                                                                                                                                                                                                    • Instruction ID: 08a7e479931a5a61fa7b69175e4513341166876bb814eb369fc510c4807828e1
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 76e94ee5ef1ec981491ae59ea2b09b41901541db9a92759e325bf4aa5bc5ab3c
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 6651C1B19047019BD3109F389D4871BB7A4BB85338F14473DE8A9A73E1E378E915CB8A
                                                                                                                                                                                                    Function 00436610 Relevance: .2, Instructions: 170COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: 9fbb2256b73ed4c3e9d4811186088e06edc7d415f1e30715e8a68ccf3e40502c
                                                                                                                                                                                                    • Instruction ID: 54c58fb9e562efe4acf2d46a46492020a6cdaf8e3d7bcc25f04f53f15c8a0988
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9fbb2256b73ed4c3e9d4811186088e06edc7d415f1e30715e8a68ccf3e40502c
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 435169377499A15BD7288A3C5C222667A830BEB238F3ED76FE4B1CB3E5D55C88024345
                                                                                                                                                                                                    Function 0043CB40 Relevance: .2, Instructions: 164COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: aa77b6908eab7f3669129dd6270d874e2da5e3f843f0bb40ad558b4d72932a7f
                                                                                                                                                                                                    • Instruction ID: 871487b85ee081f61f96075d83eee7838f6093090311bf861c268766400ad4d7
                                                                                                                                                                                                    • Opcode Fuzzy Hash: aa77b6908eab7f3669129dd6270d874e2da5e3f843f0bb40ad558b4d72932a7f
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 6751E573E159304BD7249D7D9C8125BBA926B86330F2A833AED75EB3D0D6389D0143C5
                                                                                                                                                                                                    Function 00441FB0 Relevance: .2, Instructions: 163COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: 4446f949f807e9ee458c4b6688f05107c71ff2d1919e574c04fb78a3db1697f2
                                                                                                                                                                                                    • Instruction ID: 6705176f642ca22527a1125600c687b766c57a0aa9d8b170dddf9af2695ae971
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 4446f949f807e9ee458c4b6688f05107c71ff2d1919e574c04fb78a3db1697f2
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0251133421E340DBD3888F38D9A066BB7E2FB86315F48897DE4C687291D335D85ACB45
                                                                                                                                                                                                    Function 0043C9A0 Relevance: .1, Instructions: 149COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: InitializeThunk
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2994545307-0
                                                                                                                                                                                                    • Opcode ID: 729b3e7d6e3191008210f842740a6d9190df207d04178a60961e4fc3c3af6df3
                                                                                                                                                                                                    • Instruction ID: a4b821128decaa172c514915c42a23315f051a59fcda10375df645c6c4b50b9f
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 729b3e7d6e3191008210f842740a6d9190df207d04178a60961e4fc3c3af6df3
                                                                                                                                                                                                    • Instruction Fuzzy Hash: DF417C759043146BE310EF24ECC1B6BB7A4EF89708F10942EF985A7251E735EC04879A
                                                                                                                                                                                                    Function 0040A05C Relevance: .1, Instructions: 120COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: e5e5745a9e04c2a491c48c9e8dc2ff63359ea52b338f82eca13cde478cb73e3a
                                                                                                                                                                                                    • Instruction ID: 0879eb64182fa33bd680848163e7b412a319af03fbceb7a9ba4b6aa96abc02f2
                                                                                                                                                                                                    • Opcode Fuzzy Hash: e5e5745a9e04c2a491c48c9e8dc2ff63359ea52b338f82eca13cde478cb73e3a
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 51416033B106518BC71C8E68C9923AAFBA3FB8A310B1E523EC955AB785D77C9C1147C4
                                                                                                                                                                                                    Function 0041B243 Relevance: .1, Instructions: 117COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: e063f326ffa53de25d0b9ba43cf0ed4dbc710327434a92a2670b2cdd79f8318c
                                                                                                                                                                                                    • Instruction ID: f81eb2cd5989d868f824b990d4dd2db3b11f7867acd7d29f2a686ef0f787acd2
                                                                                                                                                                                                    • Opcode Fuzzy Hash: e063f326ffa53de25d0b9ba43cf0ed4dbc710327434a92a2670b2cdd79f8318c
                                                                                                                                                                                                    • Instruction Fuzzy Hash: CE3101312047908BCB288F29C4913ABBBF1DB5A314F18596DC1D787782C33DA8868B58
                                                                                                                                                                                                    Function 0041AB2A Relevance: .1, Instructions: 101COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: dd2de309bfda2136c0d462cb6aa5ae00d2b6fecf143226232f91c3f973c32b9d
                                                                                                                                                                                                    • Instruction ID: 6e138cb6fd9e5e0f0caf11801ec2ce96e74ed1cdd16602e21eaa68cbd0470f93
                                                                                                                                                                                                    • Opcode Fuzzy Hash: dd2de309bfda2136c0d462cb6aa5ae00d2b6fecf143226232f91c3f973c32b9d
                                                                                                                                                                                                    • Instruction Fuzzy Hash: F52128705086C28FD7258B34C8507F3BBA1EF63308F18149ED1C387243E769A55AC769
                                                                                                                                                                                                    Function 00402B20 Relevance: .1, Instructions: 88COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: 917414fce93f3a61645b2267817af1f51ed3876599dd6aafba8c5d90dcb27b46
                                                                                                                                                                                                    • Instruction ID: 049965bb47efd5a04a2fd3c18b74188d46e65301c4fa73dca4455e1bd43b6f7b
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 917414fce93f3a61645b2267817af1f51ed3876599dd6aafba8c5d90dcb27b46
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9921D4382581B10BD7188F3C98F4577F7A0A787312729027FEBC2933D2D668A9559668
                                                                                                                                                                                                    Function 00438520 Relevance: .1, Instructions: 64COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                                                                                                                                                                    • Instruction ID: 11cf033bb50aef6adb2bbe7b02e6cb6781f41557c363ff6b9b8f28e1f234bab9
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8B11A933A052D40EC3168D3C8840565FFE30AD7635F69939EF4B49B2D2DA2ACD8A8359
                                                                                                                                                                                                    Function 0042BB00 Relevance: .1, Instructions: 63COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: c486ac2ce1ad100f0e38d66cbdf0be4d35fa78da5d65ee2e406166fba6341134
                                                                                                                                                                                                    • Instruction ID: 60ee57cc75265846ada0afa1f54ef24058dfca82aab4f0d1b8d5b1c2d5a04392
                                                                                                                                                                                                    • Opcode Fuzzy Hash: c486ac2ce1ad100f0e38d66cbdf0be4d35fa78da5d65ee2e406166fba6341134
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 46019EB1B00B1157DB209E11A8D0B27B7A8AF85708F58443EE8445B746DB79FC05C2D9
                                                                                                                                                                                                    Function 0041B184 Relevance: .1, Instructions: 61COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: 5902da4a83a0c680140072e5af1454c543d54360fc1713abbe1431a6a1abbba6
                                                                                                                                                                                                    • Instruction ID: c9cc8284e85fe6abf120993d5689944f48ac7ce1a7ddbbf0d82d0496898c4a81
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5902da4a83a0c680140072e5af1454c543d54360fc1713abbe1431a6a1abbba6
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 6911D331104B508FD7248F25C8243A7BBE1AB56318F198A5DC1E7877D1DB7AE1098B44
                                                                                                                                                                                                    Function 0041B173 Relevance: .1, Instructions: 57COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: 153546a5fbbb63670836219b0711ac520bb9ba94bdbc265540c00f4ebd0ea963
                                                                                                                                                                                                    • Instruction ID: f399462e58419c9d3019aec57572db2d86c2935946d127ab36988b8cbde57321
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 153546a5fbbb63670836219b0711ac520bb9ba94bdbc265540c00f4ebd0ea963
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 6A0171745082828FD7128F2994206A6FBE0EF63314F1896C7D4D58BA83C368A985C7A9
                                                                                                                                                                                                    Function 0041B882 Relevance: .1, Instructions: 56COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: b6779701cec66d85e342211494ba6ca2ab48124764d9d56f55accc6aa658e0e4
                                                                                                                                                                                                    • Instruction ID: 925483313e90eaab4478f3efb897dfea373d722ea9097d537696ebe3f586dc89
                                                                                                                                                                                                    • Opcode Fuzzy Hash: b6779701cec66d85e342211494ba6ca2ab48124764d9d56f55accc6aa658e0e4
                                                                                                                                                                                                    • Instruction Fuzzy Hash: B90184305082C28ED7128F2984207A6FFA0EF63314F1895C7D4D58F6C3C3689985C7A9
                                                                                                                                                                                                    Function 0041BB21 Relevance: .1, Instructions: 56COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: c35b802276cb4cab2e01238cfef8ad4f73f74ed2e8d92cb0ff5c3d327f1c90cc
                                                                                                                                                                                                    • Instruction ID: ce15afb6e8349f4df79a6844a38630f2605c57d7838470a331403b3b5471d388
                                                                                                                                                                                                    • Opcode Fuzzy Hash: c35b802276cb4cab2e01238cfef8ad4f73f74ed2e8d92cb0ff5c3d327f1c90cc
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 6D01F2745082828EEB128F29D0107A7FBE0EF63314F18969AC4D58F6C3C379D885C7A9
                                                                                                                                                                                                    Function 0040C3EC Relevance: .1, Instructions: 56COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: cd38a00dc9aa6d99ca01aac821546609123fc2e2b8e046733f98ea8146a72aec
                                                                                                                                                                                                    • Instruction ID: c0b4a7645aed046faff80445a1a00849260a9e0a604dc3165cb580035c2becad
                                                                                                                                                                                                    • Opcode Fuzzy Hash: cd38a00dc9aa6d99ca01aac821546609123fc2e2b8e046733f98ea8146a72aec
                                                                                                                                                                                                    • Instruction Fuzzy Hash: C5110C7025C3808FD7148F54D9D576BBBE1ABD2304F244A2CD5C127292D7F5890987A7
                                                                                                                                                                                                    Function 0041AEFF Relevance: .1, Instructions: 55COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: 6d4357f5d039b7e7fc8698bf40539a149331d6485b26d5a26d22b351b8adaedb
                                                                                                                                                                                                    • Instruction ID: 743bb6218d146487c45d38f060deef663a31a3ebd16d578a5b80eb567479d545
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6d4357f5d039b7e7fc8698bf40539a149331d6485b26d5a26d22b351b8adaedb
                                                                                                                                                                                                    • Instruction Fuzzy Hash: FA01A2205082C28EE7128F2984207B6FFA0EF63314F1896C7D4D58F6C3C3699985C7A9
                                                                                                                                                                                                    Function 0040C334 Relevance: .1, Instructions: 54COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: bc8b52f0ebde1275c747968acf05f407d654f666dd441839f953e78bda0e1710
                                                                                                                                                                                                    • Instruction ID: 19ad3dfdcd8e9eec61f1e1188f3eb7c49d356ea6c47e6a039e33f49038878d3c
                                                                                                                                                                                                    • Opcode Fuzzy Hash: bc8b52f0ebde1275c747968acf05f407d654f666dd441839f953e78bda0e1710
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0D11087465C3808BD318CF18D9C075BBBE29BD6314F244A2CD5C117295C7B5990ACB6A
                                                                                                                                                                                                    Function 0043F0E0 Relevance: .0, Instructions: 46COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: InitializeThunk
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2994545307-0
                                                                                                                                                                                                    • Opcode ID: 59ed13ec8eb8bd8147eea6b0df157e6c9ae6c2307cf57b48e0fe75af3e9c5a7e
                                                                                                                                                                                                    • Instruction ID: 0c7a45b7bc69abfe1ea4a300e8af6adda297262347155a361b302868447e3dd6
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 59ed13ec8eb8bd8147eea6b0df157e6c9ae6c2307cf57b48e0fe75af3e9c5a7e
                                                                                                                                                                                                    • Instruction Fuzzy Hash: AFF0D635904214BBD5104F49EC81D37737DE7CE768F141329E514122A2A732AD1186A9
                                                                                                                                                                                                    Function 00418672 Relevance: .0, Instructions: 34COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: d0bff55706ff93967b4313bb2a1d7a7ee9ee426091711acca18b712e24a09905
                                                                                                                                                                                                    • Instruction ID: c14077b8a130247762470a12415ef9365636b0c970e2bf5ce29861a99db5fcbf
                                                                                                                                                                                                    • Opcode Fuzzy Hash: d0bff55706ff93967b4313bb2a1d7a7ee9ee426091711acca18b712e24a09905
                                                                                                                                                                                                    • Instruction Fuzzy Hash: B2F08238502120EEC7588F189EC157D73A2F747311729147EC406A31A0DF34ACD2C90E
                                                                                                                                                                                                    Function 00409E09 Relevance: .0, Instructions: 26COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: 4819dc0f6de97b22ad09cbe1b8aaee834e7d75527e88b13adc304dc11fbca5b5
                                                                                                                                                                                                    • Instruction ID: 764d9d3a4717be79920da73eaae230af95e7e9d95c2812270fe992c1b9b69a95
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 4819dc0f6de97b22ad09cbe1b8aaee834e7d75527e88b13adc304dc11fbca5b5
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 6FE09A389141058FC708CF58C862677B7B0EF0B301F14A06AD982EB3A0E3389D02C7AC
                                                                                                                                                                                                    Function 0040CEC7 Relevance: .0, Instructions: 24COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: 41d706f10eab7f6aa9807f481bba08dd8ed5b6f7244fe64e6bd3362bb5ad2f88
                                                                                                                                                                                                    • Instruction ID: 7afc85315bce952cb7d9511845f2cfe5cc4fdaba4f93361a027a170bce18a72b
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 41d706f10eab7f6aa9807f481bba08dd8ed5b6f7244fe64e6bd3362bb5ad2f88
                                                                                                                                                                                                    • Instruction Fuzzy Hash: B2E07D3461DA008BE218EF12D95543B73B2AF82308711587E91D3276D2CE78A806DB5D
                                                                                                                                                                                                    Function 0042B652 Relevance: .0, Instructions: 22COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: bf2067ab6f32b58c45c9008d31a8987c58cfc8b8a777689b5c00e406fa9fe567
                                                                                                                                                                                                    • Instruction ID: 85f90f05b7cd9740f0dd11be4e47d539d37879f59d8f753959adedc7e492877d
                                                                                                                                                                                                    • Opcode Fuzzy Hash: bf2067ab6f32b58c45c9008d31a8987c58cfc8b8a777689b5c00e406fa9fe567
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 72E08678B18231DBD6148F05F99163AB3A1EFD7305F98543F904657620E334AC02C68F
                                                                                                                                                                                                    Function 0041F2A0 Relevance: .0, Instructions: 21COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
                                                                                                                                                                                                    • Instruction ID: 3e00189c545ef2cffbc0a4c45a62ec63a19577d5de140b8962752aa3758dc2ad
                                                                                                                                                                                                    • Opcode Fuzzy Hash: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
                                                                                                                                                                                                    • Instruction Fuzzy Hash: EDD0A7755487A10E9759CD3804A04B7FBE8E947612B1814EFE4D5E7205D239DC46469C
                                                                                                                                                                                                    Function 0040D334 Relevance: .0, Instructions: 12COMMON
                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000004.00000002.1966795069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: c0d29d2c066fb543f05896e7434625b03865aceeb40a931a3d9b644db311bfe7
                                                                                                                                                                                                    • Instruction ID: 8c6602917fdb956e33e5ed0c062c44bb8739f147fa9184780212f41d8b26cb24
                                                                                                                                                                                                    • Opcode Fuzzy Hash: c0d29d2c066fb543f05896e7434625b03865aceeb40a931a3d9b644db311bfe7
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 50C04C69E6C4008B924CCB15AC5153266769B8B254715E03A841663255E234945B950D