Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
N65c8rwdal.exe

Overview

General Information

Sample name:N65c8rwdal.exe
renamed because original name is a hash value
Original sample name:660b29ad23f61f5565629f60cf59f848fc54c2c6ebe29883976468232a693745.exe
Analysis ID:1524038
MD5:ce773611c449cfa1f292fc805e532d2f
SHA1:e566020de1c8557da9885dd36a6b7223c3567772
SHA256:660b29ad23f61f5565629f60cf59f848fc54c2c6ebe29883976468232a693745
Tags:exeGuizhouSixuandaTechnologyCoLtdsigneduser-JAMESWT_MHT
Infos:

Detection

LummaC, Go Injector, LummaC Stealer
Score:93
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Go Injector
Yara detected LummaC Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
LummaC encrypted strings found
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • N65c8rwdal.exe (PID: 1848 cmdline: "C:\Users\user\Desktop\N65c8rwdal.exe" MD5: CE773611C449CFA1F292FC805E532D2F)
    • BitLockerToGo.exe (PID: 2472 cmdline: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Lumma Stealer, LummaC2 StealerLumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["relaxatinownio.shop", "tryyudjasudqo.shop", "keennylrwmqlw.shop", "tesecuuweqo.shop", "eemmbryequo.shop", "licenseodqwmqn.shop", "tendencctywop.shop", "reggwardssdqw.shop"], "Build id": "c2CoW0--1"}

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
N65c8rwdal.exeJoeSecurity_GoInjector_2Yara detected Go InjectorJoe Security

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    00000000.00000002.2108992608.000000C00080E000.00000004.00001000.00020000.00000000.sdmpMsfpayloads_msf_9Metasploit Payloads - file msf.war - contentsFlorian Roth
    • 0x0:$x1: 4d5a9000030000000
    00000000.00000000.1685275237.00007FF730241000.00000002.00000001.01000000.00000003.sdmpJoeSecurity_GoInjector_2Yara detected Go InjectorJoe Security
      00000000.00000002.2111216784.00007FF730241000.00000002.00000001.01000000.00000003.sdmpJoeSecurity_GoInjector_2Yara detected Go InjectorJoe Security
        Process Memory Space: N65c8rwdal.exe PID: 1848JoeSecurity_GoInjector_2Yara detected Go InjectorJoe Security
          decrypted.memstrJoeSecurity_LummaCStealer_2Yara detected LummaC StealerJoe Security

            Sigma Signatures

            No Sigma rule has matched

            Suricata Signatures

            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
            2024-10-02T14:57:55.706081+020020546531A Network Trojan was detected192.168.2.453478172.67.209.193443TCP
            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
            2024-10-02T14:57:55.706081+020020498361A Network Trojan was detected192.168.2.453478172.67.209.193443TCP
            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
            2024-10-02T14:57:53.109771+020020558791Domain Observed Used for C2 Detected192.168.2.4591551.1.1.153UDP
            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
            2024-10-02T14:57:53.046046+020020558811Domain Observed Used for C2 Detected192.168.2.4501011.1.1.153UDP
            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
            2024-10-02T14:57:53.058384+020020558831Domain Observed Used for C2 Detected192.168.2.4513071.1.1.153UDP
            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
            2024-10-02T14:57:53.096189+020020558851Domain Observed Used for C2 Detected192.168.2.4524541.1.1.153UDP
            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
            2024-10-02T14:57:53.084026+020020558871Domain Observed Used for C2 Detected192.168.2.4544791.1.1.153UDP
            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
            2024-10-02T14:57:53.034351+020020558911Domain Observed Used for C2 Detected192.168.2.4511811.1.1.153UDP
            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
            2024-10-02T14:57:53.071375+020020558931Domain Observed Used for C2 Detected192.168.2.4642811.1.1.153UDP
            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
            2024-10-02T14:57:53.120977+020020558951Domain Observed Used for C2 Detected192.168.2.4572131.1.1.153UDP

            Joe Sandbox Signatures

            Click to jump to signature section

            Show All Signature Results

            AV Detection

            barindex
            Antivirus detection for URL or domain
            Source: https://steamcommunity.com/profiles/76561199724331900URL Reputation: Label: malware
            Source: https://steamcommunity.com/profiles/76561199724331900/inventory/URL Reputation: Label: malware
            Found malware configuration
            Source: 0.2.N65c8rwdal.exe.c000554000.0.unpackMalware Configuration Extractor: LummaC {"C2 url": ["relaxatinownio.shop", "tryyudjasudqo.shop", "keennylrwmqlw.shop", "tesecuuweqo.shop", "eemmbryequo.shop", "licenseodqwmqn.shop", "tendencctywop.shop", "reggwardssdqw.shop"], "Build id": "c2CoW0--1"}
            Multi AV Scanner detection for submitted file
            Source: N65c8rwdal.exeReversingLabs: Detection: 24%
            AI detected suspicious sample
            Source: Submited SampleIntegrated Neural Analysis Model: Matched 85.0% probability
            Sample uses string decryption to hide its real strings
            Source: 00000000.00000002.2108721596.000000C000554000.00000004.00001000.00020000.00000000.sdmpString decryptor: tryyudjasudqo.shop
            Source: 00000000.00000002.2108721596.000000C000554000.00000004.00001000.00020000.00000000.sdmpString decryptor: eemmbryequo.shop
            Source: 00000000.00000002.2108721596.000000C000554000.00000004.00001000.00020000.00000000.sdmpString decryptor: reggwardssdqw.shop
            Source: 00000000.00000002.2108721596.000000C000554000.00000004.00001000.00020000.00000000.sdmpString decryptor: relaxatinownio.shop
            Source: 00000000.00000002.2108721596.000000C000554000.00000004.00001000.00020000.00000000.sdmpString decryptor: tesecuuweqo.shop
            Source: 00000000.00000002.2108721596.000000C000554000.00000004.00001000.00020000.00000000.sdmpString decryptor: tendencctywop.shop
            Source: 00000000.00000002.2108721596.000000C000554000.00000004.00001000.00020000.00000000.sdmpString decryptor: licenseodqwmqn.shop
            Source: 00000000.00000002.2108721596.000000C000554000.00000004.00001000.00020000.00000000.sdmpString decryptor: keennylrwmqlw.shop
            Source: 00000000.00000002.2108721596.000000C000554000.00000004.00001000.00020000.00000000.sdmpString decryptor: tendencctywop.shop
            Source: 00000000.00000002.2108721596.000000C000554000.00000004.00001000.00020000.00000000.sdmpString decryptor: lid=%s&j=%s&ver=4.0
            Source: 00000000.00000002.2108721596.000000C000554000.00000004.00001000.00020000.00000000.sdmpString decryptor: TeslaBrowser/5.5
            Source: 00000000.00000002.2108721596.000000C000554000.00000004.00001000.00020000.00000000.sdmpString decryptor: - Screen Resoluton:
            Source: 00000000.00000002.2108721596.000000C000554000.00000004.00001000.00020000.00000000.sdmpString decryptor: - Physical Installed Memory:
            Source: 00000000.00000002.2108721596.000000C000554000.00000004.00001000.00020000.00000000.sdmpString decryptor: Workgroup: -
            Source: 00000000.00000002.2108721596.000000C000554000.00000004.00001000.00020000.00000000.sdmpString decryptor: c2CoW0--1
            Source: N65c8rwdal.exeStatic PE information: certificate valid
            Source: unknownHTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:53475 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 172.67.209.193:443 -> 192.168.2.4:53478 version: TLS 1.2
            Source: N65c8rwdal.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
            Source: Binary string: BitLockerToGo.pdb source: N65c8rwdal.exe, 00000000.00000002.2108721596.000000C0006B8000.00000004.00001000.00020000.00000000.sdmp, N65c8rwdal.exe, 00000000.00000002.2108721596.000000C000554000.00000004.00001000.00020000.00000000.sdmp, N65c8rwdal.exe, 00000000.00000003.2091088218.000001CA7F5E0000.00000004.00001000.00020000.00000000.sdmp, N65c8rwdal.exe, 00000000.00000003.2090871306.000001CA7F620000.00000004.00001000.00020000.00000000.sdmp, N65c8rwdal.exe, 00000000.00000002.2108721596.000000C0005DE000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: BitLockerToGo.pdbGCTL source: N65c8rwdal.exe, 00000000.00000002.2108721596.000000C0006B8000.00000004.00001000.00020000.00000000.sdmp, N65c8rwdal.exe, 00000000.00000002.2108721596.000000C000554000.00000004.00001000.00020000.00000000.sdmp, N65c8rwdal.exe, 00000000.00000003.2091088218.000001CA7F5E0000.00000004.00001000.00020000.00000000.sdmp, N65c8rwdal.exe, 00000000.00000003.2090871306.000001CA7F620000.00000004.00001000.00020000.00000000.sdmp, N65c8rwdal.exe, 00000000.00000002.2108721596.000000C0005DE000.00000004.00001000.00020000.00000000.sdmp
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esp]4_2_02DBF0CD
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then xor ebp, ebp4_2_02D907BA
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov word ptr [eax], cx4_2_02D9DAD1
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx ebx, byte ptr [eax+edx]4_2_02DBCAF0
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esp]4_2_02DBCAF0
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx edx, byte ptr [esi+edi]4_2_02D84AB0
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then xor esi, esi4_2_02DA7A67
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov ecx, dword ptr [esp]4_2_02D90A10
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov ecx, dword ptr [esp+000000C0h]4_2_02D91BDF
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov ecx, dword ptr [esp+04h]4_2_02D91BDF
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp dword ptr [edi+esi*8], 625B6034h4_2_02DA6390
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx edx, byte ptr [esi+ebx]4_2_02D85BA0
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp byte ptr [esi], 00000000h4_2_02D9332C
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov ebx, dword ptr [edi+04h]4_2_02DABB20
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov word ptr [eax], cx4_2_02DA28F0
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx eax, word ptr [ebx]4_2_02DC28B0
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx edi, byte ptr [ecx+esi]4_2_02D87040
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esp+54h]4_2_02DAA067
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx eax, byte ptr [ecx-01h]4_2_02D81000
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov word ptr [eax], cx4_2_02D8F1FC
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esp]4_2_02D92998
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx eax, word ptr [esi+ecx]4_2_02DBA180
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov esi, ecx4_2_02D9D9BE
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esp]4_2_02DC2150
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh4_2_02DA3108
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then jmp eax4_2_02DA3108
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp byte ptr [esi], 00000000h4_2_02D8E965
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh4_2_02DA3108
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then jmp eax4_2_02DA3108
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp byte ptr [edi], 00000000h4_2_02D8F134
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp byte ptr [ebx], 00000000h4_2_02D94921
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h4_2_02DA2690
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov dword ptr [esp], 00000000h4_2_02D996B0
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov ecx, dword ptr [ebp-10h]4_2_02DA3E59
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then push 00000000h4_2_02D83660
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx ebx, byte ptr [edx]4_2_02DB4E60
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov ecx, dword ptr [esp]4_2_02DB8630
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp dword ptr [edi+esi*8], 625B6034h4_2_02DB8630
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp byte ptr [esi+ebx], 00000000h4_2_02DABE20
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esp+04h]4_2_02DBD7E0
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esp+000000C0h]4_2_02D9279A
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esp+44h]4_2_02D92F92
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov ecx, dword ptr [esp]4_2_02DC1790
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then xor esi, esi4_2_02DA7FB0
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then xor esi, esi4_2_02DA7750
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esp+44h]4_2_02D92C84
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then lea edx, dword ptr [eax+01h]4_2_02DAB4BE
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp byte ptr [ebx+01h], 00000000h4_2_02DA35E0
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov ecx, dword ptr [esp+04h]4_2_02D8DDB0
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [ebp-10h]4_2_02DA3D0F
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov byte ptr [ebx], cl4_2_02DAC500
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esi+68h]4_2_02DAC500
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov ecx, dword ptr [esi+000000D4h]4_2_02DAC500
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov byte ptr [edx], al4_2_02DAC500
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov byte ptr [edi], al4_2_02DAC500
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esi+34h]4_2_02DAC500
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov byte ptr [edi], cl4_2_02DAC500

            Networking

            barindex
            Suricata IDS alerts for network traffic
            Source: Network trafficSuricata IDS: 2055887 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (relaxatinownio .shop) : 192.168.2.4:54479 -> 1.1.1.1:53
            Source: Network trafficSuricata IDS: 2055881 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (keennylrwmqlw .shop) : 192.168.2.4:50101 -> 1.1.1.1:53
            Source: Network trafficSuricata IDS: 2055879 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eemmbryequo .shop) : 192.168.2.4:59155 -> 1.1.1.1:53
            Source: Network trafficSuricata IDS: 2055895 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tryyudjasudqo .shop) : 192.168.2.4:57213 -> 1.1.1.1:53
            Source: Network trafficSuricata IDS: 2055891 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tendencctywop .shop) : 192.168.2.4:51181 -> 1.1.1.1:53
            Source: Network trafficSuricata IDS: 2055893 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tesecuuweqo .shop) : 192.168.2.4:64281 -> 1.1.1.1:53
            Source: Network trafficSuricata IDS: 2055883 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licenseodqwmqn .shop) : 192.168.2.4:51307 -> 1.1.1.1:53
            Source: Network trafficSuricata IDS: 2055885 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (reggwardssdqw .shop) : 192.168.2.4:52454 -> 1.1.1.1:53
            Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:53478 -> 172.67.209.193:443
            Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:53478 -> 172.67.209.193:443
            C2 URLs / IPs found in malware configuration
            Source: Malware configuration extractorURLs: relaxatinownio.shop
            Source: Malware configuration extractorURLs: tryyudjasudqo.shop
            Source: Malware configuration extractorURLs: keennylrwmqlw.shop
            Source: Malware configuration extractorURLs: tesecuuweqo.shop
            Source: Malware configuration extractorURLs: eemmbryequo.shop
            Source: Malware configuration extractorURLs: licenseodqwmqn.shop
            Source: Malware configuration extractorURLs: tendencctywop.shop
            Source: Malware configuration extractorURLs: reggwardssdqw.shop
            Source: Joe Sandbox ViewIP Address: 104.102.49.254 104.102.49.254
            Source: Joe Sandbox ViewIP Address: 172.67.209.193 172.67.209.193
            Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
            Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
            Source: global trafficHTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: gravvitywio.store
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global trafficHTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
            Source: BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
            Source: global trafficDNS traffic detected: DNS query: tendencctywop.shop
            Source: global trafficDNS traffic detected: DNS query: keennylrwmqlw.shop
            Source: global trafficDNS traffic detected: DNS query: licenseodqwmqn.shop
            Source: global trafficDNS traffic detected: DNS query: tesecuuweqo.shop
            Source: global trafficDNS traffic detected: DNS query: relaxatinownio.shop
            Source: global trafficDNS traffic detected: DNS query: reggwardssdqw.shop
            Source: global trafficDNS traffic detected: DNS query: eemmbryequo.shop
            Source: global trafficDNS traffic detected: DNS query: tryyudjasudqo.shop
            Source: global trafficDNS traffic detected: DNS query: steamcommunity.com
            Source: global trafficDNS traffic detected: DNS query: gravvitywio.store
            Source: unknownHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: gravvitywio.store
            Source: BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://127.0.0.1:27060
            Source: N65c8rwdal.exeString found in binary or memory: http://cevcsca2021.crl.certum.pl/cevcsca2021.crl0w
            Source: N65c8rwdal.exeString found in binary or memory: http://cevcsca2021.ocsp-certum.com07
            Source: N65c8rwdal.exeString found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
            Source: N65c8rwdal.exeString found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
            Source: N65c8rwdal.exeString found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
            Source: N65c8rwdal.exeString found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
            Source: N65c8rwdal.exeString found in binary or memory: http://ocsp2.globalsign.com/rootr606
            Source: N65c8rwdal.exeString found in binary or memory: http://repository.certum.pl/cevcsca2021.cer0
            Source: N65c8rwdal.exeString found in binary or memory: http://repository.certum.pl/ctnca2.cer09
            Source: N65c8rwdal.exeString found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
            Source: BitLockerToGo.exe, 00000004.00000002.2135995706.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2137184864.0000000003398000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2133020363.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
            Source: BitLockerToGo.exe, 00000004.00000002.2135995706.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2137184864.0000000003398000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2133020363.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://store.steampowered.com/privacy_agreement/
            Source: BitLockerToGo.exe, 00000004.00000002.2135995706.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2137184864.0000000003398000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2133020363.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://store.steampowered.com/subscriber_agreement/
            Source: N65c8rwdal.exeString found in binary or memory: http://subca.ocsp-certum.com02
            Source: N65c8rwdal.exeString found in binary or memory: http://www.certum.pl/CPS0
            Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.valvesoftware.com/legal.htm
            Source: BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.steampowered.com/
            Source: BitLockerToGo.exe, 00000004.00000003.2122409679.0000000003380000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2134186080.0000000003381000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://avatars.akamai.steamstatic
            Source: BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
            Source: BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://broadcast.st.dl.eccdnx.com
            Source: BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
            Source: BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://checkout.steampowered.com/
            Source: BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/
            Source: BitLockerToGo.exe, 00000004.00000002.2135995706.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2133020363.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&a
            Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122409679.0000000003380000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
            Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122409679.0000000003380000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
            Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122409679.0000000003380000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
            Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122409679.0000000003380000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
            Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122409679.0000000003380000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
            Source: BitLockerToGo.exe, 00000004.00000002.2135995706.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2133020363.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
            Source: BitLockerToGo.exe, 00000004.00000002.2135995706.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2137184864.0000000003398000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2133020363.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
            Source: BitLockerToGo.exe, 00000004.00000002.2135995706.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2133020363.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
            Source: BitLockerToGo.exe, 00000004.00000002.2135995706.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2133020363.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=8vRVyaZK
            Source: BitLockerToGo.exe, 00000004.00000002.2135995706.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2133020363.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=w4s3
            Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122409679.0000000003380000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
            Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122409679.0000000003380000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
            Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122409679.0000000003380000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
            Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122409679.0000000003380000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
            Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122409679.0000000003380000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
            Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122409679.0000000003380000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
            Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122409679.0000000003380000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
            Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122409679.0000000003380000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
            Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122409679.0000000003380000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
            Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122409679.0000000003380000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=pvBDaFhF2LLJ&l=e
            Source: BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
            Source: BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
            Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
            Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122409679.0000000003380000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
            Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
            Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
            Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
            Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
            Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122409679.0000000003380000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
            Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122409679.0000000003380000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
            Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122409679.0000000003380000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
            Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122409679.0000000003380000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
            Source: N65c8rwdal.exeString found in binary or memory: https://github.com/golang/protobuf/issues/1609):
            Source: N65c8rwdal.exeString found in binary or memory: https://golang.org/doc/faq#nil_errorx509:
            Source: BitLockerToGo.exe, 00000004.00000003.2133020363.000000000332E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gravvitywio.store/
            Source: BitLockerToGo.exe, 00000004.00000002.2135995706.0000000003364000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2133020363.0000000003364000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gravvitywio.store/)
            Source: BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003346000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2135995706.000000000332E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2133020363.000000000332E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gravvitywio.store/7
            Source: BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003346000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2135995706.000000000332E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2133020363.000000000332E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gravvitywio.store/G
            Source: BitLockerToGo.exe, 00000004.00000003.2133020363.0000000003364000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gravvitywio.store/api
            Source: BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003346000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2135995706.000000000332E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2133020363.000000000332E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gravvitywio.store/api7
            Source: BitLockerToGo.exe, 00000004.00000003.2133020363.00000000032FA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2135995706.00000000032FA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gravvitywio.store:443/apifiles/76561199724331900
            Source: BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.steampowered.com/
            Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.steampowered.com/en/
            Source: BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.steampowered.com/
            Source: BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lv.queniujq.cn
            Source: N65c8rwdal.exeString found in binary or memory: https://management.azure.cominvalid
            Source: BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://medal.tv
            Source: BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://player.vimeo.com
            Source: BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://recaptcha.net
            Source: BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://recaptcha.net/recaptcha/;
            Source: BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://s.ytimg.com;
            Source: BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sketchfab.com
            Source: BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steam.tv/
            Source: BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcast-test.akamaized.net
            Source: BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcast.akamaized.net
            Source: BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcastchat.akamaized.net
            Source: BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2133020363.0000000003364000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/
            Source: BitLockerToGo.exe, 00000004.00000002.2135995706.0000000003364000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2133020363.0000000003364000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/3y
            Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
            Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/discussions/
            Source: BitLockerToGo.exe, 00000004.00000002.2135995706.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2137184864.0000000003398000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2133020363.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
            Source: BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
            Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/market/
            Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/my/wishlist/
            Source: BitLockerToGo.exe, 00000004.00000002.2135995706.0000000003312000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2133020363.0000000003312000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
            Source: BitLockerToGo.exe, 00000004.00000002.2135995706.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2133020363.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
            Source: BitLockerToGo.exe, 00000004.00000002.2135995706.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2133020363.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
            Source: BitLockerToGo.exe, 00000004.00000002.2135995706.0000000003312000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2133020363.0000000003312000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/765611997243319001
            Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/workshop/
            Source: BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/
            Source: BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/;
            Source: BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/about/
            Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/explore/
            Source: BitLockerToGo.exe, 00000004.00000002.2135995706.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2137184864.0000000003398000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2133020363.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/legal/
            Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/mobile
            Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/news/
            Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/points/shop/
            Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/privacy_agreement/
            Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/stats/
            Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/steam_refunds/
            Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/subscriber_agreement/
            Source: BitLockerToGo.exe, 00000004.00000003.2133020363.00000000032F1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2135995706.00000000032F1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tendencctywop.shop/
            Source: N65c8rwdal.exeString found in binary or memory: https://www.certum.pl/CPS0
            Source: N65c8rwdal.exeString found in binary or memory: https://www.globalsign.com/repository/0
            Source: BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
            Source: BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/recaptcha/
            Source: BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.cn/recaptcha/
            Source: BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/recaptcha/
            Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
            Source: BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com
            Source: BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/
            Source: unknownNetwork traffic detected: HTTP traffic on port 53478 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 53475 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53475
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53478
            Source: unknownHTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:53475 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 172.67.209.193:443 -> 192.168.2.4:53478 version: TLS 1.2
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02DB2C80 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,4_2_02DB2C80
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02DB2C80 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,4_2_02DB2C80
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02DB2DF0 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,4_2_02DB2DF0

            System Summary

            barindex
            Malicious sample detected (through community Yara rule)
            Source: 00000000.00000002.2108992608.000000C00080E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02D900A04_2_02D900A0
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02D8D1F04_2_02D8D1F0
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02D8F9604_2_02D8F960
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02D9DAD14_2_02D9DAD1
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02DAC2C04_2_02DAC2C0
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02D942FE4_2_02D942FE
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02DBCAF04_2_02DBCAF0
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02D8F2E04_2_02D8F2E0
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02D812E74_2_02D812E7
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02DC22804_2_02DC2280
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02DC0AAF4_2_02DC0AAF
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02DA6A504_2_02DA6A50
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02DC727B4_2_02DC727B
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02DA7A674_2_02DA7A67
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02D90A104_2_02D90A10
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02DC0A204_2_02DC0A20
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02D91BDF4_2_02D91BDF
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02D8CBF04_2_02D8CBF0
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02D8B3904_2_02D8B390
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02DC03904_2_02DC0390
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02DA3B8F4_2_02DA3B8F
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02D8A3804_2_02D8A380
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02D873804_2_02D87380
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02DA4B804_2_02DA4B80
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02D9B35A4_2_02D9B35A
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02D913534_2_02D91353
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02DB73404_2_02DB7340
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02DA73004_2_02DA7300
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02D9332C4_2_02D9332C
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02DA28F04_2_02DA28F0
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02DC08B04_2_02DC08B0
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02DC28B04_2_02DC28B0
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02DB80A74_2_02DB80A7
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02D998504_2_02D99850
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02DAA0674_2_02DAA067
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02D810004_2_02D81000
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02DB89E04_2_02DB89E0
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02D929984_2_02D92998
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02D911904_2_02D91190
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02D9D1A64_2_02D9D1A6
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02DA395E4_2_02DA395E
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02D9E9204_2_02D9E920
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02D8BEA04_2_02D8BEA0
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02DA3E594_2_02DA3E59
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02D836604_2_02D83660
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02D89E3D4_2_02D89E3D
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02DBFE304_2_02DBFE30
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02DB86304_2_02DB8630
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02DC0E304_2_02DC0E30
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02D93E284_2_02D93E28
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02D9A6234_2_02D9A623
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02D9A6234_2_02D9A623
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02DB27C04_2_02DB27C0
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02DA7FB04_2_02DA7FB0
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02DA77504_2_02DA7750
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02DA87634_2_02DA8763
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02D8AF004_2_02D8AF00
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02D9FCFB4_2_02D9FCFB
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02D89C5D4_2_02D89C5D
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02DA34454_2_02DA3445
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02DC0C104_2_02DC0C10
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02D89C0F4_2_02D89C0F
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02D9ADCF4_2_02D9ADCF
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02D87DC04_2_02D87DC0
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02DBF5FC4_2_02DBF5FC
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02DA35E04_2_02DA35E0
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02D8DDB04_2_02D8DDB0
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02DC25B04_2_02DC25B0
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02DAB5A24_2_02DAB5A2
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02DA4D504_2_02DA4D50
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02DB0D404_2_02DB0D40
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02DAC5004_2_02DAC500
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02DA85334_2_02DA8533
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02DC0D204_2_02DC0D20
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: String function: 02D8CA00 appears 66 times
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: String function: 02D9A000 appears 144 times
            Source: N65c8rwdal.exeStatic PE information: Number of sections : 12 > 10
            Source: N65c8rwdal.exe, 00000000.00000002.2108721596.000000C0006B8000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs N65c8rwdal.exe
            Source: N65c8rwdal.exe, 00000000.00000002.2108721596.000000C000554000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs N65c8rwdal.exe
            Source: N65c8rwdal.exe, 00000000.00000003.2091088218.000001CA7F5E0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs N65c8rwdal.exe
            Source: N65c8rwdal.exe, 00000000.00000003.2090871306.000001CA7F620000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs N65c8rwdal.exe
            Source: N65c8rwdal.exe, 00000000.00000002.2108721596.000000C0005DE000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs N65c8rwdal.exe
            Source: 00000000.00000002.2108992608.000000C00080E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
            Source: classification engineClassification label: mal93.troj.evad.winEXE@3/0@10/2
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02DA2690 CoCreateInstance,4_2_02DA2690
            Source: C:\Users\user\Desktop\N65c8rwdal.exeFile created: C:\Users\Public\Libraries\bopdb.scifJump to behavior
            Source: C:\Users\user\Desktop\N65c8rwdal.exeFile opened: C:\Windows\system32\2e06423a2e6c9ac3677f3fe4a22bb8b5180da5f547edd3e873b22c0fa61b486dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJump to behavior
            Source: N65c8rwdal.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\N65c8rwdal.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: N65c8rwdal.exeReversingLabs: Detection: 24%
            Source: N65c8rwdal.exeString found in binary or memory: net/addrselect.go
            Source: N65c8rwdal.exeString found in binary or memory: github.com/saferwall/pe@v1.5.4/loadconfig.go
            Source: N65c8rwdal.exeString found in binary or memory: HuHatEoCKu/load.go
            Source: C:\Users\user\Desktop\N65c8rwdal.exeFile read: C:\Users\user\Desktop\N65c8rwdal.exeJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\N65c8rwdal.exe "C:\Users\user\Desktop\N65c8rwdal.exe"
            Source: C:\Users\user\Desktop\N65c8rwdal.exeProcess created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
            Source: C:\Users\user\Desktop\N65c8rwdal.exeProcess created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeJump to behavior
            Source: C:\Users\user\Desktop\N65c8rwdal.exeSection loaded: winmm.dllJump to behavior
            Source: C:\Users\user\Desktop\N65c8rwdal.exeSection loaded: powrprof.dllJump to behavior
            Source: C:\Users\user\Desktop\N65c8rwdal.exeSection loaded: umpdc.dllJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: webio.dllJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: schannel.dllJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: mskeyprotect.dllJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ncryptsslp.dllJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: dpapi.dllJump to behavior
            Source: N65c8rwdal.exeStatic PE information: certificate valid
            Source: N65c8rwdal.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
            Source: N65c8rwdal.exeStatic PE information: Image base 0x140000000 > 0x60000000
            Source: N65c8rwdal.exeStatic file information: File size 18659064 > 1048576
            Source: N65c8rwdal.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x654e00
            Source: N65c8rwdal.exeStatic PE information: Raw size of .rdata is bigger than: 0x100000 < 0xabe600
            Source: N65c8rwdal.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
            Source: Binary string: BitLockerToGo.pdb source: N65c8rwdal.exe, 00000000.00000002.2108721596.000000C0006B8000.00000004.00001000.00020000.00000000.sdmp, N65c8rwdal.exe, 00000000.00000002.2108721596.000000C000554000.00000004.00001000.00020000.00000000.sdmp, N65c8rwdal.exe, 00000000.00000003.2091088218.000001CA7F5E0000.00000004.00001000.00020000.00000000.sdmp, N65c8rwdal.exe, 00000000.00000003.2090871306.000001CA7F620000.00000004.00001000.00020000.00000000.sdmp, N65c8rwdal.exe, 00000000.00000002.2108721596.000000C0005DE000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: BitLockerToGo.pdbGCTL source: N65c8rwdal.exe, 00000000.00000002.2108721596.000000C0006B8000.00000004.00001000.00020000.00000000.sdmp, N65c8rwdal.exe, 00000000.00000002.2108721596.000000C000554000.00000004.00001000.00020000.00000000.sdmp, N65c8rwdal.exe, 00000000.00000003.2091088218.000001CA7F5E0000.00000004.00001000.00020000.00000000.sdmp, N65c8rwdal.exe, 00000000.00000003.2090871306.000001CA7F620000.00000004.00001000.00020000.00000000.sdmp, N65c8rwdal.exe, 00000000.00000002.2108721596.000000C0005DE000.00000004.00001000.00020000.00000000.sdmp
            Source: N65c8rwdal.exeStatic PE information: section name: .xdata
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02DC53C7 push edx; ret 4_2_02DC53C8
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02D973B0 push esi; ret 4_2_02D973B2
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02D97378 push 0000001Ch; mov dword ptr [esp], esi4_2_02D9737A
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02DC56B0 push esp; retf 4_2_02DC56D8
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02DC6F7B push ds; iretd 4_2_02DC6FA1
            Source: C:\Users\user\Desktop\N65c8rwdal.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 2120Thread sleep time: -30000s >= -30000sJump to behavior
            Source: BitLockerToGo.exe, 00000004.00000002.2135824425.00000000032B8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2135995706.000000000332E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2133020363.000000000332E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
            Source: BitLockerToGo.exe, 00000004.00000002.2135995706.000000000332E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2133020363.000000000332E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWen-GBn
            Source: N65c8rwdal.exe, 00000000.00000002.2109166550.000001CA7E068000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll@@
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4_2_02DBE4E0 LdrInitializeThunk,4_2_02DBE4E0

            HIPS / PFW / Operating System Protection Evasion

            barindex
            Allocates memory in foreign processes
            Source: C:\Users\user\Desktop\N65c8rwdal.exeMemory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2D80000 protect: page execute and read and writeJump to behavior
            Injects a PE file into a foreign processes
            Source: C:\Users\user\Desktop\N65c8rwdal.exeMemory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2D80000 value starts with: 4D5AJump to behavior
            LummaC encrypted strings found
            Source: N65c8rwdal.exe, 00000000.00000002.2108721596.000000C000554000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: tryyudjasudqo.shop
            Source: N65c8rwdal.exe, 00000000.00000002.2108721596.000000C000554000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: eemmbryequo.shop
            Source: N65c8rwdal.exe, 00000000.00000002.2108721596.000000C000554000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: reggwardssdqw.shop
            Source: N65c8rwdal.exe, 00000000.00000002.2108721596.000000C000554000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: relaxatinownio.shop
            Source: N65c8rwdal.exe, 00000000.00000002.2108721596.000000C000554000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: tesecuuweqo.shop
            Source: N65c8rwdal.exe, 00000000.00000002.2108721596.000000C000554000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: tendencctywop.shop
            Source: N65c8rwdal.exe, 00000000.00000002.2108721596.000000C000554000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: licenseodqwmqn.shop
            Source: N65c8rwdal.exe, 00000000.00000002.2108721596.000000C000554000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: keennylrwmqlw.shop
            Writes to foreign memory regions
            Source: C:\Users\user\Desktop\N65c8rwdal.exeMemory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2D80000Jump to behavior
            Source: C:\Users\user\Desktop\N65c8rwdal.exeMemory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2F29008Jump to behavior
            Source: C:\Users\user\Desktop\N65c8rwdal.exeProcess created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeJump to behavior
            Source: C:\Users\user\Desktop\N65c8rwdal.exeQueries volume information: C:\Users\user\Desktop\N65c8rwdal.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\N65c8rwdal.exeQueries volume information: C:\Windows VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\N65c8rwdal.exeQueries volume information: C:\Windows\AppReadiness VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\N65c8rwdal.exeQueries volume information: C:\Windows\BitLockerDiscoveryVolumeContents VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\N65c8rwdal.exeQueries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\N65c8rwdal.exeQueries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\N65c8rwdal.exeQueries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformationJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

            Stealing of Sensitive Information

            barindex
            Yara detected Go Injector
            Source: Yara matchFile source: N65c8rwdal.exe, type: SAMPLE
            Source: Yara matchFile source: 00000000.00000000.1685275237.00007FF730241000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.2111216784.00007FF730241000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: N65c8rwdal.exe PID: 1848, type: MEMORYSTR
            Yara detected LummaC Stealer
            Source: Yara matchFile source: decrypted.memstr, type: MEMORYSTR

            Remote Access Functionality

            barindex
            Yara detected Go Injector
            Source: Yara matchFile source: N65c8rwdal.exe, type: SAMPLE
            Source: Yara matchFile source: 00000000.00000000.1685275237.00007FF730241000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.2111216784.00007FF730241000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: N65c8rwdal.exe PID: 1848, type: MEMORYSTR
            Yara detected LummaC Stealer
            Source: Yara matchFile source: decrypted.memstr, type: MEMORYSTR

            Mitre Att&ck Matrix

            ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
            Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
            Command and Scripting Interpreter            		1
            DLL Side-Loading            		311
            Process Injection            		1
            Masquerading            		OS Credential Dumping1
            Security Software Discovery            		Remote Services1
            Screen Capture            		11
            Encrypted Channel            		Exfiltration Over Other Network MediumAbuse Accessibility Features
            CredentialsDomainsDefault Accounts1
            PowerShell            		Boot or Logon Initialization Scripts1
            DLL Side-Loading            		1
            Virtualization/Sandbox Evasion            		LSASS Memory1
            Virtualization/Sandbox Evasion            		Remote Desktop Protocol1
            Archive Collected Data            		1
            Ingress Tool Transfer            		Exfiltration Over BluetoothNetwork Denial of Service
            Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)311
            Process Injection            		Security Account Manager12
            System Information Discovery            		SMB/Windows Admin Shares2
            Clipboard Data            		3
            Non-Application Layer Protocol            		Automated ExfiltrationData Encrypted for Impact
            Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook11
            Deobfuscate/Decode Files or Information            		NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput Capture114
            Application Layer Protocol            		Traffic DuplicationData Destruction
            Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script3
            Obfuscated Files or Information            		LSA SecretsInternet Connection DiscoverySSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
            Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
            DLL Side-Loading            		Cached Domain CredentialsWi-Fi DiscoveryVNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.


            windows-stand

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            SourceDetectionScannerLabelLink
            N65c8rwdal.exe24%ReversingLabs

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

            No Antivirus matches

            Domains

            No Antivirus matches

            URLs

            SourceDetectionScannerLabelLink
            https://player.vimeo.com0%URL Reputationsafe
            https://store.steampowered.com/subscriber_agreement/0%URL Reputationsafe
            https://www.gstatic.cn/recaptcha/0%URL Reputationsafe
            https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af60%URL Reputationsafe
            http://www.valvesoftware.com/legal.htm0%URL Reputationsafe
            https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp0%URL Reputationsafe
            https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png0%URL Reputationsafe
            https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png0%URL Reputationsafe
            https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&amp;0%URL Reputationsafe
            https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback0%URL Reputationsafe
            https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL0%URL Reputationsafe
            http://www.certum.pl/CPS00%URL Reputationsafe
            https://steam.tv/0%URL Reputationsafe
            https://steamcommunity.com/profiles/76561199724331900100%URL Reputationmalware
            https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&amp;l=english0%URL Reputationsafe
            http://store.steampowered.com/privacy_agreement/0%URL Reputationsafe
            https://store.steampowered.com/points/shop/0%URL Reputationsafe
            https://lv.queniujq.cn0%URL Reputationsafe
            https://steamcommunity.com/profiles/76561199724331900/inventory/100%URL Reputationmalware
            https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg0%URL Reputationsafe
            https://store.steampowered.com/privacy_agreement/0%URL Reputationsafe
            https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt00%URL Reputationsafe
            https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am0%URL Reputationsafe
            https://checkout.steampowered.com/0%URL Reputationsafe
            https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&amp;l=english0%URL Reputationsafe
            https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&amp;l=english0%URL Reputationsafe
            https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png0%URL Reputationsafe
            https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&amp;l=englis0%URL Reputationsafe
            https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC0%URL Reputationsafe
            https://store.steampowered.com/;0%URL Reputationsafe
            https://store.steampowered.com/about/0%URL Reputationsafe
            https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&amp;l=english0%URL Reputationsafe
            https://help.steampowered.com/en/0%URL Reputationsafe
            https://store.steampowered.com/news/0%URL Reputationsafe
            https://community.akamai.steamstatic.com/0%URL Reputationsafe
            http://store.steampowered.com/subscriber_agreement/0%URL Reputationsafe
            https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r10%URL Reputationsafe
            https://recaptcha.net/recaptcha/;0%URL Reputationsafe
            https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&amp;l=en0%URL Reputationsafe
            https://store.steampowered.com/stats/0%URL Reputationsafe
            https://medal.tv0%URL Reputationsafe
            https://broadcast.st.dl.eccdnx.com0%URL Reputationsafe
            https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=10%URL Reputationsafe
            https://store.steampowered.com/steam_refunds/0%URL Reputationsafe
            https://login.steampowered.com/0%URL Reputationsafe
            https://store.steampowered.com/legal/0%URL Reputationsafe
            https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&amp;l=e0%URL Reputationsafe
            https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv0%URL Reputationsafe
            https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&amp;l=engl0%URL Reputationsafe
            https://recaptcha.net0%URL Reputationsafe
            https://store.steampowered.com/0%URL Reputationsafe
            https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw0%URL Reputationsafe
            https://www.certum.pl/CPS00%URL Reputationsafe
            https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif0%URL Reputationsafe

            Domains and IPs

            Contacted Domains

            NameIPActiveMaliciousAntivirus DetectionReputation
            steamcommunity.com
            		104.102.49.254
            		truefalse
              		unknown
              gravvitywio.store
              		172.67.209.193
              		truetrue
                		unknown
                tryyudjasudqo.shop
                		unknown
                		unknowntrue
                  		unknown
                  keennylrwmqlw.shop
                  		unknown
                  		unknowntrue
                    		unknown
                    reggwardssdqw.shop
                    		unknown
                    		unknowntrue
                      		unknown
                      tesecuuweqo.shop
                      		unknown
                      		unknowntrue
                        		unknown
                        tendencctywop.shop
                        		unknown
                        		unknowntrue
                          		unknown
                          eemmbryequo.shop
                          		unknown
                          		unknowntrue
                            		unknown
                            licenseodqwmqn.shop
                            		unknown
                            		unknowntrue
                              		unknown
                              relaxatinownio.shop
                              		unknown
                              		unknowntrue
                                		unknown

                                Contacted URLs

                                NameMaliciousAntivirus DetectionReputation
                                relaxatinownio.shoptrue
                                  		unknown
                                  keennylrwmqlw.shoptrue
                                    		unknown
                                    tendencctywop.shoptrue
                                      		unknown
                                      tryyudjasudqo.shoptrue
                                        		unknown
                                        https://steamcommunity.com/profiles/76561199724331900true
                                        • URL Reputation: malware
                                        		unknown
                                        tesecuuweqo.shoptrue
                                          		unknown
                                          eemmbryequo.shoptrue
                                            		unknown
                                            reggwardssdqw.shoptrue
                                              		unknown
                                              licenseodqwmqn.shoptrue
                                                		unknown
                                                https://gravvitywio.store/apitrue
                                                  		unknown

                                                  URLs from Memory and Binaries

                                                  NameSourceMaliciousAntivirus DetectionReputation
                                                  https://player.vimeo.comBitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  		unknown
                                                  https://golang.org/doc/faq#nil_errorx509:N65c8rwdal.exefalse
                                                    		unknown
                                                    https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&ampBitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122409679.0000000003380000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      		unknown
                                                      https://tendencctywop.shop/BitLockerToGo.exe, 00000004.00000003.2133020363.00000000032F1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2135995706.00000000032F1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        		unknown
                                                        https://steamcommunity.com/?subsection=broadcastsBitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          		unknown
                                                          https://github.com/golang/protobuf/issues/1609):N65c8rwdal.exefalse
                                                            		unknown
                                                            https://store.steampowered.com/subscriber_agreement/BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            • URL Reputation: safe
                                                            		unknown
                                                            https://www.gstatic.cn/recaptcha/BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            • URL Reputation: safe
                                                            		unknown
                                                            https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6BitLockerToGo.exe, 00000004.00000002.2135995706.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2133020363.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            • URL Reputation: safe
                                                            		unknown
                                                            https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=w4s3BitLockerToGo.exe, 00000004.00000002.2135995706.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2133020363.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              		unknown
                                                              http://www.valvesoftware.com/legal.htmBitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              • URL Reputation: safe
                                                              		unknown
                                                              https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=pvBDaFhF2LLJ&amp;l=eBitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122409679.0000000003380000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                		unknown
                                                                https://www.youtube.comBitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  		unknown
                                                                  https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&ampBitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122409679.0000000003380000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  		unknown
                                                                  https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.pngBitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  		unknown
                                                                  https://gravvitywio.store/BitLockerToGo.exe, 00000004.00000003.2133020363.000000000332E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    		unknown
                                                                    https://www.google.comBitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      		unknown
                                                                      https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.pngBitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      • URL Reputation: safe
                                                                      		unknown
                                                                      https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&amp;BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122409679.0000000003380000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      • URL Reputation: safe
                                                                      		unknown
                                                                      https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20FeedbackBitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      • URL Reputation: safe
                                                                      		unknown
                                                                      https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tLBitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122409679.0000000003380000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      • URL Reputation: safe
                                                                      		unknown
                                                                      https://s.ytimg.com;BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        		unknown
                                                                        http://www.certum.pl/CPS0N65c8rwdal.exefalse
                                                                        • URL Reputation: safe
                                                                        		unknown
                                                                        https://steam.tv/BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        • URL Reputation: safe
                                                                        		unknown
                                                                        http://cevcsca2021.ocsp-certum.com07N65c8rwdal.exefalse
                                                                          		unknown
                                                                          https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&amp;l=englishBitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122409679.0000000003380000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          • URL Reputation: safe
                                                                          		unknown
                                                                          https://gravvitywio.store/)BitLockerToGo.exe, 00000004.00000002.2135995706.0000000003364000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2133020363.0000000003364000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            		unknown
                                                                            http://store.steampowered.com/privacy_agreement/BitLockerToGo.exe, 00000004.00000002.2135995706.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2137184864.0000000003398000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2133020363.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            		unknown
                                                                            https://store.steampowered.com/points/shop/BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            		unknown
                                                                            http://cevcsca2021.crl.certum.pl/cevcsca2021.crl0wN65c8rwdal.exefalse
                                                                              		unknown
                                                                              https://sketchfab.comBitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                		unknown
                                                                                https://gravvitywio.store/7BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003346000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2135995706.000000000332E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2133020363.000000000332E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  		unknown
                                                                                  https://lv.queniujq.cnBitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  		unknown
                                                                                  https://steamcommunity.com/profiles/76561199724331900/inventory/BitLockerToGo.exe, 00000004.00000002.2135995706.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2133020363.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmptrue
                                                                                  • URL Reputation: malware
                                                                                  		unknown
                                                                                  https://www.youtube.com/BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    		unknown
                                                                                    https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&aBitLockerToGo.exe, 00000004.00000002.2135995706.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2133020363.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      		unknown
                                                                                      https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpgBitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      • URL Reputation: safe
                                                                                      		unknown
                                                                                      https://store.steampowered.com/privacy_agreement/BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      • URL Reputation: safe
                                                                                      		unknown
                                                                                      https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&amp;l=enBitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        		unknown
                                                                                        https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122409679.0000000003380000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        • URL Reputation: safe
                                                                                        		unknown
                                                                                        https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&amBitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122409679.0000000003380000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        • URL Reputation: safe
                                                                                        		unknown
                                                                                        https://www.google.com/recaptcha/BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          		unknown
                                                                                          https://checkout.steampowered.com/BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          • URL Reputation: safe
                                                                                          		unknown
                                                                                          https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&amp;l=englishBitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122409679.0000000003380000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          • URL Reputation: safe
                                                                                          		unknown
                                                                                          https://gravvitywio.store:443/apifiles/76561199724331900BitLockerToGo.exe, 00000004.00000003.2133020363.00000000032FA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2135995706.00000000032FA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            		unknown
                                                                                            https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&amp;l=englishBitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122409679.0000000003380000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            • URL Reputation: safe
                                                                                            		unknown
                                                                                            https://management.azure.cominvalidN65c8rwdal.exefalse
                                                                                              		unknown
                                                                                              https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.pngBitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              • URL Reputation: safe
                                                                                              		unknown
                                                                                              https://avatars.akamai.steamstaticBitLockerToGo.exe, 00000004.00000003.2122409679.0000000003380000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2134186080.0000000003381000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                		unknown
                                                                                                https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&amp;l=englisBitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122409679.0000000003380000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                • URL Reputation: safe
                                                                                                		unknown
                                                                                                https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhCBitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122409679.0000000003380000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                • URL Reputation: safe
                                                                                                		unknown
                                                                                                https://store.steampowered.com/;BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                • URL Reputation: safe
                                                                                                		unknown
                                                                                                https://store.steampowered.com/about/BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                • URL Reputation: safe
                                                                                                		unknown
                                                                                                https://steamcommunity.com/my/wishlist/BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  		unknown
                                                                                                  https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&amp;l=englishBitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122409679.0000000003380000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  • URL Reputation: safe
                                                                                                  		unknown
                                                                                                  https://help.steampowered.com/en/BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  • URL Reputation: safe
                                                                                                  		unknown
                                                                                                  https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    		unknown
                                                                                                    https://steamcommunity.com/3yBitLockerToGo.exe, 00000004.00000002.2135995706.0000000003364000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2133020363.0000000003364000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      		unknown
                                                                                                      https://steamcommunity.com/market/BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        		unknown
                                                                                                        https://store.steampowered.com/news/BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        • URL Reputation: safe
                                                                                                        		unknown
                                                                                                        https://community.akamai.steamstatic.com/BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        • URL Reputation: safe
                                                                                                        		unknown
                                                                                                        https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=8vRVyaZKBitLockerToGo.exe, 00000004.00000002.2135995706.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2133020363.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          		unknown
                                                                                                          http://store.steampowered.com/subscriber_agreement/BitLockerToGo.exe, 00000004.00000002.2135995706.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2137184864.0000000003398000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2133020363.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          • URL Reputation: safe
                                                                                                          		unknown
                                                                                                          https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.orgBitLockerToGo.exe, 00000004.00000002.2135995706.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2137184864.0000000003398000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2133020363.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            		unknown
                                                                                                            https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122409679.0000000003380000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            • URL Reputation: safe
                                                                                                            		unknown
                                                                                                            https://recaptcha.net/recaptcha/;BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            • URL Reputation: safe
                                                                                                            		unknown
                                                                                                            http://repository.certum.pl/cevcsca2021.cer0N65c8rwdal.exefalse
                                                                                                              		unknown
                                                                                                              https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&amp;l=enBitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122409679.0000000003380000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              • URL Reputation: safe
                                                                                                              		unknown
                                                                                                              https://steamcommunity.com/discussions/BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                		unknown
                                                                                                                https://store.steampowered.com/stats/BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                		unknown
                                                                                                                https://medal.tvBitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                		unknown
                                                                                                                https://broadcast.st.dl.eccdnx.comBitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                		unknown
                                                                                                                https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1BitLockerToGo.exe, 00000004.00000002.2135995706.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2137184864.0000000003398000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2133020363.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                		unknown
                                                                                                                https://store.steampowered.com/steam_refunds/BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                		unknown
                                                                                                                https://gravvitywio.store/GBitLockerToGo.exe, 00000004.00000003.2122433497.0000000003346000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2135995706.000000000332E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2133020363.000000000332E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  		unknown
                                                                                                                  http://subca.ocsp-certum.com02N65c8rwdal.exefalse
                                                                                                                    		unknown
                                                                                                                    https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      		unknown
                                                                                                                      http://crl.certum.pl/ctnca2.crl0lN65c8rwdal.exefalse
                                                                                                                        		unknown
                                                                                                                        http://repository.certum.pl/ctnca2.cer09N65c8rwdal.exefalse
                                                                                                                          		unknown
                                                                                                                          https://steamcommunity.com/workshop/BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            		unknown
                                                                                                                            https://login.steampowered.com/BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            • URL Reputation: safe
                                                                                                                            		unknown
                                                                                                                            https://store.steampowered.com/legal/BitLockerToGo.exe, 00000004.00000002.2135995706.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2137184864.0000000003398000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2133020363.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            • URL Reputation: safe
                                                                                                                            		unknown
                                                                                                                            https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&amp;l=eBitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122409679.0000000003380000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            • URL Reputation: safe
                                                                                                                            		unknown
                                                                                                                            https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSvBitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122409679.0000000003380000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            • URL Reputation: safe
                                                                                                                            		unknown
                                                                                                                            https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&amp;l=englBitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            • URL Reputation: safe
                                                                                                                            		unknown
                                                                                                                            https://recaptcha.netBitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            • URL Reputation: safe
                                                                                                                            		unknown
                                                                                                                            https://store.steampowered.com/BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            • URL Reputation: safe
                                                                                                                            		unknown
                                                                                                                            https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvwBitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122409679.0000000003380000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            • URL Reputation: safe
                                                                                                                            		unknown
                                                                                                                            https://www.certum.pl/CPS0N65c8rwdal.exefalse
                                                                                                                            • URL Reputation: safe
                                                                                                                            		unknown
                                                                                                                            https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gifBitLockerToGo.exe, 00000004.00000002.2135995706.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2133020363.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            • URL Reputation: safe
                                                                                                                            		unknown

                                                                                                                            World Map of Contacted IPs

                                                                                                                            • No. of IPs < 25%
                                                                                                                            • 25% < No. of IPs < 50%
                                                                                                                            • 50% < No. of IPs < 75%
                                                                                                                            • 75% < No. of IPs

                                                                                                                            Public IPs

                                                                                                                            IPDomainCountryFlagASNASN NameMalicious
                                                                                                                            104.102.49.254
                                                                                                                            		steamcommunity.comUnited States
                                                                                                                            		16625AKAMAI-ASUSfalse
                                                                                                                            172.67.209.193
                                                                                                                            		gravvitywio.storeUnited States
                                                                                                                            		13335CLOUDFLARENETUStrue

                                                                                                                            General Information

                                                                                                                            Joe Sandbox version:41.0.0 Charoite
                                                                                                                            Analysis ID:1524038
                                                                                                                            Start date and time:2024-10-02 14:56:18 +02:00
                                                                                                                            Joe Sandbox product:CloudBasic
                                                                                                                            Overall analysis duration:0h 4m 6s
                                                                                                                            Hypervisor based Inspection enabled:false
                                                                                                                            Report type:full
                                                                                                                            Cookbook file name:default.jbs
                                                                                                                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                                            Number of analysed new started processes analysed:5
                                                                                                                            Number of new started drivers analysed:0
                                                                                                                            Number of existing processes analysed:0
                                                                                                                            Number of existing drivers analysed:0
                                                                                                                            Number of injected processes analysed:0
                                                                                                                            Technologies:
                                                                                                                            • HCA enabled
                                                                                                                            • EGA enabled
                                                                                                                            • AMSI enabled
                                                                                                                            Analysis Mode:default
                                                                                                                            Analysis stop reason:Timeout
                                                                                                                            Sample name:N65c8rwdal.exe
                                                                                                                            renamed because original name is a hash value
                                                                                                                            Original Sample Name:660b29ad23f61f5565629f60cf59f848fc54c2c6ebe29883976468232a693745.exe
                                                                                                                            Detection:MAL
                                                                                                                            Classification:mal93.troj.evad.winEXE@3/0@10/2
                                                                                                                            EGA Information:
                                                                                                                            • Successful, ratio: 50%
                                                                                                                            HCA Information:Failed
                                                                                                                            Cookbook Comments:
                                                                                                                            • Found application associated with file extension: .exe
                                                                                                                            • Stop behavior analysis, all processes terminated

                                                                                                                            Warnings

                                                                                                                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
                                                                                                                            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, 6.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                                                                            • Execution Graph export aborted for target N65c8rwdal.exe, PID 1848 because there are no executed function
                                                                                                                            • Not all processes where analyzed, report is missing behavior information
                                                                                                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                            • VT rate limit hit for: N65c8rwdal.exe

                                                                                                                            Simulations

                                                                                                                            Behavior and APIs

                                                                                                                            TimeTypeDescription
                                                                                                                            08:57:52API Interceptor2x Sleep call for process: BitLockerToGo.exe modified

                                                                                                                            Joe Sandbox View / Context

                                                                                                                            IPs

                                                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                            104.102.49.254http://gtm-cn-j4g3qqvf603.steamproxy1.com/Get hashmaliciousUnknownBrowse
                                                                                                                            • www.valvesoftware.com/legal.htm
                                                                                                                            172.67.209.193BW4pTs1x3V.exeGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                                                                              7wN7BF7WfX.exeGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                                                                                file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                                                                                                                  Google_Chrome.exeGet hashmaliciousLummaCBrowse
                                                                                                                                    https://finalstepgetshere.com/uploads/beta111.zipGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                                                                                      file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse

                                                                                                                                        Domains

                                                                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                        gravvitywio.storeBW4pTs1x3V.exeGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                                                                                        • 172.67.209.193
                                                                                                                                        7wN7BF7WfX.exeGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                                                                                        • 172.67.209.193
                                                                                                                                        file.exeGet hashmaliciousLummaC, PrivateLoader, Stealc, VidarBrowse
                                                                                                                                        • 104.21.16.12
                                                                                                                                        file.exeGet hashmaliciousLummaC, PrivateLoader, Stealc, VidarBrowse
                                                                                                                                        • 104.21.16.12
                                                                                                                                        b222.txt.ps1Get hashmaliciousLummaCBrowse
                                                                                                                                        • 104.21.16.12
                                                                                                                                        file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                                                                                                                        • 104.21.16.12
                                                                                                                                        file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                                                                                                                        • 172.67.209.193
                                                                                                                                        file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                                                                                                                        • 104.21.16.12
                                                                                                                                        Google_Chrome.exeGet hashmaliciousLummaCBrowse
                                                                                                                                        • 172.67.209.193
                                                                                                                                        https://finalstepgetshere.com/uploads/beta111.zipGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                                                                                        • 172.67.209.193
                                                                                                                                        steamcommunity.comBW4pTs1x3V.exeGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                                                                                        • 104.102.49.254
                                                                                                                                        7wN7BF7WfX.exeGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                                                                                        • 104.102.49.254
                                                                                                                                        file.exeGet hashmaliciousLummaC, PrivateLoader, Stealc, VidarBrowse
                                                                                                                                        • 104.102.49.254
                                                                                                                                        file.exeGet hashmaliciousLummaC, PrivateLoader, Stealc, VidarBrowse
                                                                                                                                        • 104.102.49.254
                                                                                                                                        b222.txt.ps1Get hashmaliciousLummaCBrowse
                                                                                                                                        • 104.102.49.254
                                                                                                                                        file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                                                                                                                        • 104.102.49.254
                                                                                                                                        file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                                                                                                                        • 104.102.49.254
                                                                                                                                        file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                                                                                                                        • 104.102.49.254
                                                                                                                                        Google_Chrome.exeGet hashmaliciousLummaCBrowse
                                                                                                                                        • 104.102.49.254
                                                                                                                                        https://finalstepgetshere.com/uploads/beta111.zipGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                                                                                        • 104.102.49.254

                                                                                                                                        ASNs

                                                                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                        AKAMAI-ASUSBW4pTs1x3V.exeGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                                                                                        • 104.102.49.254
                                                                                                                                        7wN7BF7WfX.exeGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                                                                                        • 104.102.49.254
                                                                                                                                        file.exeGet hashmaliciousLummaC, PrivateLoader, Stealc, VidarBrowse
                                                                                                                                        • 104.102.49.254
                                                                                                                                        eEu5xPVQUo.exeGet hashmaliciousRhysidaBrowse
                                                                                                                                        • 96.17.64.189
                                                                                                                                        62-3590.pdfGet hashmaliciousUnknownBrowse
                                                                                                                                        • 96.17.64.189
                                                                                                                                        DV2mrnfX2d.exeGet hashmaliciousRhysidaBrowse
                                                                                                                                        • 23.56.162.185
                                                                                                                                        eEu5xPVQUo.exeGet hashmaliciousRhysidaBrowse
                                                                                                                                        • 96.17.64.189
                                                                                                                                        Axactor Microsoft - Introduksjonsm#U00f8te.msgGet hashmaliciousEvilProxyBrowse
                                                                                                                                        • 2.19.126.151
                                                                                                                                        Axactor Microsoft - Introduksjonsm#U00f8te.msgGet hashmaliciousEvilProxyBrowse
                                                                                                                                        • 104.102.21.248
                                                                                                                                        563299efce875400a8d9b44b96597c8e-sample (1).zipGet hashmaliciousUnknownBrowse
                                                                                                                                        • 104.118.8.10
                                                                                                                                        CLOUDFLARENETUSBW4pTs1x3V.exeGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                                                                                        • 172.67.188.210
                                                                                                                                        7wN7BF7WfX.exeGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                                                                                        • 172.67.209.193
                                                                                                                                        file.exeGet hashmaliciousLummaC, PrivateLoader, Stealc, VidarBrowse
                                                                                                                                        • 172.67.140.92
                                                                                                                                        l5pPoBu9i3.exeGet hashmaliciousUnknownBrowse
                                                                                                                                        • 172.67.178.253
                                                                                                                                        z92BankPayment38_735.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                        • 104.26.12.205
                                                                                                                                        http://www.freemangas.comGet hashmaliciousUnknownBrowse
                                                                                                                                        • 172.67.74.221
                                                                                                                                        caZq8MavwF.exeGet hashmaliciousUnknownBrowse
                                                                                                                                        • 172.67.178.253
                                                                                                                                        http://freemangas.comGet hashmaliciousUnknownBrowse
                                                                                                                                        • 104.26.11.241
                                                                                                                                        72LZTFDM58.exeGet hashmaliciousUnknownBrowse
                                                                                                                                        • 172.67.178.253
                                                                                                                                        https://app.glorify.com/file/1193241?format=90Get hashmaliciousUnknownBrowse
                                                                                                                                        • 188.114.96.3

                                                                                                                                        JA3 Fingerprints

                                                                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                        a0e9f5d64349fb13191bc781f81f42e1BW4pTs1x3V.exeGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                                                                                        • 104.102.49.254
                                                                                                                                        • 172.67.209.193
                                                                                                                                        7wN7BF7WfX.exeGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                                                                                        • 104.102.49.254
                                                                                                                                        • 172.67.209.193
                                                                                                                                        file.exeGet hashmaliciousLummaC, PrivateLoader, Stealc, VidarBrowse
                                                                                                                                        • 104.102.49.254
                                                                                                                                        • 172.67.209.193
                                                                                                                                        file.exeGet hashmaliciousLummaC, PrivateLoader, Stealc, VidarBrowse
                                                                                                                                        • 104.102.49.254
                                                                                                                                        • 172.67.209.193
                                                                                                                                        FA_41_09_2024_.PDFGet hashmaliciousUnknownBrowse
                                                                                                                                        • 104.102.49.254
                                                                                                                                        • 172.67.209.193
                                                                                                                                        b222.txt.ps1Get hashmaliciousLummaCBrowse
                                                                                                                                        • 104.102.49.254
                                                                                                                                        • 172.67.209.193
                                                                                                                                        AMG Cargo Logistic.docxGet hashmaliciousUnknownBrowse
                                                                                                                                        • 104.102.49.254
                                                                                                                                        • 172.67.209.193
                                                                                                                                        file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                                                                                                                        • 104.102.49.254
                                                                                                                                        • 172.67.209.193
                                                                                                                                        file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                                                                                                                        • 104.102.49.254
                                                                                                                                        • 172.67.209.193
                                                                                                                                        file.exeGet hashmaliciousSmokeLoaderBrowse
                                                                                                                                        • 104.102.49.254
                                                                                                                                        • 172.67.209.193

                                                                                                                                        Dropped Files

                                                                                                                                        No context

                                                                                                                                        Created / dropped Files

                                                                                                                                        No created / dropped files found

                                                                                                                                        Static File Info

                                                                                                                                        General

                                                                                                                                        File type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
                                                                                                                                        Entropy (8bit):5.156563679187176
                                                                                                                                        TrID:
                                                                                                                                        • Win64 Executable (generic) (12005/4) 74.95%
                                                                                                                                        • Generic Win/DOS Executable (2004/3) 12.51%
                                                                                                                                        • DOS Executable Generic (2002/1) 12.50%
                                                                                                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
                                                                                                                                        File name:N65c8rwdal.exe
                                                                                                                                        File size:18'659'064 bytes
                                                                                                                                        MD5:ce773611c449cfa1f292fc805e532d2f
                                                                                                                                        SHA1:e566020de1c8557da9885dd36a6b7223c3567772
                                                                                                                                        SHA256:660b29ad23f61f5565629f60cf59f848fc54c2c6ebe29883976468232a693745
                                                                                                                                        SHA512:fda38e2d29283def4a22bbe4e0efebdb0c4c67379f948d13974ad798606a9d6c5de0d5497f37e20bc7311d8f67153e1daaae47fe5a129d7fe467c3f8672b33a0
                                                                                                                                        SSDEEP:98304:ulgeEJa0XcEXqcob9U/pdjG6tqKuCWnlfGkEAnVVvOG7C7fRStS/x:ulFSqcobwpdjG6tXKnFGdAnVV2H7Rkax
                                                                                                                                        TLSH:51173943E8A544E5C0ADD574856292667B70BC888B3037E32F60F7693F76BC0AEB9750
                                                                                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................$.Ne....................@..............................&...........`... ............................

                                                                                                                                        File Icon

                                                                                                                                        Icon Hash:2d2e3797b32b2b99

                                                                                                                                        Static PE Info

                                                                                                                                        General

                                                                                                                                        Entrypoint:0x1400014c0
                                                                                                                                        Entrypoint Section:.text
                                                                                                                                        Digitally signed:true
                                                                                                                                        Imagebase:0x140000000
                                                                                                                                        Subsystem:windows gui
                                                                                                                                        Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
                                                                                                                                        DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                                                        Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
                                                                                                                                        TLS Callbacks:0x4064a6e0, 0x1, 0x4064a6b0, 0x1, 0x4064e150, 0x1
                                                                                                                                        CLR (.Net) Version:
                                                                                                                                        OS Version Major:6
                                                                                                                                        OS Version Minor:1
                                                                                                                                        File Version Major:6
                                                                                                                                        File Version Minor:1
                                                                                                                                        Subsystem Version Major:6
                                                                                                                                        Subsystem Version Minor:1
                                                                                                                                        Import Hash:c595f1660e1a3c84f4d9b0761d23cd7a

                                                                                                                                        Authenticode Signature

                                                                                                                                        Signature Valid:true
                                                                                                                                        Signature Issuer:CN=Certum Extended Validation Code Signing 2021 CA, O=Asseco Data Systems S.A., C=PL
                                                                                                                                        Signature Validation Error:The operation completed successfully
                                                                                                                                        Error Number:0
                                                                                                                                        Not Before, Not After
                                                                                                                                        • 09/09/2024 10:06:13 09/09/2025 10:06:12
                                                                                                                                        Subject Chain
                                                                                                                                        • CN="Guizhou Sixuanda Technology Co., Ltd.", O="Guizhou Sixuanda Technology Co., Ltd.", L=Guiyang, S=Guizhou, C=CN, SERIALNUMBER=91520100MA6DNNXK11, OID.1.3.6.1.4.1.311.60.2.1.1=Guiyang, OID.1.3.6.1.4.1.311.60.2.1.2=Guizhou, OID.1.3.6.1.4.1.311.60.2.1.3=CN, OID.2.5.4.15=Private Organization
                                                                                                                                        Version:3
                                                                                                                                        Thumbprint MD5:62A1343435FC5131E11FA8C871BB3A1B
                                                                                                                                        Thumbprint SHA-1:A3AFF46C5F8E2A1F750C570698B864E75553E61F
                                                                                                                                        Thumbprint SHA-256:87D45B86DFCC84C5EF8338026C26F34935DBAA383A7DD583F48675AF77C957A4
                                                                                                                                        Serial:332576FE101609502C23F70055B4A3BE

                                                                                                                                        Entrypoint Preview

                                                                                                                                        Instruction
                                                                                                                                        dec eax
                                                                                                                                        sub esp, 28h
                                                                                                                                        dec eax
                                                                                                                                        mov eax, dword ptr [0117E7F5h]
                                                                                                                                        mov dword ptr [eax], 00000001h
                                                                                                                                        call 00007FE55165E4AFh
                                                                                                                                        nop
                                                                                                                                        nop
                                                                                                                                        dec eax
                                                                                                                                        add esp, 28h
                                                                                                                                        ret
                                                                                                                                        nop dword ptr [eax]
                                                                                                                                        dec eax
                                                                                                                                        sub esp, 28h
                                                                                                                                        dec eax
                                                                                                                                        mov eax, dword ptr [0117E7D5h]
                                                                                                                                        mov dword ptr [eax], 00000000h
                                                                                                                                        call 00007FE55165E48Fh
                                                                                                                                        nop
                                                                                                                                        nop
                                                                                                                                        dec eax
                                                                                                                                        add esp, 28h
                                                                                                                                        ret
                                                                                                                                        nop dword ptr [eax]
                                                                                                                                        dec eax
                                                                                                                                        sub esp, 28h
                                                                                                                                        call 00007FE551CB27ACh
                                                                                                                                        dec eax
                                                                                                                                        test eax, eax
                                                                                                                                        sete al
                                                                                                                                        movzx eax, al
                                                                                                                                        neg eax
                                                                                                                                        dec eax
                                                                                                                                        add esp, 28h
                                                                                                                                        ret
                                                                                                                                        nop
                                                                                                                                        nop
                                                                                                                                        nop
                                                                                                                                        nop
                                                                                                                                        nop
                                                                                                                                        nop
                                                                                                                                        nop
                                                                                                                                        dec eax
                                                                                                                                        lea ecx, dword ptr [00000009h]
                                                                                                                                        jmp 00007FE55165E7C9h
                                                                                                                                        nop dword ptr [eax+00h]
                                                                                                                                        ret
                                                                                                                                        nop
                                                                                                                                        nop
                                                                                                                                        nop
                                                                                                                                        nop
                                                                                                                                        nop
                                                                                                                                        nop
                                                                                                                                        nop
                                                                                                                                        nop
                                                                                                                                        nop
                                                                                                                                        nop
                                                                                                                                        nop
                                                                                                                                        nop
                                                                                                                                        nop
                                                                                                                                        nop
                                                                                                                                        nop
                                                                                                                                        jmp dword ptr [eax]
                                                                                                                                        inc edi
                                                                                                                                        outsd
                                                                                                                                        and byte ptr [edx+75h], ah
                                                                                                                                        imul ebp, dword ptr [esp+20h], 203A4449h
                                                                                                                                        and ch, byte ptr [eax+62h]
                                                                                                                                        xor al, 6Ah
                                                                                                                                        cmp byte ptr [edx+47h], dl
                                                                                                                                        push ecx
                                                                                                                                        jp 00007FE55165E838h
                                                                                                                                        insb
                                                                                                                                        jne 00007FE55165E855h
                                                                                                                                        outsd
                                                                                                                                        popad
                                                                                                                                        jnbe 00007FE55165E835h
                                                                                                                                        xor byte ptr [edi+ebp+7Ah], dh
                                                                                                                                        insb
                                                                                                                                        xor dword ptr [ebp+32h], eax
                                                                                                                                        outsb
                                                                                                                                        inc ecx
                                                                                                                                        jno 00007FE55165E82Bh
                                                                                                                                        imul edx, dword ptr [edx+4Ah], 68h
                                                                                                                                        xor eax, 4C537268h
                                                                                                                                        pop edi
                                                                                                                                        jnc 00007FE55165E821h
                                                                                                                                        inc ebx
                                                                                                                                        cmp dword ptr [ecx+43h], esp
                                                                                                                                        inc dx
                                                                                                                                        cmp byte ptr [ebx+4Eh], dl
                                                                                                                                        jns 00007FE55165E83Ch
                                                                                                                                        jbe 00007FE55165E845h

                                                                                                                                        Data Directories

                                                                                                                                        NameVirtual AddressVirtual Size Is in Section
                                                                                                                                        IMAGE_DIRECTORY_ENTRY_EXPORT0x12440000x4e.edata
                                                                                                                                        IMAGE_DIRECTORY_ENTRY_IMPORT0x12450000x1458.idata
                                                                                                                                        IMAGE_DIRECTORY_ENTRY_RESOURCE0x12490000x1f30.rsrc
                                                                                                                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION0x11810000x25350.pdata
                                                                                                                                        IMAGE_DIRECTORY_ENTRY_SECURITY0x11c8e000x28f8.bss
                                                                                                                                        IMAGE_DIRECTORY_ENTRY_BASERELOC0x124b0000x20228.reloc
                                                                                                                                        IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                                                                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                                                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                                                                        IMAGE_DIRECTORY_ENTRY_TLS0x117f6200x28.rdata
                                                                                                                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                                                                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                                                                        IMAGE_DIRECTORY_ENTRY_IAT0x12454940x458.idata
                                                                                                                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                                                                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                                                                                                        IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                                                                                        Sections

                                                                                                                                        NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                                                                        .text0x10000x654c800x654e00fda550a734580211cde89d844e8d9eb1unknownunknownunknownunknownIMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                                                                        .data0x6560000x6b2100x6b4003fa6098a07bfe4242ed0ddd18ce5f785False0.29819984702797203dBase III DBT, version number 0, next free block index 10, 1st item "go-ansiterm\011v0.0.0-20210617225240-d185dfc1b5a1\011h1:UQHMgLO+TxOElx5B5HZ4hJQsoJ/PvUvKRhJHDQXO8P8="4.758040089307396IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                                        .rdata0x6c20000xabe4700xabe600ad908459379c27637b9c210df794fb4cunknownunknownunknownunknownIMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
                                                                                                                                        .pdata0x11810000x253500x25400ade85fddd8c07bbbedd37cfa9f33912eFalse0.39910601929530204data5.9332396503326095IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
                                                                                                                                        .xdata0x11a70000xc600xe00226f09b83b99d40ae214b0e573668d0aFalse0.25892857142857145data3.997443827295808IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
                                                                                                                                        .bss0x11a80000x9b5000x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                                        .edata0x12440000x4e0x200c99357cce46ad9740ecb4492761aef5bFalse0.130859375data0.9129839636227094IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
                                                                                                                                        .idata0x12450000x14580x1600195479b7fba0610d83cde5032001a0e2False0.2979403409090909data4.559843882253519IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                                        .CRT0x12470000x700x20075d20221d911ae980a5577dcc55cf7fdFalse0.08203125data0.47139462148086453IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                                        .tls0x12480000x100x200bf619eac0cdf3f68d496ea9344137e8bFalse0.02734375data0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                                        .rsrc0x12490000x1f300x2000a008a8e066291785e3c7a71cc85ea2b0False0.3314208984375data4.659902276453383IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                                        .reloc0x124b0000x202280x204000fd7b5011c0e5ab1baa7c4224d2ccda9False0.21373849321705427data5.444275683309625IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                                                                        Resources

                                                                                                                                        NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                                                                                        RT_ICON0x12491d40x128Device independent bitmap graphic, 16 x 32 x 4, image size 192EnglishUnited States0.5675675675675675
                                                                                                                                        RT_ICON0x12492fc0x568Device independent bitmap graphic, 16 x 32 x 8, image size 320EnglishUnited States0.4486994219653179
                                                                                                                                        RT_ICON0x12498640x2e8Device independent bitmap graphic, 32 x 64 x 4, image size 640EnglishUnited States0.4637096774193548
                                                                                                                                        RT_ICON0x1249b4c0x8a8Device independent bitmap graphic, 32 x 64 x 8, image size 1152EnglishUnited States0.3935018050541516
                                                                                                                                        RT_GROUP_ICON0x124a3f40x3edataEnglishUnited States0.8387096774193549
                                                                                                                                        RT_VERSION0x124a4340x4d0data0.2792207792207792
                                                                                                                                        RT_MANIFEST0x124a9040x62cXML 1.0 document, ASCII text, with CRLF line terminatorsEnglishUnited States0.4240506329113924

                                                                                                                                        Imports

                                                                                                                                        DLLImport
                                                                                                                                        KERNEL32.dllAddAtomA, AddVectoredContinueHandler, AddVectoredExceptionHandler, CloseHandle, CreateEventA, CreateFileA, CreateIoCompletionPort, CreateMutexA, CreateSemaphoreA, CreateThread, CreateWaitableTimerExW, DeleteAtom, DeleteCriticalSection, DuplicateHandle, EnterCriticalSection, ExitProcess, FindAtomA, FormatMessageA, FreeEnvironmentStringsW, GetAtomNameA, GetConsoleMode, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetEnvironmentStringsW, GetErrorMode, GetHandleInformation, GetLastError, GetProcAddress, GetProcessAffinityMask, GetQueuedCompletionStatusEx, GetStartupInfoA, GetStdHandle, GetSystemDirectoryA, GetSystemInfo, GetSystemTimeAsFileTime, GetThreadContext, GetThreadPriority, GetTickCount, InitializeCriticalSection, IsDBCSLeadByteEx, IsDebuggerPresent, LeaveCriticalSection, LoadLibraryExW, LoadLibraryW, LocalFree, MultiByteToWideChar, OpenProcess, OutputDebugStringA, PostQueuedCompletionStatus, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseException, RaiseFailFastException, ReleaseMutex, ReleaseSemaphore, RemoveVectoredExceptionHandler, ResetEvent, ResumeThread, RtlLookupFunctionEntry, RtlVirtualUnwind, SetConsoleCtrlHandler, SetErrorMode, SetEvent, SetLastError, SetProcessAffinityMask, SetProcessPriorityBoost, SetThreadContext, SetThreadPriority, SetUnhandledExceptionFilter, SetWaitableTimer, Sleep, SuspendThread, SwitchToThread, TlsAlloc, TlsGetValue, TlsSetValue, TryEnterCriticalSection, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WerGetFlags, WerSetFlags, WideCharToMultiByte, WriteConsoleW, WriteFile, __C_specific_handler
                                                                                                                                        msvcrt.dll___lc_codepage_func, ___mb_cur_max_func, __getmainargs, __initenv, __iob_func, __lconv_init, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _beginthread, _beginthreadex, _cexit, _commode, _endthreadex, _errno, _fmode, _initterm, _lock, _memccpy, _onexit, _setjmp, _strdup, _ultoa, _unlock, abort, calloc, exit, fprintf, fputc, free, fwrite, localeconv, longjmp, malloc, memcpy, memmove, memset, printf, realloc, signal, strerror, strlen, strncmp, vfprintf, wcslen

                                                                                                                                        Exports

                                                                                                                                        NameOrdinalAddress
                                                                                                                                        _cgo_dummy_export10x141242730

                                                                                                                                        Possible Origin

                                                                                                                                        Language of compilation systemCountry where language is spokenMap
                                                                                                                                        EnglishUnited States

                                                                                                                                        Network Behavior

                                                                                                                                        Suricata IDS Alerts

                                                                                                                                        TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                                                                                        2024-10-02T14:57:53.034351+02002055891ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tendencctywop .shop)1192.168.2.4511811.1.1.153UDP
                                                                                                                                        2024-10-02T14:57:53.046046+02002055881ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (keennylrwmqlw .shop)1192.168.2.4501011.1.1.153UDP
                                                                                                                                        2024-10-02T14:57:53.058384+02002055883ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licenseodqwmqn .shop)1192.168.2.4513071.1.1.153UDP
                                                                                                                                        2024-10-02T14:57:53.071375+02002055893ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tesecuuweqo .shop)1192.168.2.4642811.1.1.153UDP
                                                                                                                                        2024-10-02T14:57:53.084026+02002055887ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (relaxatinownio .shop)1192.168.2.4544791.1.1.153UDP
                                                                                                                                        2024-10-02T14:57:53.096189+02002055885ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (reggwardssdqw .shop)1192.168.2.4524541.1.1.153UDP
                                                                                                                                        2024-10-02T14:57:53.109771+02002055879ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eemmbryequo .shop)1192.168.2.4591551.1.1.153UDP
                                                                                                                                        2024-10-02T14:57:53.120977+02002055895ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tryyudjasudqo .shop)1192.168.2.4572131.1.1.153UDP
                                                                                                                                        2024-10-02T14:57:55.706081+02002049836ET MALWARE Lumma Stealer Related Activity1192.168.2.453478172.67.209.193443TCP
                                                                                                                                        2024-10-02T14:57:55.706081+02002054653ET MALWARE Lumma Stealer CnC Host Checkin1192.168.2.453478172.67.209.193443TCP

                                                                                                                                        Network Port Distribution

                                                                                                                                        TCP Packets

                                                                                                                                        TimestampSource PortDest PortSource IPDest IP
                                                                                                                                        Oct 2, 2024 14:57:53.147927046 CEST53475443192.168.2.4104.102.49.254
                                                                                                                                        Oct 2, 2024 14:57:53.147983074 CEST44353475104.102.49.254192.168.2.4
                                                                                                                                        Oct 2, 2024 14:57:53.148098946 CEST53475443192.168.2.4104.102.49.254
                                                                                                                                        Oct 2, 2024 14:57:53.151612043 CEST53475443192.168.2.4104.102.49.254
                                                                                                                                        Oct 2, 2024 14:57:53.151639938 CEST44353475104.102.49.254192.168.2.4
                                                                                                                                        Oct 2, 2024 14:57:53.824489117 CEST44353475104.102.49.254192.168.2.4
                                                                                                                                        Oct 2, 2024 14:57:53.824564934 CEST53475443192.168.2.4104.102.49.254
                                                                                                                                        Oct 2, 2024 14:57:53.836054087 CEST53475443192.168.2.4104.102.49.254
                                                                                                                                        Oct 2, 2024 14:57:53.836090088 CEST44353475104.102.49.254192.168.2.4
                                                                                                                                        Oct 2, 2024 14:57:53.836399078 CEST44353475104.102.49.254192.168.2.4
                                                                                                                                        Oct 2, 2024 14:57:53.887732029 CEST53475443192.168.2.4104.102.49.254
                                                                                                                                        Oct 2, 2024 14:57:53.944667101 CEST53475443192.168.2.4104.102.49.254
                                                                                                                                        Oct 2, 2024 14:57:53.987413883 CEST44353475104.102.49.254192.168.2.4
                                                                                                                                        Oct 2, 2024 14:57:54.418662071 CEST44353475104.102.49.254192.168.2.4
                                                                                                                                        Oct 2, 2024 14:57:54.418699026 CEST44353475104.102.49.254192.168.2.4
                                                                                                                                        Oct 2, 2024 14:57:54.418706894 CEST44353475104.102.49.254192.168.2.4
                                                                                                                                        Oct 2, 2024 14:57:54.418725014 CEST44353475104.102.49.254192.168.2.4
                                                                                                                                        Oct 2, 2024 14:57:54.418732882 CEST44353475104.102.49.254192.168.2.4
                                                                                                                                        Oct 2, 2024 14:57:54.418750048 CEST53475443192.168.2.4104.102.49.254
                                                                                                                                        Oct 2, 2024 14:57:54.418778896 CEST44353475104.102.49.254192.168.2.4
                                                                                                                                        Oct 2, 2024 14:57:54.418801069 CEST53475443192.168.2.4104.102.49.254
                                                                                                                                        Oct 2, 2024 14:57:54.418827057 CEST53475443192.168.2.4104.102.49.254
                                                                                                                                        Oct 2, 2024 14:57:54.524034977 CEST44353475104.102.49.254192.168.2.4
                                                                                                                                        Oct 2, 2024 14:57:54.524063110 CEST44353475104.102.49.254192.168.2.4
                                                                                                                                        Oct 2, 2024 14:57:54.524162054 CEST53475443192.168.2.4104.102.49.254
                                                                                                                                        Oct 2, 2024 14:57:54.524184942 CEST44353475104.102.49.254192.168.2.4
                                                                                                                                        Oct 2, 2024 14:57:54.524190903 CEST53475443192.168.2.4104.102.49.254
                                                                                                                                        Oct 2, 2024 14:57:54.525597095 CEST53475443192.168.2.4104.102.49.254
                                                                                                                                        Oct 2, 2024 14:57:54.529370070 CEST44353475104.102.49.254192.168.2.4
                                                                                                                                        Oct 2, 2024 14:57:54.529468060 CEST44353475104.102.49.254192.168.2.4
                                                                                                                                        Oct 2, 2024 14:57:54.529468060 CEST53475443192.168.2.4104.102.49.254
                                                                                                                                        Oct 2, 2024 14:57:54.531816959 CEST53475443192.168.2.4104.102.49.254
                                                                                                                                        Oct 2, 2024 14:57:54.649462938 CEST53475443192.168.2.4104.102.49.254
                                                                                                                                        Oct 2, 2024 14:57:54.649494886 CEST44353475104.102.49.254192.168.2.4
                                                                                                                                        Oct 2, 2024 14:57:54.649507999 CEST53475443192.168.2.4104.102.49.254
                                                                                                                                        Oct 2, 2024 14:57:54.649513960 CEST44353475104.102.49.254192.168.2.4
                                                                                                                                        Oct 2, 2024 14:57:54.676923037 CEST53478443192.168.2.4172.67.209.193
                                                                                                                                        Oct 2, 2024 14:57:54.676958084 CEST44353478172.67.209.193192.168.2.4
                                                                                                                                        Oct 2, 2024 14:57:54.677300930 CEST53478443192.168.2.4172.67.209.193
                                                                                                                                        Oct 2, 2024 14:57:54.677736044 CEST53478443192.168.2.4172.67.209.193
                                                                                                                                        Oct 2, 2024 14:57:54.677750111 CEST44353478172.67.209.193192.168.2.4
                                                                                                                                        Oct 2, 2024 14:57:55.154345036 CEST44353478172.67.209.193192.168.2.4
                                                                                                                                        Oct 2, 2024 14:57:55.154438019 CEST53478443192.168.2.4172.67.209.193
                                                                                                                                        Oct 2, 2024 14:57:55.156183958 CEST53478443192.168.2.4172.67.209.193
                                                                                                                                        Oct 2, 2024 14:57:55.156198978 CEST44353478172.67.209.193192.168.2.4
                                                                                                                                        Oct 2, 2024 14:57:55.156518936 CEST44353478172.67.209.193192.168.2.4
                                                                                                                                        Oct 2, 2024 14:57:55.157852888 CEST53478443192.168.2.4172.67.209.193
                                                                                                                                        Oct 2, 2024 14:57:55.158425093 CEST53478443192.168.2.4172.67.209.193
                                                                                                                                        Oct 2, 2024 14:57:55.158447027 CEST44353478172.67.209.193192.168.2.4
                                                                                                                                        Oct 2, 2024 14:57:55.706115961 CEST44353478172.67.209.193192.168.2.4
                                                                                                                                        Oct 2, 2024 14:57:55.706222057 CEST44353478172.67.209.193192.168.2.4
                                                                                                                                        Oct 2, 2024 14:57:55.707143068 CEST53478443192.168.2.4172.67.209.193
                                                                                                                                        Oct 2, 2024 14:57:55.707143068 CEST53478443192.168.2.4172.67.209.193
                                                                                                                                        Oct 2, 2024 14:57:55.707143068 CEST53478443192.168.2.4172.67.209.193
                                                                                                                                        Oct 2, 2024 14:57:56.012732029 CEST53478443192.168.2.4172.67.209.193
                                                                                                                                        Oct 2, 2024 14:57:56.012761116 CEST44353478172.67.209.193192.168.2.4

                                                                                                                                        UDP Packets

                                                                                                                                        TimestampSource PortDest PortSource IPDest IP
                                                                                                                                        Oct 2, 2024 14:57:52.792064905 CEST5357359162.159.36.2192.168.2.4
                                                                                                                                        Oct 2, 2024 14:57:53.034351110 CEST5118153192.168.2.41.1.1.1
                                                                                                                                        Oct 2, 2024 14:57:53.043817997 CEST53511811.1.1.1192.168.2.4
                                                                                                                                        Oct 2, 2024 14:57:53.046046019 CEST5010153192.168.2.41.1.1.1
                                                                                                                                        Oct 2, 2024 14:57:53.054792881 CEST53501011.1.1.1192.168.2.4
                                                                                                                                        Oct 2, 2024 14:57:53.058383942 CEST5130753192.168.2.41.1.1.1
                                                                                                                                        Oct 2, 2024 14:57:53.067482948 CEST53513071.1.1.1192.168.2.4
                                                                                                                                        Oct 2, 2024 14:57:53.071374893 CEST6428153192.168.2.41.1.1.1
                                                                                                                                        Oct 2, 2024 14:57:53.080862999 CEST53642811.1.1.1192.168.2.4
                                                                                                                                        Oct 2, 2024 14:57:53.084026098 CEST5447953192.168.2.41.1.1.1
                                                                                                                                        Oct 2, 2024 14:57:53.093161106 CEST53544791.1.1.1192.168.2.4
                                                                                                                                        Oct 2, 2024 14:57:53.096189022 CEST5245453192.168.2.41.1.1.1
                                                                                                                                        Oct 2, 2024 14:57:53.107214928 CEST53524541.1.1.1192.168.2.4
                                                                                                                                        Oct 2, 2024 14:57:53.109771013 CEST5915553192.168.2.41.1.1.1
                                                                                                                                        Oct 2, 2024 14:57:53.118643045 CEST53591551.1.1.1192.168.2.4
                                                                                                                                        Oct 2, 2024 14:57:53.120976925 CEST5721353192.168.2.41.1.1.1
                                                                                                                                        Oct 2, 2024 14:57:53.131154060 CEST53572131.1.1.1192.168.2.4
                                                                                                                                        Oct 2, 2024 14:57:53.135340929 CEST4915553192.168.2.41.1.1.1
                                                                                                                                        Oct 2, 2024 14:57:53.143120050 CEST53491551.1.1.1192.168.2.4
                                                                                                                                        Oct 2, 2024 14:57:53.279901981 CEST53635191.1.1.1192.168.2.4
                                                                                                                                        Oct 2, 2024 14:57:54.666655064 CEST5367153192.168.2.41.1.1.1
                                                                                                                                        Oct 2, 2024 14:57:54.676281929 CEST53536711.1.1.1192.168.2.4

                                                                                                                                        DNS Queries

                                                                                                                                        TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                                                                        Oct 2, 2024 14:57:53.034351110 CEST192.168.2.41.1.1.10x730bStandard query (0)tendencctywop.shopA (IP address)IN (0x0001)false
                                                                                                                                        Oct 2, 2024 14:57:53.046046019 CEST192.168.2.41.1.1.10xf44cStandard query (0)keennylrwmqlw.shopA (IP address)IN (0x0001)false
                                                                                                                                        Oct 2, 2024 14:57:53.058383942 CEST192.168.2.41.1.1.10xe692Standard query (0)licenseodqwmqn.shopA (IP address)IN (0x0001)false
                                                                                                                                        Oct 2, 2024 14:57:53.071374893 CEST192.168.2.41.1.1.10x875fStandard query (0)tesecuuweqo.shopA (IP address)IN (0x0001)false
                                                                                                                                        Oct 2, 2024 14:57:53.084026098 CEST192.168.2.41.1.1.10xcff6Standard query (0)relaxatinownio.shopA (IP address)IN (0x0001)false
                                                                                                                                        Oct 2, 2024 14:57:53.096189022 CEST192.168.2.41.1.1.10xb04cStandard query (0)reggwardssdqw.shopA (IP address)IN (0x0001)false
                                                                                                                                        Oct 2, 2024 14:57:53.109771013 CEST192.168.2.41.1.1.10xc9ccStandard query (0)eemmbryequo.shopA (IP address)IN (0x0001)false
                                                                                                                                        Oct 2, 2024 14:57:53.120976925 CEST192.168.2.41.1.1.10x1f48Standard query (0)tryyudjasudqo.shopA (IP address)IN (0x0001)false
                                                                                                                                        Oct 2, 2024 14:57:53.135340929 CEST192.168.2.41.1.1.10xe307Standard query (0)steamcommunity.comA (IP address)IN (0x0001)false
                                                                                                                                        Oct 2, 2024 14:57:54.666655064 CEST192.168.2.41.1.1.10x6cd9Standard query (0)gravvitywio.storeA (IP address)IN (0x0001)false

                                                                                                                                        DNS Answers

                                                                                                                                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                                                                        Oct 2, 2024 14:57:53.043817997 CEST1.1.1.1192.168.2.40x730bName error (3)tendencctywop.shopnonenoneA (IP address)IN (0x0001)false
                                                                                                                                        Oct 2, 2024 14:57:53.054792881 CEST1.1.1.1192.168.2.40xf44cName error (3)keennylrwmqlw.shopnonenoneA (IP address)IN (0x0001)false
                                                                                                                                        Oct 2, 2024 14:57:53.067482948 CEST1.1.1.1192.168.2.40xe692Name error (3)licenseodqwmqn.shopnonenoneA (IP address)IN (0x0001)false
                                                                                                                                        Oct 2, 2024 14:57:53.080862999 CEST1.1.1.1192.168.2.40x875fName error (3)tesecuuweqo.shopnonenoneA (IP address)IN (0x0001)false
                                                                                                                                        Oct 2, 2024 14:57:53.093161106 CEST1.1.1.1192.168.2.40xcff6Name error (3)relaxatinownio.shopnonenoneA (IP address)IN (0x0001)false
                                                                                                                                        Oct 2, 2024 14:57:53.107214928 CEST1.1.1.1192.168.2.40xb04cName error (3)reggwardssdqw.shopnonenoneA (IP address)IN (0x0001)false
                                                                                                                                        Oct 2, 2024 14:57:53.118643045 CEST1.1.1.1192.168.2.40xc9ccName error (3)eemmbryequo.shopnonenoneA (IP address)IN (0x0001)false
                                                                                                                                        Oct 2, 2024 14:57:53.131154060 CEST1.1.1.1192.168.2.40x1f48Name error (3)tryyudjasudqo.shopnonenoneA (IP address)IN (0x0001)false
                                                                                                                                        Oct 2, 2024 14:57:53.143120050 CEST1.1.1.1192.168.2.40xe307No error (0)steamcommunity.com104.102.49.254A (IP address)IN (0x0001)false
                                                                                                                                        Oct 2, 2024 14:57:54.676281929 CEST1.1.1.1192.168.2.40x6cd9No error (0)gravvitywio.store172.67.209.193A (IP address)IN (0x0001)false
                                                                                                                                        Oct 2, 2024 14:57:54.676281929 CEST1.1.1.1192.168.2.40x6cd9No error (0)gravvitywio.store104.21.16.12A (IP address)IN (0x0001)false

                                                                                                                                        HTTP Request Dependency Graph

                                                                                                                                        • steamcommunity.com
                                                                                                                                        • gravvitywio.store

                                                                                                                                        HTTPS Proxied Packets

                                                                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                        0192.168.2.453475104.102.49.2544432472C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                                                                                                                        TimestampBytes transferredDirectionData
                                                                                                                                        2024-10-02 12:57:53 UTC219OUTGET /profiles/76561199724331900 HTTP/1.1
                                                                                                                                        Connection: Keep-Alive
                                                                                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                        Host: steamcommunity.com
                                                                                                                                        2024-10-02 12:57:54 UTC1870INHTTP/1.1 200 OK
                                                                                                                                        Server: nginx
                                                                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                                                                        Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED]
                                                                                                                                        Expires: Mon, 26 Jul 1997 05:00:00 GMT
                                                                                                                                        Cache-Control: no-cache
                                                                                                                                        Date: Wed, 02 Oct 2024 12:57:54 GMT
                                                                                                                                        Content-Length: 34837
                                                                                                                                        Connection: close
                                                                                                                                        Set-Cookie: sessionid=ddc48adf4c26a1daef2f018f; Path=/; Secure; SameSite=None
                                                                                                                                        Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
                                                                                                                                        2024-10-02 12:57:54 UTC14514INData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c
                                                                                                                                        Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
                                                                                                                                        2024-10-02 12:57:54 UTC16384INData Raw: 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0d 0a 09 09 6a 51 75 65 72 79 28 66 75 6e 63 74 69 6f 6e 28 24 29 20 7b 0d 0a 09 09 09 24 28 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 27 29 2e 76 5f 74 6f 6f 6c 74 69 70 28 7b 27 6c 6f 63 61 74 69 6f 6e 27 3a 27 62 6f 74 74 6f 6d 27 2c 20 27 64 65 73 74 72 6f 79 57 68 65 6e 44 6f 6e 65 27 3a 20 66 61 6c 73 65 2c 20 27 74 6f 6f 6c 74 69 70 43 6c 61 73 73 27 3a 20 27 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 65 6e 74 27 2c 20 27 6f 66 66 73 65 74 59 27 3a 2d 36 2c 20 27 6f 66 66 73 65 74 58 27 3a 20 31 2c 20 27 68 6f 72 69 7a 6f 6e 74 61 6c 53 6e 61 70 27 3a 20 34 2c 20 27 74 6f 6f 6c 74 69 70 50 61 72 65 6e 74 27 3a 20 27 23 67 6c 6f
                                                                                                                                        Data Ascii: <script type="text/javascript">jQuery(function($) {$('#global_header .supernav').v_tooltip({'location':'bottom', 'destroyWhenDone': false, 'tooltipClass': 'supernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#glo
                                                                                                                                        2024-10-02 12:57:54 UTC3768INData Raw: 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 73 75 6d 6d 61 72 79 5f 66 6f 6f 74 65 72 22 3e 0d 0a 09 09 09 09 09 09 09 3c 73 70 61 6e 20 64 61 74 61 2d 70 61 6e 65 6c 3d 22 7b 26 71 75 6f 74 3b 66 6f 63 75 73 61 62 6c 65 26 71 75 6f 74 3b 3a 74 72 75 65 2c 26 71 75 6f 74 3b 63 6c 69 63 6b 4f 6e 41 63 74 69 76 61 74 65 26 71 75 6f 74 3b 3a 74 72 75 65 7d 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 3e 56 69 65 77 20 6d 6f 72 65 20 69 6e 66 6f 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 20 24 4a 28 20 66 75 6e 63 74 69 6f 6e 28 29
                                                                                                                                        Data Ascii: <div class="profile_summary_footer"><span data-panel="{&quot;focusable&quot;:true,&quot;clickOnActivate&quot;:true}" class="whiteLink" class="whiteLink">View more info</span></div><script type="text/javascript"> $J( function()
                                                                                                                                        2024-10-02 12:57:54 UTC171INData Raw: 09 3c 73 70 61 6e 3e 56 69 65 77 20 6d 6f 62 69 6c 65 20 77 65 62 73 69 74 65 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 0d 0a 09 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 63 6f 6e 74 65 6e 74 20 2d 2d 3e 0d 0a 0d 0a 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 66 72 61 6d 65 20 2d 2d 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e
                                                                                                                                        Data Ascii: <span>View mobile website</span></div></div></div></div>... responsive_page_content --></div>... responsive_page_frame --></body></html>


                                                                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                        1192.168.2.453478172.67.209.1934432472C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                                                                                                                        TimestampBytes transferredDirectionData
                                                                                                                                        2024-10-02 12:57:55 UTC264OUTPOST /api HTTP/1.1
                                                                                                                                        Connection: Keep-Alive
                                                                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                        Content-Length: 8
                                                                                                                                        Host: gravvitywio.store
                                                                                                                                        2024-10-02 12:57:55 UTC8OUTData Raw: 61 63 74 3d 6c 69 66 65
                                                                                                                                        Data Ascii: act=life
                                                                                                                                        2024-10-02 12:57:55 UTC772INHTTP/1.1 200 OK
                                                                                                                                        Date: Wed, 02 Oct 2024 12:57:55 GMT
                                                                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                                                                        Transfer-Encoding: chunked
                                                                                                                                        Connection: close
                                                                                                                                        Set-Cookie: PHPSESSID=9cncbpgj2qomhcbc2mbpi698se; expires=Sun, 26 Jan 2025 06:44:34 GMT; Max-Age=9999999; path=/
                                                                                                                                        Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                        Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                        Pragma: no-cache
                                                                                                                                        CF-Cache-Status: DYNAMIC
                                                                                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=g125rCvDp5YRfqx%2FbATKd2xX25VbrzizXTZMuoOFL94ATzPBPuVyBv2tjBrjgLXTAivK1GSDnOHMqeRMNvUt087fZNQX6dMcyxxeGdwmgdAtrN2gATw8%2FJlyoBHIoenCoGZCXw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                        Server: cloudflare
                                                                                                                                        CF-RAY: 8cc4dc68285f436d-EWR
                                                                                                                                        2024-10-02 12:57:55 UTC15INData Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
                                                                                                                                        Data Ascii: aerror #D12
                                                                                                                                        2024-10-02 12:57:55 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                                        Data Ascii: 0


                                                                                                                                        Statistics

                                                                                                                                        CPU Usage

                                                                                                                                        Click to jump to process

                                                                                                                                        Memory Usage

                                                                                                                                        Click to jump to process

                                                                                                                                        High Level Behavior Distribution

                                                                                                                                        Click to dive into process behavior distribution

                                                                                                                                        Behavior

                                                                                                                                        Click to jump to process

                                                                                                                                        System Behavior

                                                                                                                                        General

                                                                                                                                        Target ID:0
                                                                                                                                        Start time:08:57:09
                                                                                                                                        Start date:02/10/2024
                                                                                                                                        Path:C:\Users\user\Desktop\N65c8rwdal.exe
                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                        Commandline:"C:\Users\user\Desktop\N65c8rwdal.exe"
                                                                                                                                        Imagebase:0x7ff72f4b0000
                                                                                                                                        File size:18'659'064 bytes
                                                                                                                                        MD5 hash:CE773611C449CFA1F292FC805E532D2F
                                                                                                                                        Has elevated privileges:true
                                                                                                                                        Has administrator privileges:true
                                                                                                                                        Programmed in:Go lang
                                                                                                                                        Yara matches:
                                                                                                                                        • Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000002.2108992608.000000C00080E000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                                                                                                                        • Rule: JoeSecurity_GoInjector_2, Description: Yara detected Go Injector, Source: 00000000.00000000.1685275237.00007FF730241000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                                        • Rule: JoeSecurity_GoInjector_2, Description: Yara detected Go Injector, Source: 00000000.00000002.2111216784.00007FF730241000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                                        Reputation:low
                                                                                                                                        Has exited:true

                                                                                                                                        General

                                                                                                                                        Target ID:4
                                                                                                                                        Start time:08:57:52
                                                                                                                                        Start date:02/10/2024
                                                                                                                                        Path:C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                        Commandline:C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                                                                                                                        Imagebase:0x860000
                                                                                                                                        File size:231'736 bytes
                                                                                                                                        MD5 hash:A64BEAB5D4516BECA4C40B25DC0C1CD8
                                                                                                                                        Has elevated privileges:true
                                                                                                                                        Has administrator privileges:true
                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                        Reputation:moderate
                                                                                                                                        Has exited:true

                                                                                                                                        Disassembly

                                                                                                                                        Reset < >

                                                                                                                                          Execution Graph

                                                                                                                                          Execution Coverage:1.1%
                                                                                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                                                                                          Signature Coverage:40%
                                                                                                                                          Total number of Nodes:45
                                                                                                                                          Total number of Limit Nodes:6
                                                                                                                                          execution_graph 19042 2dbeb0b 19044 2dbeb15 19042->19044 19043 2dbec0e 19044->19043 19046 2dbe4e0 LdrInitializeThunk 19044->19046 19046->19043 19047 2d907ba 19050 2d90455 19047->19050 19051 2d903a7 19047->19051 19050->19047 19050->19051 19052 2dbe3f0 19050->19052 19061 2dbbab0 19050->19061 19051->19051 19053 2dbe41a RtlReAllocateHeap 19052->19053 19054 2dbe4a3 19052->19054 19055 2dbe40c 19052->19055 19059 2dbe4af 19052->19059 19060 2dbe498 19052->19060 19053->19060 19057 2dbbab0 RtlFreeHeap 19054->19057 19055->19053 19055->19054 19055->19059 19055->19060 19057->19059 19058 2dbbab0 RtlFreeHeap 19058->19060 19059->19058 19060->19050 19062 2dbbac8 19061->19062 19063 2dbbbb5 RtlFreeHeap 19061->19063 19062->19050 19063->19062 19069 2d8ec6f 19074 2d8f960 19069->19074 19072 2d8f960 2 API calls 19073 2d8ec88 19072->19073 19077 2d8f9f0 19074->19077 19075 2dbe3f0 2 API calls 19075->19077 19076 2d8ec77 19076->19072 19077->19075 19077->19076 19077->19077 19078 2d8d1f0 19079 2d8d1f9 19078->19079 19080 2d8d46e ExitProcess 19079->19080 19081 2d8d201 GetInputState 19079->19081 19082 2d8d20e 19081->19082 19083 2d8d469 19082->19083 19084 2d8d216 GetCurrentThreadId GetCurrentProcessId 19082->19084 19091 2dbe3d0 19083->19091 19086 2d8d24d 19084->19086 19086->19083 19090 2d91310 CoInitialize 19086->19090 19094 2dbf8a0 19091->19094 19093 2dbe3d5 FreeLibrary 19093->19080 19095 2dbf8a9 19094->19095 19095->19093 19096 2dbba92 RtlAllocateHeap 19097 2dbee12 19098 2dbee2e 19097->19098 19100 2dbf056 19098->19100 19104 2dbe4e0 LdrInitializeThunk 19098->19104 19103 2dbe4e0 LdrInitializeThunk 19100->19103 19102 2dbf065 19103->19102 19104->19098

                                                                                                                                          Executed Functions

                                                                                                                                          Function 02D900A0 Relevance: 12.9, Strings: 10, Instructions: 355COMMON
                                                                                                                                          Download Yara Rule

                                                                                                                                          Control-flow Graph

                                                                                                                                          • Executed
                                                                                                                                          • Not Executed
                                                                                                                                          control_flow_graph 0 2d900a0-2d9030c 1 2d9035a-2d90374 0->1 2 2d9030e-2d9030f 0->2 4 2d90377-2d9037e 1->4 3 2d90310-2d90358 2->3 3->1 3->3 5 2d903b9-2d903e0 4->5 6 2d90385-2d9038e 4->6 7 2d9042b-2d90448 5->7 8 2d903e2 5->8 6->5 11 2d9078b-2d907a3 7->11 12 2d907ed-2d9080f 7->12 13 2d9044f 7->13 9 2d903f0-2d90429 8->9 9->7 9->9 16 2d9046e 11->16 22 2d907d9 11->22 23 2d907e0-2d907e7 11->23 24 2d90480-2d90485 11->24 25 2d90490-2d90773 11->25 26 2d90474 11->26 14 2d90811 12->14 15 2d90862-2d90894 12->15 13->16 17 2d90820-2d90860 14->17 18 2d908e6-2d9091e 15->18 19 2d90896 15->19 17->15 17->17 30 2d90920-2d90960 18->30 31 2d90962-2d90994 18->31 21 2d908a0-2d908e4 19->21 21->18 21->21 22->23 23->12 24->25 25->11 26->24 30->30 30->31 33 2d909e6-2d909f9 31->33 34 2d90996 31->34 36 2d909fc 33->36 35 2d909a0-2d909e4 34->35 35->33 35->35 36->36
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: +w#u$-g.e$-{(y$W{$a#B!$c;j9$j?n=$vA$|/s-$$&!
                                                                                                                                          • API String ID: 0-3312696060
                                                                                                                                          • Opcode ID: 5104a3ae996edee0b4129e7a1376ba17967b2f4f85549dda70ad093e6264be45
                                                                                                                                          • Instruction ID: 2ef05361e83f4bfb17d176e29463a12dd22bb818a9df9ea8766a1783fdd87d74
                                                                                                                                          • Opcode Fuzzy Hash: 5104a3ae996edee0b4129e7a1376ba17967b2f4f85549dda70ad093e6264be45
                                                                                                                                          • Instruction Fuzzy Hash: 40E13EB460C3828BE328DF14D590B6FBBF2ABD5700F248A1CE6C90B344D7719805CB96
                                                                                                                                          Function 02D8D1F0 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 193threadCOMMON
                                                                                                                                          Download Yara Rule

                                                                                                                                          Control-flow Graph

                                                                                                                                          • Executed
                                                                                                                                          • Not Executed
                                                                                                                                          control_flow_graph 37 2d8d1f0-2d8d1fb call 2dbd7e0 40 2d8d46e-2d8d470 ExitProcess 37->40 41 2d8d201-2d8d210 GetInputState call 2db5250 37->41 44 2d8d469 call 2dbe3d0 41->44 45 2d8d216-2d8d24b GetCurrentThreadId GetCurrentProcessId 41->45 44->40 46 2d8d289-2d8d2ab 45->46 47 2d8d24d-2d8d24f 45->47 50 2d8d2ad-2d8d2af 46->50 51 2d8d2f6-2d8d2f8 46->51 49 2d8d250-2d8d287 47->49 49->46 49->49 52 2d8d2b0-2d8d2f4 50->52 53 2d8d2fe-2d8d31f 51->53 54 2d8d3ef-2d8d40c 51->54 52->51 52->52 55 2d8d321 53->55 56 2d8d373-2d8d395 53->56 57 2d8d40e-2d8d40f 54->57 58 2d8d456 call 2d8e4d0 54->58 61 2d8d330-2d8d371 55->61 56->54 62 2d8d397 56->62 59 2d8d410-2d8d454 57->59 63 2d8d45b-2d8d45d 58->63 59->58 59->59 61->56 61->61 64 2d8d3a0-2d8d3ed 62->64 63->44 65 2d8d45f-2d8d464 call 2d91310 call 2d90090 63->65 64->54 64->64 65->44
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: CurrentProcess$ExitInputStateThread
                                                                                                                                          • String ID: IHON$MLCB
                                                                                                                                          • API String ID: 1029096631-2389202908
                                                                                                                                          • Opcode ID: f92aa6fce77104fc3c6ff43867925d966c8b0ab2ffc36324dbf98de3bdb0f4d7
                                                                                                                                          • Instruction ID: 9f1dd646da10798c72c3e0f2a5f850059c3266a9a5bbc8d8c226b8639729b5a4
                                                                                                                                          • Opcode Fuzzy Hash: f92aa6fce77104fc3c6ff43867925d966c8b0ab2ffc36324dbf98de3bdb0f4d7
                                                                                                                                          • Instruction Fuzzy Hash: 756145B561C2419BD305EF28D490A1EBBE2EFA9704F28892CE0C9C7391D73ADC51CB56
                                                                                                                                          Function 02D8F960 Relevance: 7.0, Strings: 5, Instructions: 732COMMON
                                                                                                                                          Download Yara Rule

                                                                                                                                          Control-flow Graph

                                                                                                                                          • Executed
                                                                                                                                          • Not Executed
                                                                                                                                          control_flow_graph 69 2d8f960-2d8f9e8 70 2d8f9f0-2d8f9f9 69->70 70->70 71 2d8f9fb-2d8fa0e 70->71 73 2d8fa1c-2d8fc56 71->73 74 2d8fa15-2d8fa17 71->74 76 2d8fc58 73->76 77 2d8fcb1-2d8fcd3 73->77 75 2d9004f-2d90056 74->75 78 2d8fc60-2d8fcaf 76->78 80 2d8ff98-2d8ffc2 77->80 81 2d9003b-2d9004c 77->81 82 2d8fcda 77->82 83 2d9007b-2d90082 77->83 84 2d9005e-2d90065 77->84 85 2d8fe11-2d8fe22 77->85 86 2d8fe31-2d8fe45 77->86 87 2d90013-2d9001c 77->87 88 2d8fff3-2d9000c call 2dbe3f0 77->88 89 2d8fdf4-2d8fe0a 77->89 90 2d90074 77->90 91 2d90057 77->91 92 2d90029-2d9002e 77->92 93 2d8ff68-2d8ff7c 77->93 94 2d8fe29-2d8fe2f 77->94 95 2d8ffc9 77->95 96 2d9006b 77->96 97 2d8ff2e-2d8ff34 77->97 98 2d8fd60-2d8fdee call 2d8c950 77->98 99 2d8ff41-2d8ff61 77->99 100 2d90023-2d90026 77->100 101 2d8fce3-2d8fd55 call 2d8c950 77->101 102 2d8ff83-2d8ff96 77->102 78->77 78->78 80->81 80->83 80->84 80->90 80->91 80->95 80->96 80->100 107 2d90385-2d9038e 80->107 81->75 82->101 83->107 84->96 85->80 85->81 85->83 85->84 85->86 85->87 85->88 85->90 85->91 85->92 85->93 85->94 85->95 85->96 85->97 85->99 85->100 85->102 109 2d8fea5-2d8fea8 86->109 110 2d8fe47 86->110 87->81 87->83 87->84 87->90 87->91 87->95 87->96 87->100 106 2d903b9-2d903e0 87->106 87->107 88->80 88->81 88->83 88->84 88->87 88->90 88->91 88->95 88->96 88->100 88->106 88->107 89->80 89->81 89->83 89->84 89->85 89->86 89->87 89->88 89->90 89->91 89->92 89->93 89->94 89->95 89->96 89->97 89->99 89->100 89->102 90->83 91->84 114 2d90035 92->114 93->80 93->81 93->83 93->84 93->87 93->88 93->90 93->91 93->92 93->95 93->96 93->100 93->102 108 2d8feaa-2d8fece 94->108 103 2d8ffcb-2d8ffcf 95->103 96->90 97->99 98->89 99->80 99->81 99->83 99->84 99->87 99->88 99->90 99->91 99->92 99->93 99->95 99->96 99->100 99->102 100->92 101->98 102->103 126 2d8ffd8-2d8ffec 103->126 120 2d9042b-2d90448 106->120 121 2d903e2 106->121 107->106 116 2d8ff0f-2d8ff27 108->116 117 2d8fed0-2d8ff0d 108->117 109->108 115 2d8fe50-2d8fea3 110->115 114->81 115->109 115->115 116->80 116->81 116->83 116->84 116->87 116->88 116->90 116->91 116->92 116->93 116->95 116->96 116->97 116->99 116->100 116->102 117->116 117->117 132 2d9078b-2d907a3 120->132 133 2d907ed-2d9080f 120->133 134 2d9044f 120->134 127 2d903f0-2d90429 121->127 126->80 126->81 126->83 126->84 126->87 126->88 126->90 126->91 126->95 126->96 126->100 126->106 126->107 127->120 127->127 137 2d9046e 132->137 142 2d907d9 132->142 143 2d907e0-2d907e7 132->143 144 2d90480-2d90485 132->144 145 2d90490-2d90773 132->145 146 2d90474 132->146 135 2d90811 133->135 136 2d90862-2d90894 133->136 134->137 139 2d90820-2d90860 135->139 140 2d908e6-2d9091e 136->140 141 2d90896 136->141 139->136 139->139 151 2d90920-2d90960 140->151 152 2d90962-2d90994 140->152 147 2d908a0-2d908e4 141->147 142->143 143->133 144->145 145->132 146->144 147->140 147->147 151->151 151->152 154 2d909e6-2d909f9 152->154 155 2d90996 152->155 157 2d909fc 154->157 156 2d909a0-2d909e4 155->156 156->154 156->156 157->157
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: $#$5{1y$:2$;$$&!
                                                                                                                                          • API String ID: 0-3781735934
                                                                                                                                          • Opcode ID: e531a4019da60bda14134a87ad835054d78a82053b2c8cdd019ae1d77464e973
                                                                                                                                          • Instruction ID: 0d27b0f773523d35ffe70b3047a1d56341cdcdb0e885cfd6875c631e5383858c
                                                                                                                                          • Opcode Fuzzy Hash: e531a4019da60bda14134a87ad835054d78a82053b2c8cdd019ae1d77464e973
                                                                                                                                          • Instruction Fuzzy Hash: 6E5255B5604B028FD324CF25C490B5BBBF2FB85714F248A1CE5AA8BB94D774A815CF81
                                                                                                                                          Function 02DBE4E0 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON
                                                                                                                                          Download Yara Rule

                                                                                                                                          Control-flow Graph

                                                                                                                                          • Executed
                                                                                                                                          • Not Executed
                                                                                                                                          control_flow_graph 234 2dbe4e0-2dbe512 LdrInitializeThunk
                                                                                                                                          APIs
                                                                                                                                          • LdrInitializeThunk.NTDLL(02D92619,?,00000001,?), ref: 02DBE50E
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: InitializeThunk
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 2994545307-0
                                                                                                                                          • Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
                                                                                                                                          • Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
                                                                                                                                          • Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
                                                                                                                                          • Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82
                                                                                                                                          Function 02D907BA Relevance: .3, Instructions: 279COMMON
                                                                                                                                          Download Yara Rule

                                                                                                                                          Control-flow Graph

                                                                                                                                          • Executed
                                                                                                                                          • Not Executed
                                                                                                                                          control_flow_graph 300 2d907ba-2d907c1 301 2d90558-2d90561 300->301 302 2d906dd-2d906ff 300->302 303 2d906b0-2d906bf 300->303 304 2d904b0-2d904df 300->304 305 2d90495-2d904a7 300->305 306 2d90455-2d90467 300->306 307 2d90696-2d906a5 300->307 308 2d907c8-2d907cc 300->308 309 2d90568-2d905d6 300->309 310 2d9074b-2d90765 300->310 311 2d9072a-2d90744 300->311 312 2d9076c-2d90773 300->312 313 2d9052f-2d9053a 300->313 314 2d9050e-2d90528 call 2dbe3f0 300->314 315 2d90700-2d9071a 300->315 316 2d906c5-2d906d0 300->316 317 2d904e6 300->317 301->302 301->303 301->304 301->305 301->306 301->307 301->309 301->310 301->311 301->312 301->313 301->314 301->315 301->316 301->317 302->315 303->316 304->306 304->317 330 2d904e8-2d90507 305->330 322 2d907d9 306->322 323 2d9078b-2d907a3 306->323 324 2d907aa-2d907b1 306->324 325 2d9046e 306->325 326 2d90490 306->326 327 2d90480-2d90485 306->327 328 2d907e0-2d9080f 306->328 329 2d90474 306->329 307->303 308->322 320 2d905d8 309->320 321 2d90623-2d9062f 309->321 310->304 310->305 310->306 310->312 310->313 310->314 310->317 311->304 311->305 311->306 311->310 311->312 311->313 311->314 311->317 312->323 313->306 313->317 319 2d90541-2d90551 call 2dbbab0 313->319 314->304 314->306 314->313 314->317 332 2d90724 315->332 316->302 317->330 319->301 345 2d903a9-2d903b8 319->345 346 2d903a7 319->346 336 2d905e0-2d90621 320->336 338 2d90651-2d90660 321->338 339 2d90631-2d90635 321->339 322->328 323->322 323->325 323->326 323->327 323->328 323->329 324->300 324->319 337 2d9077d-2d90784 324->337 326->312 327->326 356 2d90811 328->356 357 2d90862-2d90894 328->357 329->327 330->304 330->306 330->313 330->314 330->317 332->311 336->321 336->336 337->323 337->345 337->346 349 2d90662-2d90664 338->349 350 2d90685-2d9068a 338->350 347 2d90640-2d9064f 339->347 346->345 347->338 347->347 353 2d90670-2d90681 349->353 350->307 353->353 354 2d90683 353->354 354->350 358 2d90820-2d90860 356->358 359 2d908e6-2d9091e 357->359 360 2d90896 357->360 358->357 358->358 363 2d90920-2d90960 359->363 364 2d90962-2d90994 359->364 361 2d908a0-2d908e4 360->361 361->359 361->361 363->363 363->364 365 2d909e6-2d909f9 364->365 366 2d90996 364->366 368 2d909fc 365->368 367 2d909a0-2d909e4 366->367 367->365 367->367 368->368
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 8d0aa4c74aa8be4971246c9c64a766133e8a50a933820dc33610fe3f77428bfc
                                                                                                                                          • Instruction ID: d2f8dddef48f23c8acfea0fd58943cd7ef071337d3a35938888ef91c3fb05695
                                                                                                                                          • Opcode Fuzzy Hash: 8d0aa4c74aa8be4971246c9c64a766133e8a50a933820dc33610fe3f77428bfc
                                                                                                                                          • Instruction Fuzzy Hash: 749176B1948302EFE7108FA4E89072AB7E8FB89715F245D6CEA8986340D735DC61CF52
                                                                                                                                          Function 02DBF0CD Relevance: .1, Instructions: 81COMMON
                                                                                                                                          Download Yara Rule

                                                                                                                                          Control-flow Graph

                                                                                                                                          • Executed
                                                                                                                                          • Not Executed
                                                                                                                                          control_flow_graph 369 2dbf0cd-2dbf0fa 370 2dbf0fc-2dbf0ff 369->370 371 2dbf140-2dbf147 369->371 372 2dbf100-2dbf13e 370->372 373 2dbf149-2dbf155 371->373 374 2dbf194-2dbf1aa 371->374 372->371 372->372 376 2dbf160-2dbf167 373->376 377 2dbf169-2dbf16c 376->377 378 2dbf170-2dbf176 376->378 377->376 379 2dbf16e 377->379 378->374 380 2dbf178-2dbf18c call 2dbe4e0 378->380 379->374 382 2dbf191 380->382 382->374
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 9b9f71a1a13b83017f6f10da384488197e30091f2d9dab209f66f5abd2a422e0
                                                                                                                                          • Instruction ID: ab672d9e27a8fc2e3d916c848ed86aae7ff212ea1ee4054ee406299f32a4d7aa
                                                                                                                                          • Opcode Fuzzy Hash: 9b9f71a1a13b83017f6f10da384488197e30091f2d9dab209f66f5abd2a422e0
                                                                                                                                          • Instruction Fuzzy Hash: 0C2177746482428FD71ADF18C8A0A6AB7E6EF95348F148E1CE1C28B381E735E815CB52
                                                                                                                                          Function 02DBBAB0 Relevance: 1.6, APIs: 1, Instructions: 100memoryCOMMON
                                                                                                                                          Download Yara Rule

                                                                                                                                          Control-flow Graph

                                                                                                                                          • Executed
                                                                                                                                          • Not Executed
                                                                                                                                          control_flow_graph 204 2dbbab0-2dbbac1 205 2dbbbc8-2dbbbce 204->205 206 2dbbac8 204->206 207 2dbbb46-2dbbb53 204->207 208 2dbbad6-2dbbae3 204->208 209 2dbbbb5-2dbbbc2 RtlFreeHeap 204->209 206->208 207->208 210 2dbbb55 207->210 211 2dbbb40 208->211 212 2dbbae5 208->212 209->205 213 2dbbb60-2dbbbae 210->213 211->207 214 2dbbaf0-2dbbb3e 212->214 213->213 215 2dbbbb0 213->215 214->211 214->214 215->208
                                                                                                                                          APIs
                                                                                                                                          • RtlFreeHeap.NTDLL(?,00000000,?), ref: 02DBBBC2
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: FreeHeap
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 3298025750-0
                                                                                                                                          • Opcode ID: 48c207c7a1e12b625f66bb5f429d6e07d2d5d237e71681357a6c81b2e2cc5d50
                                                                                                                                          • Instruction ID: eeca0c5921c269cad0a2775d5c2c8394c8e9c4c7626530fe3998ec881785a5ef
                                                                                                                                          • Opcode Fuzzy Hash: 48c207c7a1e12b625f66bb5f429d6e07d2d5d237e71681357a6c81b2e2cc5d50
                                                                                                                                          • Instruction Fuzzy Hash: 65318F7560C281CBC709DF18D4A096EF7A2EFD5709F258A2DD6C6473A5CB319C22CB46
                                                                                                                                          Function 02DBE3F0 Relevance: 1.6, APIs: 1, Instructions: 75memoryCOMMON
                                                                                                                                          Download Yara Rule

                                                                                                                                          Control-flow Graph

                                                                                                                                          • Executed
                                                                                                                                          • Not Executed
                                                                                                                                          control_flow_graph 216 2dbe3f0-2dbe405 217 2dbe41a-2dbe434 216->217 218 2dbe4a9-2dbe4af call 2dbbab0 216->218 219 2dbe498-2dbe4a1 call 2dbba10 216->219 220 2dbe40c-2dbe413 216->220 221 2dbe4a3 216->221 222 2dbe4b2-2dbe4b8 call 2dbbab0 216->222 223 2dbe4c1 216->223 224 2dbe482-2dbe496 RtlReAllocateHeap 217->224 225 2dbe436 217->225 218->222 226 2dbe4c3-2dbe4c9 219->226 220->217 220->218 220->221 220->222 220->223 221->218 222->223 223->226 224->226 230 2dbe440-2dbe480 225->230 230->224 230->230
                                                                                                                                          APIs
                                                                                                                                          • RtlReAllocateHeap.NTDLL(?,00000000,?,?), ref: 02DBE490
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: AllocateHeap
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 1279760036-0
                                                                                                                                          • Opcode ID: 463cf23422cec6e5a74d4e5306245a2cbeef62552eb89aeec40c6c7bb59f5a49
                                                                                                                                          • Instruction ID: b0904c4aeb2848b3ac498d91a73c61d51ebb19eed83516113f1d71d6b9c7c577
                                                                                                                                          • Opcode Fuzzy Hash: 463cf23422cec6e5a74d4e5306245a2cbeef62552eb89aeec40c6c7bb59f5a49
                                                                                                                                          • Instruction Fuzzy Hash: 8F21F371A0D201CBD309AB24D9B196BBBE1EF8A308F55896ED5C753340D631DC21CB93
                                                                                                                                          Function 02DBBA92 Relevance: 1.5, APIs: 1, Instructions: 7memoryCOMMON
                                                                                                                                          Download Yara Rule

                                                                                                                                          Control-flow Graph

                                                                                                                                          • Executed
                                                                                                                                          • Not Executed
                                                                                                                                          control_flow_graph 235 2dbba92-2dbbaa2 RtlAllocateHeap
                                                                                                                                          APIs
                                                                                                                                          • RtlAllocateHeap.NTDLL(?,00000000), ref: 02DBBA98
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: AllocateHeap
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 1279760036-0
                                                                                                                                          • Opcode ID: 65075ef127520776f8ab7944d9ebd55e432129c4a018de4704164eabbd807e97
                                                                                                                                          • Instruction ID: f2afdb637fe3754c0028ac4864800909b3cb301408771ea813ef5dd1edaec055
                                                                                                                                          • Opcode Fuzzy Hash: 65075ef127520776f8ab7944d9ebd55e432129c4a018de4704164eabbd807e97
                                                                                                                                          • Instruction Fuzzy Hash: 31B012704400005BEA002B08BC05B603715EB00205FA00480F404881D2C1524CB39588

                                                                                                                                          Non-executed Functions

                                                                                                                                          Function 02D9B35A Relevance: 39.1, Strings: 30, Instructions: 1552COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: InitializeThunk
                                                                                                                                          • String ID: '&%$&GyY$($(/.-$("C$,321$0765$3K>M$4;:9$8?>=$<=>?$DKJI$G3F5$LMNg$LSRQ$MNOP$N5S3$O7JI$TX$Y^YX$_YPh$`abc$d9K7$dkji$h {$honm$pqrs$pwvu$tuv?$z
                                                                                                                                          • API String ID: 2994545307-1963214830
                                                                                                                                          • Opcode ID: 8d33842faf55ef8f867df75a8954ac2d86efaa94fda5230ec0a1931720f8f4f6
                                                                                                                                          • Instruction ID: d702b0a279bb758dc055c6fd05b8ea89a816029bb49b2db111a14f8f9a111af2
                                                                                                                                          • Opcode Fuzzy Hash: 8d33842faf55ef8f867df75a8954ac2d86efaa94fda5230ec0a1931720f8f4f6
                                                                                                                                          • Instruction Fuzzy Hash: 81D288B55083828BDB34DF18D880BABBBE2EFC5348F15492DE5998B351DB369841CB52
                                                                                                                                          Function 02DAC500 Relevance: 27.7, APIs: 2, Strings: 12, Instructions: 3237COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: ;/*$$8r,$(>to$K^\N$MNOP$Qbio$Z(:$]jbg$eeOt$iJIQ$nLv($wq
                                                                                                                                          • API String ID: 0-1296844701
                                                                                                                                          • Opcode ID: 0c582d0713ee97689aa13eb2b58245670045cdca37cf892d77b75686746070b3
                                                                                                                                          • Instruction ID: b0167d1b9ef9adb7ba74bcf05786fff43e0f670b15b4cf2948e538534d1991f5
                                                                                                                                          • Opcode Fuzzy Hash: 0c582d0713ee97689aa13eb2b58245670045cdca37cf892d77b75686746070b3
                                                                                                                                          • Instruction Fuzzy Hash: 9C437B74505B418BE325CF39C4A0BA7BBE2BF5A305F18896DD4EB87786C735A805CB50
                                                                                                                                          Function 02DB2C80 Relevance: 22.8, APIs: 6, Strings: 7, Instructions: 96clipboardCOMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
                                                                                                                                          • String ID: H$I$V$Y$[$\$^
                                                                                                                                          • API String ID: 2832541153-913593125
                                                                                                                                          • Opcode ID: f44ecaa0e023e3ffcb2b5264af4bcfcf56aafa564afa170f2203137a4c92e136
                                                                                                                                          • Instruction ID: f968b2454469f5df2546eb744a098bf44d7ef28e504c11a122723c1368666ed4
                                                                                                                                          • Opcode Fuzzy Hash: f44ecaa0e023e3ffcb2b5264af4bcfcf56aafa564afa170f2203137a4c92e136
                                                                                                                                          • Instruction Fuzzy Hash: 4341497150C3828ED301EF78945835FBFE0AB91314F444D6DE8E986382D7B99958CBA3
                                                                                                                                          Function 02D91BDF Relevance: 21.7, APIs: 1, Strings: 13, Instructions: 663COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Uninitialize
                                                                                                                                          • String ID: !$+2-k$4`[b$D$ITFT$KPC<$LmEs$PqEw$X$_ZJ~$f$t}rc$vQeW
                                                                                                                                          • API String ID: 3861434553-3946415263
                                                                                                                                          • Opcode ID: 8178a2422542f34d01a227d19a0c10721ef80cfcdb76a94007ec4193e29813da
                                                                                                                                          • Instruction ID: 64b75ab5a0f388c6e0cc66133734c68bd5b0e76b2b521456f8120cf4e0bf53c3
                                                                                                                                          • Opcode Fuzzy Hash: 8178a2422542f34d01a227d19a0c10721ef80cfcdb76a94007ec4193e29813da
                                                                                                                                          • Instruction Fuzzy Hash: A14279B01093819BD728DF15D4A4B6BBBE2EFCA708F144A5CE4CA1B391C7749905CF96
                                                                                                                                          Function 02DA7FB0 Relevance: 20.8, Strings: 16, Instructions: 755COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: )I'K$/"7!$0E#G$4`[b$5*#7$9240$J=[?$LM$MNOP$Y9V;$b1w3$e!~#$h5`7$n)~+$w%i'${-o/
                                                                                                                                          • API String ID: 0-3209693757
                                                                                                                                          • Opcode ID: d74d45964df8e0bb36f13b2c3aabd4f928a1fbb18d8982d0399275ed06c69060
                                                                                                                                          • Instruction ID: 55b672d314c2495dc9e22c73550b2d78fdfd35e72e42d80b5d78a9308ba4b798
                                                                                                                                          • Opcode Fuzzy Hash: d74d45964df8e0bb36f13b2c3aabd4f928a1fbb18d8982d0399275ed06c69060
                                                                                                                                          • Instruction Fuzzy Hash: 9742E0B1904386CFDB14DF68D8A0AAEBBB2FB85304F144869E485A7381D734DD55CFA2
                                                                                                                                          Function 02DA7750 Relevance: 20.7, Strings: 16, Instructions: 719COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: )I'K$/"7!$0E#G$4`[b$5*#7$9240$J=[?$LM$MNOP$Y9V;$b1w3$e!~#$h5`7$n)~+$w%i'${-o/
                                                                                                                                          • API String ID: 0-3209693757
                                                                                                                                          • Opcode ID: 419d607dd5ac9c24ae7733db83991db32408bb708419a4ddee4b72171d7ae5f3
                                                                                                                                          • Instruction ID: 9d746e91e75e74e206b314683d09fa577f16fa35a60d072ce7c5e9049b914512
                                                                                                                                          • Opcode Fuzzy Hash: 419d607dd5ac9c24ae7733db83991db32408bb708419a4ddee4b72171d7ae5f3
                                                                                                                                          • Instruction Fuzzy Hash: 4642D0B1904286CFDB14DF68D4A0AAEBBB2FB85304F14486DE485A7381D734DD55CFA2
                                                                                                                                          Function 02DA7A67 Relevance: 20.7, Strings: 16, Instructions: 681COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: )I'K$/"7!$0E#G$4`[b$5*#7$9240$J=[?$LM$MNOP$Y9V;$b1w3$e!~#$h5`7$n)~+$w%i'${-o/
                                                                                                                                          • API String ID: 0-3209693757
                                                                                                                                          • Opcode ID: 5ee237629085373bcc1ef8920a000410bae7cbb848f8101ced3dd0e33fde3608
                                                                                                                                          • Instruction ID: e3ce7cc103a0c6faee6b087adcaae24fa6f552905bfe056ec3e72a6098d2e9a8
                                                                                                                                          • Opcode Fuzzy Hash: 5ee237629085373bcc1ef8920a000410bae7cbb848f8101ced3dd0e33fde3608
                                                                                                                                          • Instruction Fuzzy Hash: F532AEB1908296CFEB14CF68D4A0AAEB7B2EF85304F14886DE4859B381D734DD55CF62
                                                                                                                                          Function 02D9FCFB Relevance: 20.4, Strings: 16, Instructions: 374COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: A$D$D$E$E$H$Q$U$V$Y$[$\$]$r$u$w
                                                                                                                                          • API String ID: 0-375660955
                                                                                                                                          • Opcode ID: 6ed15edbfc312857bec0d078c20d980f751ff1e5d3ad9c638d3fcb6788986167
                                                                                                                                          • Instruction ID: c327138925bff408602bac48293a2bf633766414398bd93abb6ac96c8f8e02ba
                                                                                                                                          • Opcode Fuzzy Hash: 6ed15edbfc312857bec0d078c20d980f751ff1e5d3ad9c638d3fcb6788986167
                                                                                                                                          • Instruction Fuzzy Hash: 8312E761508BC28ED3268F3C8888746FF916B27224F088BD9E4E94F7D7C265D595C7A2
                                                                                                                                          Function 02DA4B80 Relevance: 15.7, Strings: 12, Instructions: 699COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: "0$'0$11$4:$=?$>3$@A$X\$}z$=?$UW$Y[
                                                                                                                                          • API String ID: 0-260730608
                                                                                                                                          • Opcode ID: e802b75904a56f58657d5b2ca3ec2d0d648873bb97e81d1c19bc840eca83716d
                                                                                                                                          • Instruction ID: cc9f4d0f0d7d2952b93bf68d6c3b7c4f387651783dad8f0e9c00501bd1a5b7ae
                                                                                                                                          • Opcode Fuzzy Hash: e802b75904a56f58657d5b2ca3ec2d0d648873bb97e81d1c19bc840eca83716d
                                                                                                                                          • Instruction Fuzzy Hash: C472FAB464C385CAE374CF15D894B9EBBE1FB85304F608A2DE5E99B241CB748485CF92
                                                                                                                                          Function 02D91353 Relevance: 14.6, APIs: 1, Strings: 7, Instructions: 572COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          APIs
                                                                                                                                          • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 02D91814
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: DirectorySystem
                                                                                                                                          • String ID: `a$bpwv$btw~$ojz.$ojz.$us$yw
                                                                                                                                          • API String ID: 2188284642-4243563423
                                                                                                                                          • Opcode ID: 3212587a1717708c62cf3422e0616dae908aeca955d3bcaa1f86a074bd59e7ac
                                                                                                                                          • Instruction ID: 35f73c5371e9e4ba62e9dc0bec6b35832078c72eb27ad57933ea66188cd9b025
                                                                                                                                          • Opcode Fuzzy Hash: 3212587a1717708c62cf3422e0616dae908aeca955d3bcaa1f86a074bd59e7ac
                                                                                                                                          • Instruction Fuzzy Hash: BF12A9B550A3819BE730CF25D984B9BBBE2EF8A308F180A6CE4CD57341D7358905CB92
                                                                                                                                          Function 02DA4D50 Relevance: 14.4, Strings: 11, Instructions: 648COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: "0$'0$11$4:$=?$>3$@A$}z$=?$UW$Y[
                                                                                                                                          • API String ID: 0-2885154292
                                                                                                                                          • Opcode ID: d032ab893732c58456bdf5ce0d93c1712c8823ce0e49cbb4b1dee75473efb0b5
                                                                                                                                          • Instruction ID: e757a4460caacd7bcb465ab1cac7468e4bb0257070c181917b6fa8ec5bcda1cc
                                                                                                                                          • Opcode Fuzzy Hash: d032ab893732c58456bdf5ce0d93c1712c8823ce0e49cbb4b1dee75473efb0b5
                                                                                                                                          • Instruction Fuzzy Hash: 0572FAB464C381CAE374CF25D894B9EBBE1FB85344F608A2DD5D99B245CB708485CF92
                                                                                                                                          Function 02DB80A7 Relevance: 12.4, APIs: 8, Instructions: 446memoryCOMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          APIs
                                                                                                                                          • SysAllocString.OLEAUT32(?), ref: 02DB8101
                                                                                                                                          • SysAllocString.OLEAUT32(?), ref: 02DB81B9
                                                                                                                                          • VariantInit.OLEAUT32(?), ref: 02DB8222
                                                                                                                                          • SysStringLen.OLEAUT32(6BFE6909), ref: 02DB82E6
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: String$Alloc$InitVariant
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 3520221836-0
                                                                                                                                          • Opcode ID: 90d807b8518cc721a9ac57011f0acecadb95a60c45b9a76e116d4529ba101bf6
                                                                                                                                          • Instruction ID: 5cbc58292693f08481e0bea26e090016add3a3e9acabf4e2bba6250d015973b9
                                                                                                                                          • Opcode Fuzzy Hash: 90d807b8518cc721a9ac57011f0acecadb95a60c45b9a76e116d4529ba101bf6
                                                                                                                                          • Instruction Fuzzy Hash: 7CF1AA75604A02CFD725CF28D891B66BBF6FF89301F28896CD5868B791D735E851CB80
                                                                                                                                          Function 02D9A623 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 381comCOMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          APIs
                                                                                                                                          • CoCreateInstance.OLE32(02DC4AF0,00000000,00000004,02DC4AE0,00000000), ref: 02D9A8AA
                                                                                                                                          • CoSetProxyBlanket.OLE32(?,000000FF,000000FF,000000FF,00000006,00000003,00000000,00000040), ref: 02D9A8D5
                                                                                                                                          • SysFreeString.OLEAUT32(?), ref: 02D9AB22
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: BlanketCreateFreeInstanceProxyString
                                                                                                                                          • String ID: ?]1$<$<KJM
                                                                                                                                          • API String ID: 2425965127-1263746203
                                                                                                                                          • Opcode ID: 26d4abaa7a485d6cffff63a09b1518d114d548ad9ce699ceabd7ca1965dde6e8
                                                                                                                                          • Instruction ID: edb0a9a6f3cb3882baf9c2d15732b3852fd30656fdecf918da2e4cb67ae8a78d
                                                                                                                                          • Opcode Fuzzy Hash: 26d4abaa7a485d6cffff63a09b1518d114d548ad9ce699ceabd7ca1965dde6e8
                                                                                                                                          • Instruction Fuzzy Hash: D7D1D1B25083428FCB24CF18C491BABB7F1EF85314F15496DE59A8B391D735AC45CB92
                                                                                                                                          Function 02D81000 Relevance: 10.6, Strings: 7, Instructions: 1821COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$@$gfff$gfff$gfff
                                                                                                                                          • API String ID: 0-2517803157
                                                                                                                                          • Opcode ID: aa8b68ac70380eab4856fb6f9e8c59af3684f7b6419931ae1004681250c749d2
                                                                                                                                          • Instruction ID: fd4c580ffaf9a99224210d2600328700f66158b8ebb42eba1fb6ae91de3fc8e9
                                                                                                                                          • Opcode Fuzzy Hash: aa8b68ac70380eab4856fb6f9e8c59af3684f7b6419931ae1004681250c749d2
                                                                                                                                          • Instruction Fuzzy Hash: 90D21571A083918FC714DF28C48476ABBE2AFC9714F188A6DE8D997391D334DD49CB92
                                                                                                                                          Function 02D90A10 Relevance: 8.0, Strings: 6, Instructions: 489COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: @qRs$Du@w$QaSc$UmXo$Xi\k$\_
                                                                                                                                          • API String ID: 0-2210773361
                                                                                                                                          • Opcode ID: b071c1bf7ee0c95ea2b5ed7bd7505b50645d4d8f8c0f35fb4549836b05f5c8c9
                                                                                                                                          • Instruction ID: 727477f4c5ef6dc71ca350e0f4a131d1b12211ccff1e71b89b6e2ed3c0904973
                                                                                                                                          • Opcode Fuzzy Hash: b071c1bf7ee0c95ea2b5ed7bd7505b50645d4d8f8c0f35fb4549836b05f5c8c9
                                                                                                                                          • Instruction Fuzzy Hash: DA0243B42183829BE328DF15D890B6BBBF5FB85700F248A1DE6C98B350C7359815CB56
                                                                                                                                          Function 02D812E7 Relevance: 7.1, Strings: 5, Instructions: 896COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: 0$0$0$@$i
                                                                                                                                          • API String ID: 0-3124195287
                                                                                                                                          • Opcode ID: efa0ccf2e2ce0bc922fde5cac790f3a8762356710bc423ff1bf7e4f52436b61f
                                                                                                                                          • Instruction ID: 31e420140c41970e284a9b0f29cc7049664d09df22f895f1e7c47d0a8d325224
                                                                                                                                          • Opcode Fuzzy Hash: efa0ccf2e2ce0bc922fde5cac790f3a8762356710bc423ff1bf7e4f52436b61f
                                                                                                                                          • Instruction Fuzzy Hash: CF72C071A0C3818FD318EE28C49872ABBE1ABC9704F14896DECD997395D774DD49CB82
                                                                                                                                          Function 02D9ADCF Relevance: 6.6, Strings: 5, Instructions: 349COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: N5S3$TX$Y^YX$_YPh$d9K7
                                                                                                                                          • API String ID: 0-3179847056
                                                                                                                                          • Opcode ID: e9c5e9d41bde64b0369641ebe085098ee92518a4489060c504f5f4909b3969f6
                                                                                                                                          • Instruction ID: b0053423b370b8b980577789f94f60bcb329bd00a9d9479a3776512f39e25e35
                                                                                                                                          • Opcode Fuzzy Hash: e9c5e9d41bde64b0369641ebe085098ee92518a4489060c504f5f4909b3969f6
                                                                                                                                          • Instruction Fuzzy Hash: 04C1ADB6A08342CBCB25DF18D480AABB7E6EFC5354F15482DE8998B351EB319C51CB52
                                                                                                                                          Function 02D9D9BE Relevance: 6.3, Strings: 5, Instructions: 86COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: UWVZ$]sea$m`mx$m`mx$upuj
                                                                                                                                          • API String ID: 0-834475718
                                                                                                                                          • Opcode ID: 689d1403a906b841e6f5dbc1efc5fd2848d8277079f0601a85e6403b5e8e85aa
                                                                                                                                          • Instruction ID: f817f507f38d427d4b815657e4d4dff0b2edaa90d7d03e563e517606b1ccd6f4
                                                                                                                                          • Opcode Fuzzy Hash: 689d1403a906b841e6f5dbc1efc5fd2848d8277079f0601a85e6403b5e8e85aa
                                                                                                                                          • Instruction Fuzzy Hash: A8317AB09082A5CBDF09CF51D1D176ABFB1AF16210F68598DCC951F38BC3358855CBA8
                                                                                                                                          Function 02D9DAD1 Relevance: 5.6, Strings: 4, Instructions: 637COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: =EFG$O9H;$C"M${z}
                                                                                                                                          • API String ID: 0-2409340280
                                                                                                                                          • Opcode ID: ba091ad04a8e8a7a6a2ea8f05441250dedd174b4d1fa5a9da5fe5168a6796dac
                                                                                                                                          • Instruction ID: e43255b06ba690a5bb98d6c0f8d2df00bed6f003629b683128a75fce242807c9
                                                                                                                                          • Opcode Fuzzy Hash: ba091ad04a8e8a7a6a2ea8f05441250dedd174b4d1fa5a9da5fe5168a6796dac
                                                                                                                                          • Instruction Fuzzy Hash: AA32E2B5900716CFCF14CFA4C880AAEBBB2FF45314F148A5CE466AB795D734A915CB90
                                                                                                                                          Function 02D9332C Relevance: 5.6, Strings: 4, Instructions: 632COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: L|EL$fc{i$hXi`$j
                                                                                                                                          • API String ID: 0-1710704399
                                                                                                                                          • Opcode ID: 42e8da41f94567cdedb857f38f66fab6f9500f6d02349010b805585e2704c613
                                                                                                                                          • Instruction ID: 2dbe2eed2200b69069968a6d376d13b985b666cd28d9540ec65b239ad51dcf30
                                                                                                                                          • Opcode Fuzzy Hash: 42e8da41f94567cdedb857f38f66fab6f9500f6d02349010b805585e2704c613
                                                                                                                                          • Instruction Fuzzy Hash: FA22ACB15083818FDB15DF24D89076ABBE6EF86304F1849ACE4CA87392D736DD15CB62
                                                                                                                                          Function 02DA28F0 Relevance: 5.5, Strings: 4, Instructions: 491COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: 01$4`[b$LMBC$l9e7
                                                                                                                                          • API String ID: 0-216049701
                                                                                                                                          • Opcode ID: bcf46afd355db0f81d32af0fc00ae0f1f52d8a7aadf96fce23dd7c40fc950ff7
                                                                                                                                          • Instruction ID: 1cc26a63775a87266a935be9bfbbcbc95340e83987bada22148293b6077f427a
                                                                                                                                          • Opcode Fuzzy Hash: bcf46afd355db0f81d32af0fc00ae0f1f52d8a7aadf96fce23dd7c40fc950ff7
                                                                                                                                          • Instruction Fuzzy Hash: 4BD1D2756082019BD714EF29C8A1A2BB7E2EF95754F09891CE8C587392E335ED11CBA3
                                                                                                                                          Function 02DA6A50 Relevance: 5.5, Strings: 4, Instructions: 454COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: 4`[b$4`[b$MNOP$MNOP
                                                                                                                                          • API String ID: 0-2339417041
                                                                                                                                          • Opcode ID: 667201e4be3ba214f5b3acf5bb2295033909d91d70aff4feaf284efb28743793
                                                                                                                                          • Instruction ID: 446f5151f35373a617062764ad535dce713ca8178787f6b43fcd25b3a7535434
                                                                                                                                          • Opcode Fuzzy Hash: 667201e4be3ba214f5b3acf5bb2295033909d91d70aff4feaf284efb28743793
                                                                                                                                          • Instruction Fuzzy Hash: 33F188B1618342DFEB24DF54D8A0B6AB7E6FB88304F54892DE5C687390DB34D815CB92
                                                                                                                                          Function 02DA3E59 Relevance: 5.5, Strings: 4, Instructions: 453COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: +E+G$3ABC$S9[;$]=]?
                                                                                                                                          • API String ID: 0-640140210
                                                                                                                                          • Opcode ID: a12d157366e3b28726efa972fe8efbd3e357b8d282de21c18b3ea5fcbe492d71
                                                                                                                                          • Instruction ID: ed19e9a98f399578227108913f27ab1a531040fb6ad00381b2793c89cb6ddfaf
                                                                                                                                          • Opcode Fuzzy Hash: a12d157366e3b28726efa972fe8efbd3e357b8d282de21c18b3ea5fcbe492d71
                                                                                                                                          • Instruction Fuzzy Hash: 4DF1BDB4900216DFDB18CF94C8A1ABFBBB2FF59300F14859CE8626B395D3749911CBA5
                                                                                                                                          Function 02DB2DF0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 170COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: MetricsSystem
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 4116985748-3916222277
                                                                                                                                          • Opcode ID: 9d358e566e0ca28da909595b319718ee3ca6180303152789567797d25c8105f4
                                                                                                                                          • Instruction ID: 9164725a77a02e36c6631535e05e605e1b4a997ee0ffb470b8689c0ac0c3f1ef
                                                                                                                                          • Opcode Fuzzy Hash: 9d358e566e0ca28da909595b319718ee3ca6180303152789567797d25c8105f4
                                                                                                                                          • Instruction Fuzzy Hash: A2A169B0609386CBD360DF54D69879FFBE1BB85308F60995DE4D89B341C7B59848CB82
                                                                                                                                          Function 02D8DDB0 Relevance: 5.4, Strings: 4, Instructions: 391COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: $$PQ$h$jlRn
                                                                                                                                          • API String ID: 0-745477099
                                                                                                                                          • Opcode ID: ee6826041a9ed1248cb238d3a9ffd6c421b4594d1dbc10615d0d8f6d030ea4b2
                                                                                                                                          • Instruction ID: 56a44697afd59af4fc4b43e7617f67207ca5de18c345157e2d84b3b2007b8d00
                                                                                                                                          • Opcode Fuzzy Hash: ee6826041a9ed1248cb238d3a9ffd6c421b4594d1dbc10615d0d8f6d030ea4b2
                                                                                                                                          • Instruction Fuzzy Hash: A2E134B06083819BE314EF29C490A2FBBE6EF95708F14891DE5C98B391D735D906CF96
                                                                                                                                          Function 02D9D1A6 Relevance: 4.1, Strings: 3, Instructions: 372COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: <0z<$SaWW$cejR
                                                                                                                                          • API String ID: 0-344197986
                                                                                                                                          • Opcode ID: 3f30713b9f4a3bd2b176436d0ea1bfe1170d22e397063bc15a6c9a9cc79c8939
                                                                                                                                          • Instruction ID: 6db8af03e6b4ee769eb47fb4561b793878b609a1d2e8b1cd6c0b4ade7c1f81f4
                                                                                                                                          • Opcode Fuzzy Hash: 3f30713b9f4a3bd2b176436d0ea1bfe1170d22e397063bc15a6c9a9cc79c8939
                                                                                                                                          • Instruction Fuzzy Hash: CEC1CE71D0825ACFCF15DFA8C4906AEBBB2FF1A304F14455DE496AB381D335A946CBA0
                                                                                                                                          Function 02DAB5A2 Relevance: 4.0, Strings: 3, Instructions: 261COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: 4`[b$J$MNOP
                                                                                                                                          • API String ID: 0-4003097146
                                                                                                                                          • Opcode ID: 0d37564f9906c33dbc38a38a822ca5d51cea2de8a6f9673baac163ed43786ba2
                                                                                                                                          • Instruction ID: 9a9caa3b970a104a35f277f2d35dfdea2e6f02418c117697091c5b81c943df47
                                                                                                                                          • Opcode Fuzzy Hash: 0d37564f9906c33dbc38a38a822ca5d51cea2de8a6f9673baac163ed43786ba2
                                                                                                                                          • Instruction Fuzzy Hash: 5781EA7150C385CFD319DF28D460A6EBBE2AFAA308F148A5EE5E1073A1C7319D15CB92
                                                                                                                                          Function 02D8F2E0 Relevance: 3.0, Strings: 2, Instructions: 484COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: .'&!$nK
                                                                                                                                          • API String ID: 0-1803324099
                                                                                                                                          • Opcode ID: b04c5cb9b5979336bac83c97282a78b7ea0516ec91c104dbff4d993fcc20a65b
                                                                                                                                          • Instruction ID: 015eeb7490b2be244f2a4949dd9563e7403e208cb9d641c3389c97a6c5a79e3e
                                                                                                                                          • Opcode Fuzzy Hash: b04c5cb9b5979336bac83c97282a78b7ea0516ec91c104dbff4d993fcc20a65b
                                                                                                                                          • Instruction Fuzzy Hash: E1F1A9B560C3808FD318DF19C090A2EBBE2EBD5718FA88A1DE4D98B751D735D806CB56
                                                                                                                                          Function 02D9E920 Relevance: 2.9, Strings: 2, Instructions: 433COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: ^P]H$eeI
                                                                                                                                          • API String ID: 0-554186952
                                                                                                                                          • Opcode ID: e3425b81d6848f1086bf5490e7469c5063927659c50bb273ebbc4ebeefd34fce
                                                                                                                                          • Instruction ID: 203ecf593522048f1c66177d07555fe6ee65522c7678579e8a49bfe5f895a788
                                                                                                                                          • Opcode Fuzzy Hash: e3425b81d6848f1086bf5490e7469c5063927659c50bb273ebbc4ebeefd34fce
                                                                                                                                          • Instruction Fuzzy Hash: C4E197756083809BD705EF28C890A6EBBE6EFD9304F08892DF4C987352D736D915CB92
                                                                                                                                          Function 02D83660 Relevance: 2.9, Strings: 2, Instructions: 424COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: Inf$NaN
                                                                                                                                          • API String ID: 0-3500518849
                                                                                                                                          • Opcode ID: cebaf76a1c0388fb9f26f752f3c0b9a445151565d333192a9bee998e5d5eb307
                                                                                                                                          • Instruction ID: e84b25a7a9321180d3237a05532565fd62ba3aa17fa31d1b93d0f473d272ac43
                                                                                                                                          • Opcode Fuzzy Hash: cebaf76a1c0388fb9f26f752f3c0b9a445151565d333192a9bee998e5d5eb307
                                                                                                                                          • Instruction Fuzzy Hash: 88E1D6B2A083019BC748DF29C88161AF7E6EBC8B50F25896DF89D97390D735DD45CB82
                                                                                                                                          Function 02DA7300 Relevance: 2.9, Strings: 2, Instructions: 367COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: InitializeThunk
                                                                                                                                          • String ID: MNOP$e
                                                                                                                                          • API String ID: 2994545307-1407322595
                                                                                                                                          • Opcode ID: 846d55b562e6a3478170e3aeef9bb89a8d78916c38fd0ed4f3c42d8767b53001
                                                                                                                                          • Instruction ID: b48db04b5f669ab85ed0909ec2e593b15e0a1b36b1f5696863b7f2ed9717f677
                                                                                                                                          • Opcode Fuzzy Hash: 846d55b562e6a3478170e3aeef9bb89a8d78916c38fd0ed4f3c42d8767b53001
                                                                                                                                          • Instruction Fuzzy Hash: 6CB18971A083428BE724DF68C8A0A6FF7E2EB95354F14892DE9C587351E335DC45CBA2
                                                                                                                                          Function 02DC2280 Relevance: 2.8, Strings: 2, Instructions: 303COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: InitializeThunk
                                                                                                                                          • String ID: =>?0$=>?0
                                                                                                                                          • API String ID: 2994545307-2509495232
                                                                                                                                          • Opcode ID: dd3f35787f0e6f20daa9866134d2dcb3d2936bc650a8e8be8ca23c856d601f57
                                                                                                                                          • Instruction ID: db9cf4d66407fb12167f5765c025795eac56e8b9e63e524491f577b4ab413509
                                                                                                                                          • Opcode Fuzzy Hash: dd3f35787f0e6f20daa9866134d2dcb3d2936bc650a8e8be8ca23c856d601f57
                                                                                                                                          • Instruction Fuzzy Hash: D191BF356082429BC711DF28C890A2BB7E2EFD5754F68896CE8C587365DB31EC52CB92
                                                                                                                                          Function 02DC1790 Relevance: 2.7, Strings: 2, Instructions: 156COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: =>?0$@
                                                                                                                                          • API String ID: 0-471866982
                                                                                                                                          • Opcode ID: db4ab1499a56b272fa63e35407bae24cccb4978b7a68b416794de20d737b8de6
                                                                                                                                          • Instruction ID: 52afd972650ff809fae2fd36c50cd38d9a80ddd717ee5d487fe7e40f1c44d75c
                                                                                                                                          • Opcode Fuzzy Hash: db4ab1499a56b272fa63e35407bae24cccb4978b7a68b416794de20d737b8de6
                                                                                                                                          • Instruction Fuzzy Hash: D7411D719083229BD718DF14C850B2BB7E2EF85318F288A2CE9DA57391D731EC05CB92
                                                                                                                                          Function 02DC2150 Relevance: 2.6, Strings: 2, Instructions: 101COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: InitializeThunk
                                                                                                                                          • String ID: =>?0$@
                                                                                                                                          • API String ID: 2994545307-471866982
                                                                                                                                          • Opcode ID: 35159f18668651999335d0af06d8b9c27648d69c302a49f0c8700fdfb90815ef
                                                                                                                                          • Instruction ID: eb96cdd32f7fbb9407be008ccc473514a8fd78dce3a03bc8f303a71718f86b1d
                                                                                                                                          • Opcode Fuzzy Hash: 35159f18668651999335d0af06d8b9c27648d69c302a49f0c8700fdfb90815ef
                                                                                                                                          • Instruction Fuzzy Hash: B13178756083029BD300CF58D88466AF7F5EFDA758F648A2CE9D897350D371E904CBA2
                                                                                                                                          Function 02DC0C10 Relevance: 2.0, Strings: 1, Instructions: 763COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: ,{zy
                                                                                                                                          • API String ID: 0-1863127247
                                                                                                                                          • Opcode ID: 399eb3db256e0858e0bf4b3665b08f45ed4046393a7791550cdc25f19d241aae
                                                                                                                                          • Instruction ID: dfb1ec90c634bbb3a6d36b19a2ac74511e2d07924ab9883c6d84d414a871b0b7
                                                                                                                                          • Opcode Fuzzy Hash: 399eb3db256e0858e0bf4b3665b08f45ed4046393a7791550cdc25f19d241aae
                                                                                                                                          • Instruction Fuzzy Hash: 0642AA75A08262CFCB04CF68D49066EB7F2FB89319F2A896DD58997381D331ED15CB81
                                                                                                                                          Function 02DBCAF0 Relevance: 1.8, Strings: 1, Instructions: 593COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: f
                                                                                                                                          • API String ID: 0-1993550816
                                                                                                                                          • Opcode ID: 97ca72a771e99b2b2e67c29bcefb16024587afcfd606eecad649821d86a01215
                                                                                                                                          • Instruction ID: c91aa4110b789509cae8780e240b0a785994c8b009afcf0c5741615830f95d59
                                                                                                                                          • Opcode Fuzzy Hash: 97ca72a771e99b2b2e67c29bcefb16024587afcfd606eecad649821d86a01215
                                                                                                                                          • Instruction Fuzzy Hash: B0227A71618341DFC716CE18C8A0B6ABBE2BF89718F188A6DE49687391D735EC05CB52
                                                                                                                                          Function 02DA2690 Relevance: 1.7, APIs: 1, Instructions: 242comCOMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          APIs
                                                                                                                                          • CoCreateInstance.OLE32(02DC4BA0,00000000,00000001,02DC4B90), ref: 02DA26B9
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: CreateInstance
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 542301482-0
                                                                                                                                          • Opcode ID: ef017421ae852457f80e380575d23696de7006cb7a114378d3825736f7b2135c
                                                                                                                                          • Instruction ID: 9441729bf9e67dd3cde2ad5ce5c4411f620cc0f933de6e9eb56fca7542e2e307
                                                                                                                                          • Opcode Fuzzy Hash: ef017421ae852457f80e380575d23696de7006cb7a114378d3825736f7b2135c
                                                                                                                                          • Instruction Fuzzy Hash: 7351BDB56002009BDB209B25CCAAF7773B5EF85758F148558FD868B390E375ED05C762
                                                                                                                                          Function 02DC0390 Relevance: 1.7, Strings: 1, Instructions: 408COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: P
                                                                                                                                          • API String ID: 0-3110715001
                                                                                                                                          • Opcode ID: b765afd3d110e2cd25cf160218ece526fbb3b48a369255320b5604029b4036a1
                                                                                                                                          • Instruction ID: 52f6f0b71f45f021edbeb8aa1b0970e5c34a619baaeb4a63964874c521f2b114
                                                                                                                                          • Opcode Fuzzy Hash: b765afd3d110e2cd25cf160218ece526fbb3b48a369255320b5604029b4036a1
                                                                                                                                          • Instruction Fuzzy Hash: C8D1A6325083758FD726CE18949065FB7E1EBC5718F658A2CE9B66B380CB71AC46C7C1
                                                                                                                                          Function 02DABE20 Relevance: 1.6, Strings: 1, Instructions: 396COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: "
                                                                                                                                          • API String ID: 0-123907689
                                                                                                                                          • Opcode ID: 59aee0ddc6f4e7f363dd31ede2c232e500e2a18481fa2a25ac1f8ba4175d59bf
                                                                                                                                          • Instruction ID: 76edf24747607e163b1f454de6ae0d58a5baa1cc3717fa3d7a24f271665d08fb
                                                                                                                                          • Opcode Fuzzy Hash: 59aee0ddc6f4e7f363dd31ede2c232e500e2a18481fa2a25ac1f8ba4175d59bf
                                                                                                                                          • Instruction Fuzzy Hash: DCC12772A183049BD724CF24C4A0F6BB7E6AF95328F18892FE89587381E734DD45CB91
                                                                                                                                          Function 02DC28B0 Relevance: 1.6, Strings: 1, Instructions: 312COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: =>?0
                                                                                                                                          • API String ID: 0-1945578858
                                                                                                                                          • Opcode ID: 71c858e1dc923fd35c1cbfbaf85c2511c6e045c7cc4d2bfd18db927ed20e24e0
                                                                                                                                          • Instruction ID: 9bab325c7fb0ae3468e679c80155d879edd24d3f147113aba9a512908a1e7c9d
                                                                                                                                          • Opcode Fuzzy Hash: 71c858e1dc923fd35c1cbfbaf85c2511c6e045c7cc4d2bfd18db927ed20e24e0
                                                                                                                                          • Instruction Fuzzy Hash: 73A1CF356083478BC724DE28C890A2BB3E2EF85754F28896CE8D5D7355EB31EC51CB92
                                                                                                                                          Function 02DB8630 Relevance: 1.5, Strings: 1, Instructions: 287COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: 4`[b
                                                                                                                                          • API String ID: 0-3962175265
                                                                                                                                          • Opcode ID: 3a48ae5d1500440ce35ebf5e90796fcfdb028c4e4ae2aa4f4966e39b8c0340d1
                                                                                                                                          • Instruction ID: 9c0d9701385d7555e8053459cf5e446d374ad1221efb91a676c4fd634a30d364
                                                                                                                                          • Opcode Fuzzy Hash: 3a48ae5d1500440ce35ebf5e90796fcfdb028c4e4ae2aa4f4966e39b8c0340d1
                                                                                                                                          • Instruction Fuzzy Hash: D9A19E71608202DFD715CF14C8A4B6AB7EAEF89308F548D2DE5CA87381D735E816CB52
                                                                                                                                          Function 02DC25B0 Relevance: 1.5, Strings: 1, Instructions: 286COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: =>?0
                                                                                                                                          • API String ID: 0-1945578858
                                                                                                                                          • Opcode ID: 1a4ea6894f9afd24ede7244ff79c56f16ee6e097112eb43a8903430b2d8d6355
                                                                                                                                          • Instruction ID: 0ee1a3658e353b29c63583a422d88f12c44cdbcd9bb9828d039ef088fea7d090
                                                                                                                                          • Opcode Fuzzy Hash: 1a4ea6894f9afd24ede7244ff79c56f16ee6e097112eb43a8903430b2d8d6355
                                                                                                                                          • Instruction Fuzzy Hash: F391D135A083128BC724DF18C8C4A2BB7A2EF98714F24896CE9C657355E771EC11CB92
                                                                                                                                          Function 02DB27C0 Relevance: 1.5, Strings: 1, Instructions: 246COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: 0
                                                                                                                                          • API String ID: 0-4108050209
                                                                                                                                          • Opcode ID: a6002b891db1e8308f7a2705f7f5030729064f7f465bc38a2858a7a21836704c
                                                                                                                                          • Instruction ID: 3882b882b9466d343a242c62be501d2397731e712e0fda98aed216429dbdf0e8
                                                                                                                                          • Opcode Fuzzy Hash: a6002b891db1e8308f7a2705f7f5030729064f7f465bc38a2858a7a21836704c
                                                                                                                                          • Instruction Fuzzy Hash: A2715A33B5969187C72A487C5C652EA7A934F96330F2D8379ADF6973E1D5288D058380
                                                                                                                                          Function 02DAC2C0 Relevance: 1.4, Strings: 1, Instructions: 181COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: "
                                                                                                                                          • API String ID: 0-123907689
                                                                                                                                          • Opcode ID: c434106e7a1f3407efc0bac139c1a4e0f7b4fb88fbb903a10c8fbef3496dcb51
                                                                                                                                          • Instruction ID: 587eeb8f158b5b493f06613af731180b61bb6e282a5ac972fe54100060248ae3
                                                                                                                                          • Opcode Fuzzy Hash: c434106e7a1f3407efc0bac139c1a4e0f7b4fb88fbb903a10c8fbef3496dcb51
                                                                                                                                          • Instruction Fuzzy Hash: 5551E1726283448BD724CF69C4A0B6EB7E1ABC5634F19882FE4D58B350C3B4EC44C786
                                                                                                                                          Function 02DA6390 Relevance: 1.3, Strings: 1, Instructions: 73COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: 4`[b
                                                                                                                                          • API String ID: 0-3962175265
                                                                                                                                          • Opcode ID: 5715b8c625a1dd69aebb97e99eee2c02d672633d5469d34b284d788375638220
                                                                                                                                          • Instruction ID: 694ee780d39e1443faef73338f2be0e72bb0a8e038dfa0a9c113e60622b4d7dd
                                                                                                                                          • Opcode Fuzzy Hash: 5715b8c625a1dd69aebb97e99eee2c02d672633d5469d34b284d788375638220
                                                                                                                                          • Instruction Fuzzy Hash: 41217A7564C341CBE768CF20C4A4A6BB7E6EBC9708F68591CD5DA03358CB70E841CB82
                                                                                                                                          Function 02DC08B0 Relevance: 1.0, Instructions: 990COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 3b3bcabb829f5641abdfed914ce7af71ecea200de09f5abdd3b213df3e879977
                                                                                                                                          • Instruction ID: 4ffcfee330630f842cc68350691aeb3ad0474caa8890b26efd4f39837a2224f4
                                                                                                                                          • Opcode Fuzzy Hash: 3b3bcabb829f5641abdfed914ce7af71ecea200de09f5abdd3b213df3e879977
                                                                                                                                          • Instruction Fuzzy Hash: A462AC72A08252CFCB04CF28D49166EB7E2FF89319F2A896DD58997391D331ED15CB81
                                                                                                                                          Function 02DC0A20 Relevance: .9, Instructions: 870COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 7129cbec5c337232d483ba664e20c1904f1f0d9c72507541ec1ac7016e697bc1
                                                                                                                                          • Instruction ID: 390272a750c2244f908fc94a3ac4db902f80e06b6cedf4cd58bac1c1453dac4d
                                                                                                                                          • Opcode Fuzzy Hash: 7129cbec5c337232d483ba664e20c1904f1f0d9c72507541ec1ac7016e697bc1
                                                                                                                                          • Instruction Fuzzy Hash: 7352AB75A08252CFCB04CF28D49066EB7E2FF89319F2A896DD58997391D331EC16CB81
                                                                                                                                          Function 02D8BEA0 Relevance: .9, Instructions: 853COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 5e4d917c53b10096f02dff525269476166882a60f44ec98de07de0bc148a56b8
                                                                                                                                          • Instruction ID: 34b937a225febd78590674f1c498b189cdfd017d4c25d2a4f112d3c82ebda135
                                                                                                                                          • Opcode Fuzzy Hash: 5e4d917c53b10096f02dff525269476166882a60f44ec98de07de0bc148a56b8
                                                                                                                                          • Instruction Fuzzy Hash: 6D52B231628711CBC729EF28D48027AB3E2FFC4718F15892ED9D697385E735A851CB62
                                                                                                                                          Function 02DC0AAF Relevance: .8, Instructions: 819COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: e2620721d707c1bff373406348569655eaa6e77f1dfc3329342f33588283f7cb
                                                                                                                                          • Instruction ID: ba9d918e66b8e21c82b80b60147ee94bdd530f1248c80b05b2bc6166ea3de4c6
                                                                                                                                          • Opcode Fuzzy Hash: e2620721d707c1bff373406348569655eaa6e77f1dfc3329342f33588283f7cb
                                                                                                                                          • Instruction Fuzzy Hash: 0342AC75A08252CFCB04CF68D49066EB7E2FF89319F2A896DD58997391D331EC15CB81
                                                                                                                                          Function 02DC0D20 Relevance: .7, Instructions: 722COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: a897deb29d12fd8020c3582db04b8fab052fc1c460e7179ac12eac7e8cd86290
                                                                                                                                          • Instruction ID: a0c86b6a17f610cf09059d072bc6e00fb859d1f1ed45e8fea80aba1221bc946d
                                                                                                                                          • Opcode Fuzzy Hash: a897deb29d12fd8020c3582db04b8fab052fc1c460e7179ac12eac7e8cd86290
                                                                                                                                          • Instruction Fuzzy Hash: EA329A75A08252CFCB04CF28D4A066EB7E2FB89319F29896DD589A7391C331ED15CB91
                                                                                                                                          Function 02D87380 Relevance: .7, Instructions: 696COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: a7f7fcec4b015fbae02c351aa2e69a85126eb4825be8d3e7995c1479dddee427
                                                                                                                                          • Instruction ID: 4a162584741eac7c108b283c548ba181873b26633663d74db27a1cc4cbbeeb90
                                                                                                                                          • Opcode Fuzzy Hash: a7f7fcec4b015fbae02c351aa2e69a85126eb4825be8d3e7995c1479dddee427
                                                                                                                                          • Instruction Fuzzy Hash: B352CF395083458FEB14DF28C0806AAFBE1BF88318F298A6DE8D957351D774ED49CB81
                                                                                                                                          Function 02DC0E30 Relevance: .7, Instructions: 678COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 91149b7ba3e42d6af4aa756388c526fb5c82cf437b545331aae7a643ebed8ec3
                                                                                                                                          • Instruction ID: 3b7e0779d512a25d8838849d23a6426250512fb0aba06c67bf5057da8e9f57c0
                                                                                                                                          • Opcode Fuzzy Hash: 91149b7ba3e42d6af4aa756388c526fb5c82cf437b545331aae7a643ebed8ec3
                                                                                                                                          • Instruction Fuzzy Hash: 2D22AC75A08256CFCB08CF28D49066EB7E2FF89315F29896DD48A97381D731ED11CB91
                                                                                                                                          Function 02D8B390 Relevance: .7, Instructions: 670COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: b778457fa0af6043a20a3280c81598f977ad8d0efa43ab132f0def2c5ab37307
                                                                                                                                          • Instruction ID: 56f3e108207829fb418bbbf0a5a54e9105b0ba434cbaa0fc741c2c0538aac326
                                                                                                                                          • Opcode Fuzzy Hash: b778457fa0af6043a20a3280c81598f977ad8d0efa43ab132f0def2c5ab37307
                                                                                                                                          • Instruction Fuzzy Hash: CB52D670908B849FE735EB34C4847A7BBE1EB85318F14586FC5E786B82C379A885CB51
                                                                                                                                          Function 02D87DC0 Relevance: .6, Instructions: 592COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 35b4201bf7fe0c653268b068d8074d53fffd2df815bda38ed702c9ac7d332a70
                                                                                                                                          • Instruction ID: 201863472b9dfae70d2d9e51bf93d7ec228e24128ea85b91dbf4ed658b64e95b
                                                                                                                                          • Opcode Fuzzy Hash: 35b4201bf7fe0c653268b068d8074d53fffd2df815bda38ed702c9ac7d332a70
                                                                                                                                          • Instruction Fuzzy Hash: C73211B1514B158FC368DF29C59062ABBF2BF45710BA04A2ED6A78BF90D736F844DB10
                                                                                                                                          Function 02DC727B Relevance: .5, Instructions: 517COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: f2fae7a71bb05b04899b85d58e9815f4e1409acd6cc9a4c57953480a4d43c196
                                                                                                                                          • Instruction ID: 5bc1fcb8f84a67ce498b8739d677b8a00addd35bbce6c15167e25d85390914f2
                                                                                                                                          • Opcode Fuzzy Hash: f2fae7a71bb05b04899b85d58e9815f4e1409acd6cc9a4c57953480a4d43c196
                                                                                                                                          • Instruction Fuzzy Hash: E8F1567124618BAFE7021F2588AD5E5FFB5FF4B32432A45D9E5C04E006C739589ADF60
                                                                                                                                          Function 02DA8763 Relevance: .4, Instructions: 411COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 0e1e898667e8d15075b3adc0822730801c096142de892942329ac4f461c467fd
                                                                                                                                          • Instruction ID: ab519808f7fa283e323055696aff0dec6cff2a424caf1e9714463a69acada944
                                                                                                                                          • Opcode Fuzzy Hash: 0e1e898667e8d15075b3adc0822730801c096142de892942329ac4f461c467fd
                                                                                                                                          • Instruction Fuzzy Hash: 06D1E131E14256CFDB148F78D8A06ADBBB3BF8A320F298669D861A73D5D7349C41CB50
                                                                                                                                          Function 02D8CBF0 Relevance: .4, Instructions: 409COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 6f37897a8c76c19be5e3612f4462b8389b8d50331e3decacd2db82c83d1ba840
                                                                                                                                          • Instruction ID: a9da7ec918ff92759a0f3a5dd92c3ba33157bc60175096b036bd9b8b1f317955
                                                                                                                                          • Opcode Fuzzy Hash: 6f37897a8c76c19be5e3612f4462b8389b8d50331e3decacd2db82c83d1ba840
                                                                                                                                          • Instruction Fuzzy Hash: A8F18F7291C3519BC719DF28C4A062EBBE2AFC5620F19895EF8DA573A1D234DC05CB92
                                                                                                                                          Function 02DBF5FC Relevance: .4, Instructions: 401COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 10303192d8b19ee5ef314a7123e8e7e580b1efa83be9110e63b08274a6fd1a02
                                                                                                                                          • Instruction ID: 20974e5397df5872744a862863604a2741e72594cc6a3d132202352a5bcf726a
                                                                                                                                          • Opcode Fuzzy Hash: 10303192d8b19ee5ef314a7123e8e7e580b1efa83be9110e63b08274a6fd1a02
                                                                                                                                          • Instruction Fuzzy Hash: F4E1DF32A58242CFC715CF38E89126AB7E2AB89318F1A8A7DE8D5C3381D774DD50CB41
                                                                                                                                          Function 02D8A380 Relevance: .4, Instructions: 399COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: a88dcd1183fcd25dad8e9ca0f537ba6946182672bb3c970a42b981528887e676
                                                                                                                                          • Instruction ID: 179489da418efd63c26584b7862fb53b9e2f6f6efea9337df1c297399d2cf7b5
                                                                                                                                          • Opcode Fuzzy Hash: a88dcd1183fcd25dad8e9ca0f537ba6946182672bb3c970a42b981528887e676
                                                                                                                                          • Instruction Fuzzy Hash: 2DE17971208341DFC725DF69C880B2BBBE6EF98204F44882EE4D587751E775E949CBA2
                                                                                                                                          Function 02D94921 Relevance: .4, Instructions: 368COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 268cee7ce1860a376ce99066269480f243f56d9a6f646f2b3cbfc1f68f979230
                                                                                                                                          • Instruction ID: ec0969278417c20df9d621073a29b2d7a989b0b0b8f044dcc7e6dc6a4c911cfa
                                                                                                                                          • Opcode Fuzzy Hash: 268cee7ce1860a376ce99066269480f243f56d9a6f646f2b3cbfc1f68f979230
                                                                                                                                          • Instruction Fuzzy Hash: 45D1C3769182528FDB14DF28D84066AB3E6FF84314F19096DF48A97392E734DD11CBA2
                                                                                                                                          Function 02D93E28 Relevance: .4, Instructions: 361COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 32acdf2448c634459ea166067f52b4c9290119e8734ff2fe05de8f6e98920bf5
                                                                                                                                          • Instruction ID: e2eb5d007974099591092b5b2cc471be77c0fc52fb7934586e51cee90297e708
                                                                                                                                          • Opcode Fuzzy Hash: 32acdf2448c634459ea166067f52b4c9290119e8734ff2fe05de8f6e98920bf5
                                                                                                                                          • Instruction Fuzzy Hash: 9FD136B06183808BD724DF28D881BAEB7F6EF9A704F04096DE5C997352E7359C11CB66
                                                                                                                                          Function 02DAA067 Relevance: .4, Instructions: 355COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: fa2821afe693fa87018c3cbb4c235c9817b72f8a99484978aa343327f4feaa9b
                                                                                                                                          • Instruction ID: c1e0c0ef553ce8d6fe123af15e9c47a84130787163df6956576ea2f581e41ad1
                                                                                                                                          • Opcode Fuzzy Hash: fa2821afe693fa87018c3cbb4c235c9817b72f8a99484978aa343327f4feaa9b
                                                                                                                                          • Instruction Fuzzy Hash: 83C1EFB55083428FD718DF68C4A1B6AB7F2EFC5304F148A2CE5D987382E7799915CB42
                                                                                                                                          Function 02D89E3D Relevance: .3, Instructions: 344COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 7ae6c8cd72f089d4d3a04a22aa26ca550a4b96655587b8a4415a83973557e209
                                                                                                                                          • Instruction ID: 381655f8874f3c8ca443c6351783ed2f18121888e3aa36de9557c3fa6ebab25b
                                                                                                                                          • Opcode Fuzzy Hash: 7ae6c8cd72f089d4d3a04a22aa26ca550a4b96655587b8a4415a83973557e209
                                                                                                                                          • Instruction Fuzzy Hash: F7E15A35604682EFC725CF29D840A56FBB2FF99300B14CAACE59A47B52C331F864CB91
                                                                                                                                          Function 02D89C5D Relevance: .3, Instructions: 315COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: d19a571ce6307ac783bbbdb7279a6fb1bff9151439e9cc1cd1d3e3051b2ea456
                                                                                                                                          • Instruction ID: 79b96e874f2c3f66088ba4aaf1bf3920b2b9da492c5d26b6c24acf8cbc198dc8
                                                                                                                                          • Opcode Fuzzy Hash: d19a571ce6307ac783bbbdb7279a6fb1bff9151439e9cc1cd1d3e3051b2ea456
                                                                                                                                          • Instruction Fuzzy Hash: 41D13975609A82EFC725CF29D440A56FBB2BF99300B18CA9CD49A47B52C331F865CB91
                                                                                                                                          Function 02D942FE Relevance: .3, Instructions: 309COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: a49b0e83c2d1d2223de0a146229d9087bad0e6aa214e8be4bb368ef5d03f5380
                                                                                                                                          • Instruction ID: 1a9cab95268a8865b3c7d4a6cf9315dc7a7e47ddf7e7233c08d103e99fffd57a
                                                                                                                                          • Opcode Fuzzy Hash: a49b0e83c2d1d2223de0a146229d9087bad0e6aa214e8be4bb368ef5d03f5380
                                                                                                                                          • Instruction Fuzzy Hash: 9EB132705083808FD325EF28D490BAEB7F5EF9A708F04092DE5C987352E77A9815CB66
                                                                                                                                          Function 02D8AF00 Relevance: .3, Instructions: 303COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 0456584b5a6826dc4bd6c7afc4826674478406e48d44e4aeaf6668cd7845ff02
                                                                                                                                          • Instruction ID: 846244fe75e46e6c89d51f52c88048e06dd2a1caf8fbddfeb509a28921a99e01
                                                                                                                                          • Opcode Fuzzy Hash: 0456584b5a6826dc4bd6c7afc4826674478406e48d44e4aeaf6668cd7845ff02
                                                                                                                                          • Instruction Fuzzy Hash: B8C157B2A187418FC360DF68DC86BABB7E1BB85318F08492DD1D9C6342E778A555CB06
                                                                                                                                          Function 02D92F92 Relevance: .3, Instructions: 272COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 8e20c80993b582e29dca984f954eddfec03fb527a29c8e68c1859f1365598ece
                                                                                                                                          • Instruction ID: e159138769cdba3d4f16ae3c99789d46073f7235083b525e1aba72460ef1ac49
                                                                                                                                          • Opcode Fuzzy Hash: 8e20c80993b582e29dca984f954eddfec03fb527a29c8e68c1859f1365598ece
                                                                                                                                          • Instruction Fuzzy Hash: 6781A1B29183418FDB25DF28D84076AB7E6EF86314F150A6CF49997391E735DC04CB92
                                                                                                                                          Function 02DBFE30 Relevance: .3, Instructions: 251COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: acf6dcc6d63af047d6e915d58ffc24b058b8f54ce0c728dd9443f07e997b2625
                                                                                                                                          • Instruction ID: fcad4276a6e8c0ba69633d5477ee4284c3d29d9b650fefbe563912a4bb9dd39c
                                                                                                                                          • Opcode Fuzzy Hash: acf6dcc6d63af047d6e915d58ffc24b058b8f54ce0c728dd9443f07e997b2625
                                                                                                                                          • Instruction Fuzzy Hash: 1181F5B5A043419FE724DB28DC50BABB7D6EF84358F28492DF996C3351EA34DC048B62
                                                                                                                                          Function 02D89C0F Relevance: .3, Instructions: 251COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 4144b70b43c21513db9e7dbe3fd72af7e374e947d5a2b07b37d6be29452f0c42
                                                                                                                                          • Instruction ID: 0b1efc7a7426e126a589b71abf86f2989a460e7b251806b2619335124be996db
                                                                                                                                          • Opcode Fuzzy Hash: 4144b70b43c21513db9e7dbe3fd72af7e374e947d5a2b07b37d6be29452f0c42
                                                                                                                                          • Instruction Fuzzy Hash: E1B15A35609A82EFC325CF69C440956FBB2BFA9310B18CA9CD49947B52C331F865CBE1
                                                                                                                                          Function 02D99850 Relevance: .2, Instructions: 222COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 0da882c4391e513d1c2d5a3d5a657d48e18b097080ca664fa16d1956a02be5d5
                                                                                                                                          • Instruction ID: 4f3a4f3042bdf2f6c7373b6774db7cb25f98f72f4c34ec094fdaf197a447aaa3
                                                                                                                                          • Opcode Fuzzy Hash: 0da882c4391e513d1c2d5a3d5a657d48e18b097080ca664fa16d1956a02be5d5
                                                                                                                                          • Instruction Fuzzy Hash: 4761E633B1DA924BDB29893C5C722EA6A839BD723472D876DF6F28B3D4D6158C018351
                                                                                                                                          Function 02DA395E Relevance: .2, Instructions: 215COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: InitializeThunk
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 2994545307-0
                                                                                                                                          • Opcode ID: e13543eaefde56e7a56310a2e7230e30f1b23f0ef428c9f3d00402566edd0f48
                                                                                                                                          • Instruction ID: 29efd2b40267cf7f12643c895f6614045ae5d09da4bb42e1573779b37996b73d
                                                                                                                                          • Opcode Fuzzy Hash: e13543eaefde56e7a56310a2e7230e30f1b23f0ef428c9f3d00402566edd0f48
                                                                                                                                          • Instruction Fuzzy Hash: 6161D872E046668BCB15CE58CCA4AAEB7F3FB88315F1546ACD856A7380D770AD41CB90
                                                                                                                                          Function 02D92998 Relevance: .2, Instructions: 208COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 88b9174ff62e9edea389a884ad2a22df7ecaf75724ceb392eb8618898155ac18
                                                                                                                                          • Instruction ID: ece87c67b979b7620c79fdc49c77a17400309cf960bd1a2ce0545b0ac06d511a
                                                                                                                                          • Opcode Fuzzy Hash: 88b9174ff62e9edea389a884ad2a22df7ecaf75724ceb392eb8618898155ac18
                                                                                                                                          • Instruction Fuzzy Hash: 98718A7661D2818BE328DF28D891BAFB7F5EB96705F04082DE5C9C3342D7369811CB16
                                                                                                                                          Function 02DA8533 Relevance: .2, Instructions: 201COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: f649e8a43a0f82b8c06a553ad8e59b7cfd8c2dfb9df3cc98c4cbcb05845835c0
                                                                                                                                          • Instruction ID: 890689ac2c52ad59341c079d39ff1b39810e29674efee6ddea159148be30e093
                                                                                                                                          • Opcode Fuzzy Hash: f649e8a43a0f82b8c06a553ad8e59b7cfd8c2dfb9df3cc98c4cbcb05845835c0
                                                                                                                                          • Instruction Fuzzy Hash: 175197B5E112168FCB18CF68C8A0A6DB7F2AB89315F1D826DD856E7381D7349C41CB90
                                                                                                                                          Function 02DB0D40 Relevance: .2, Instructions: 194COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: c61baf21109736e57084c8f2279cdb97f668cc0c891d4967156940313cd9a9e9
                                                                                                                                          • Instruction ID: f86c98bfba800419e3d7c30c928d5fe8d6e08ed5f219c0a00f66ab513b3a20f2
                                                                                                                                          • Opcode Fuzzy Hash: c61baf21109736e57084c8f2279cdb97f668cc0c891d4967156940313cd9a9e9
                                                                                                                                          • Instruction Fuzzy Hash: EB51F12A759AD2CAC31A893C58343FA6A534F96231F1D875AE6F34B3D1CA158C15C351
                                                                                                                                          Function 02DB7340 Relevance: .2, Instructions: 189COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 26d59f628840b5e8251de5f5083575ce74deffd400414cdff5ce3adc9b892e72
                                                                                                                                          • Instruction ID: d1594c412d4b90b4f7ee9192caabffc74b6350173cedaa8a72d0c840faac9588
                                                                                                                                          • Opcode Fuzzy Hash: 26d59f628840b5e8251de5f5083575ce74deffd400414cdff5ce3adc9b892e72
                                                                                                                                          • Instruction Fuzzy Hash: 26513CB15087548FE314DF29D49475BBBE1BBC4318F144A2DE4EA87350E379DA088B92
                                                                                                                                          Function 02DB89E0 Relevance: .2, Instructions: 182COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 53dfa822156f829c79dc8e52c38bb7ebe3ffeb2019b90e23a883e3c8e097e048
                                                                                                                                          • Instruction ID: 43b99e2589fe2b0d76a38414428c20ebe9f6faf67e796930438ed73ba33468c7
                                                                                                                                          • Opcode Fuzzy Hash: 53dfa822156f829c79dc8e52c38bb7ebe3ffeb2019b90e23a883e3c8e097e048
                                                                                                                                          • Instruction Fuzzy Hash: 8A5129B160C7848BC725CA28C4A13FBBBD69FC6208F08896CE5D78B386D639DD45D751
                                                                                                                                          Function 02DA35E0 Relevance: .2, Instructions: 182COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 9af184ce91b3114c6f5d4dcf555b9295a4f28e8ad2644e1c890202546821ecd5
                                                                                                                                          • Instruction ID: 74c6e86d530606dd8eb15b991d25b808237c34e8366cecd870705be37ccd18cd
                                                                                                                                          • Opcode Fuzzy Hash: 9af184ce91b3114c6f5d4dcf555b9295a4f28e8ad2644e1c890202546821ecd5
                                                                                                                                          • Instruction Fuzzy Hash: 5C515CB1E0025ACBDB54CF68D850AAEB7B6EF49314F2944ADD812E7390DB34ED11CB64
                                                                                                                                          Function 02DA3108 Relevance: .2, Instructions: 180COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: f8db9a4bb5ad888f1e39d79194c90dcaa9b91777b87f36af9c1a5fb3d69ffedd
                                                                                                                                          • Instruction ID: 835a80a69d4078fe732e40cacb8bd0cd8dca9c83ac3c1b6a86bb138b695b9feb
                                                                                                                                          • Opcode Fuzzy Hash: f8db9a4bb5ad888f1e39d79194c90dcaa9b91777b87f36af9c1a5fb3d69ffedd
                                                                                                                                          • Instruction Fuzzy Hash: 83619DB0D042AA8BDB64CF58CC94BAEB7B1FB85305F2005D8D459AB390D7749E81CF54
                                                                                                                                          Function 02D85BA0 Relevance: .2, Instructions: 163COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 8790c2ee07a173b30cd857a857db0d1738e7f96495a76906ffbebd4352f33518
                                                                                                                                          • Instruction ID: 0cd59fb49e2abdbd671637e60e3cbdb4cb0ca466399e3f73bfbb907e21c8319c
                                                                                                                                          • Opcode Fuzzy Hash: 8790c2ee07a173b30cd857a857db0d1738e7f96495a76906ffbebd4352f33518
                                                                                                                                          • Instruction Fuzzy Hash: B251A5B59042019FC714EF18E880916B7E5FF85324F5A466CEC959B351E731EC41CF92
                                                                                                                                          Function 02DA3B8F Relevance: .2, Instructions: 153COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 897e6647db87b1b2830348f5a11797d5b1fface30be8aeabf72c4b3f826762a4
                                                                                                                                          • Instruction ID: 39f2d726e6043998f6ec1b313c990364e0375d51c378eb22fe4133d2eb9f33ed
                                                                                                                                          • Opcode Fuzzy Hash: 897e6647db87b1b2830348f5a11797d5b1fface30be8aeabf72c4b3f826762a4
                                                                                                                                          • Instruction Fuzzy Hash: 1351BF72E54226CFCB05CF68E8916AE77B2FF48315F1A8478C942AB380D7349D61DB90
                                                                                                                                          Function 02D9279A Relevance: .1, Instructions: 149COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Clipboard$CloseDataLongOpenWindow
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 1647500905-0
                                                                                                                                          • Opcode ID: 21d11593b06b6b5eb79f6e63fd47a5f9387efcfb7463e6a500f1e5ab04f28a14
                                                                                                                                          • Instruction ID: b4adda4f8f85d4498e50b8f1cb6e73ad137cdb58eaae517e4e9747738bb4c9ef
                                                                                                                                          • Opcode Fuzzy Hash: 21d11593b06b6b5eb79f6e63fd47a5f9387efcfb7463e6a500f1e5ab04f28a14
                                                                                                                                          • Instruction Fuzzy Hash: 455135B56153409BE724FB349C91FAE72E6EB95318F04193CE84A93382EA35DD048E77
                                                                                                                                          Function 02D92C84 Relevance: .1, Instructions: 145COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: eeaa634d9780d4e4967dcb6eee967f388bd03920789b3f6a7913e2a11f5edccd
                                                                                                                                          • Instruction ID: 3e6b8bc7b8c3465f030f90297815dc74d4d04fa5447f9cfa84461b15186819bf
                                                                                                                                          • Opcode Fuzzy Hash: eeaa634d9780d4e4967dcb6eee967f388bd03920789b3f6a7913e2a11f5edccd
                                                                                                                                          • Instruction Fuzzy Hash: CF51557890C2808FD324DB28C994B6EF7F6EB96704F05182DE5C987362D736AC10CB56
                                                                                                                                          Function 02DA3445 Relevance: .1, Instructions: 129COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 526c426eb78af458e2a0876eb06cf15b52f1dba985da1f470b53babc6d777165
                                                                                                                                          • Instruction ID: fe2c40e1e088740564d6ce8e1894880ba29480b25f77ddfa78e0b8675a5ef6db
                                                                                                                                          • Opcode Fuzzy Hash: 526c426eb78af458e2a0876eb06cf15b52f1dba985da1f470b53babc6d777165
                                                                                                                                          • Instruction Fuzzy Hash: D441A1B1E04557CBDB58CE58C8A0AAEB3B3FF88305F6946A8D946A7380D731AD51CB50
                                                                                                                                          Function 02D91190 Relevance: .1, Instructions: 128COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: a38eb12a2918de4fb37719fe2127d4d0814c86fd95f910b68cb4792d02e54a10
                                                                                                                                          • Instruction ID: 10814b06cc7ab7799ade5df06457c044b4d56fd19947ddad5b0e14360cea3b9f
                                                                                                                                          • Opcode Fuzzy Hash: a38eb12a2918de4fb37719fe2127d4d0814c86fd95f910b68cb4792d02e54a10
                                                                                                                                          • Instruction Fuzzy Hash: 4041C472B182524FD7088A3DC89032EBAD2AB85314F19876DF4EAC73D1D678C945DB54
                                                                                                                                          Function 02D84AB0 Relevance: .1, Instructions: 95COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: e4e46b66fb2f3ea2defab5feaf4e273a5737e9d6db71d8fd8aa7e1db4f2c4611
                                                                                                                                          • Instruction ID: f0f5a31d1ef4c7dba2b2b539e3e0de910ea6f0da6e88cefc7371a4fb6f4e6afa
                                                                                                                                          • Opcode Fuzzy Hash: e4e46b66fb2f3ea2defab5feaf4e273a5737e9d6db71d8fd8aa7e1db4f2c4611
                                                                                                                                          • Instruction Fuzzy Hash: 9B31C8357082029BD714AF59D890B27B7E5EF84358F18892DE899CB341E331FC42CB52
                                                                                                                                          Function 02DA3D0F Relevance: .1, Instructions: 88COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 379750375709bae250959cf3201b8fa9e5468756e3a6c6211b21538d7a2adcfa
                                                                                                                                          • Instruction ID: d579b93731fcbc9ad980ff609463eb9a64ff932c92cd4bc260f8f9e1716e0101
                                                                                                                                          • Opcode Fuzzy Hash: 379750375709bae250959cf3201b8fa9e5468756e3a6c6211b21538d7a2adcfa
                                                                                                                                          • Instruction Fuzzy Hash: CF4118B494065AAFDB14CF55C990AAEFBB2FF1A700F105A48D015AB751C334E961CF94
                                                                                                                                          Function 02DAB4BE Relevance: .1, Instructions: 83COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: e3f6c89f97f492425217299d2cfa10a39f11b247be6506eb16b2792e76c5deb1
                                                                                                                                          • Instruction ID: 96dd7c3797b268c7a2fe243e65a96dcb8a8d28851ad4a2ad2ccf405d20404ffe
                                                                                                                                          • Opcode Fuzzy Hash: e3f6c89f97f492425217299d2cfa10a39f11b247be6506eb16b2792e76c5deb1
                                                                                                                                          • Instruction Fuzzy Hash: A421C170A083019FC715DF14D460B2AB3E5EF95708F18896EF49587391E770DD09CB92
                                                                                                                                          Function 02D8E965 Relevance: .1, Instructions: 69COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: e4a9a8c63e6a0160622ad48acdc894ce8fdf50b72818db13100af2dea4488000
                                                                                                                                          • Instruction ID: 9943762ccb67c114b20859098f528951c1bcbe285142e88213eed28787b59484
                                                                                                                                          • Opcode Fuzzy Hash: e4a9a8c63e6a0160622ad48acdc894ce8fdf50b72818db13100af2dea4488000
                                                                                                                                          • Instruction Fuzzy Hash: 8D11DD72C0022A9BDB50EF14D8807E8B3BDEF45300F1905A4E808E7341E774AE89CFA5
                                                                                                                                          Function 02DB4E60 Relevance: .1, Instructions: 64COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                                                                                                          • Instruction ID: 0dbb4da7da6ba59318b4103fc9edc20159690c02ceed830ac40e2a09558cf921
                                                                                                                                          • Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                                                                                                          • Instruction Fuzzy Hash: 9A11A337A491D48AC316CD3C84605A6BFE30E93134B598399E4B59B3D3D6229D8AC354
                                                                                                                                          Function 02DABB20 Relevance: .1, Instructions: 63COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: dd8285ae00c2ed8d539d631acf39494bad83f47e0fe6b085ca0f33fa9170492b
                                                                                                                                          • Instruction ID: b460a47e3616966dda37ba0438298e5dfb937bb50ec8b625bc3aea6f969728a8
                                                                                                                                          • Opcode Fuzzy Hash: dd8285ae00c2ed8d539d631acf39494bad83f47e0fe6b085ca0f33fa9170492b
                                                                                                                                          • Instruction Fuzzy Hash: F7019EF160270187E720AF60E4E0F3BB2A9AFA460CF09042EC80957304EB75EC06CAB1
                                                                                                                                          Function 02DBD7E0 Relevance: .1, Instructions: 59COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: f010015948f8b396a02ef6186726fcc48c6da814095557424024eb0029bf90b7
                                                                                                                                          • Instruction ID: 3cf5e92e0a583d837a315c616f2078902e05d98597b62c5179f49951ee309527
                                                                                                                                          • Opcode Fuzzy Hash: f010015948f8b396a02ef6186726fcc48c6da814095557424024eb0029bf90b7
                                                                                                                                          • Instruction Fuzzy Hash: 992163B1A18340ABD300CF28EA9492BBBF5EB86608F54982DF08ACB341D734CD15CB52
                                                                                                                                          Function 02D8F134 Relevance: .1, Instructions: 51COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 54892e6a1925d8c58756411d0805684fe28e8f6da7d7524faa53d0e25c83ff85
                                                                                                                                          • Instruction ID: 87b5d9d02b91ab727ee0a1aa7430b499c570d7e0f0b62d535237332128c53508
                                                                                                                                          • Opcode Fuzzy Hash: 54892e6a1925d8c58756411d0805684fe28e8f6da7d7524faa53d0e25c83ff85
                                                                                                                                          • Instruction Fuzzy Hash: CC111372D042268FDB55CF54C8807FEB3B6AF99B14F594099C405A7340E778AD45CBA4
                                                                                                                                          Function 02D87040 Relevance: .0, Instructions: 45COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 0d31566452d4aee153513c7175947971b8852734d3413a025811500e18175e22
                                                                                                                                          • Instruction ID: bb44e05bba4cf6391f8bd7ab997090607c19e1330875bf24f12ecd2bc99deaa3
                                                                                                                                          • Opcode Fuzzy Hash: 0d31566452d4aee153513c7175947971b8852734d3413a025811500e18175e22
                                                                                                                                          • Instruction Fuzzy Hash: 46F0902ABA831707A310DCBADC80A6BF3A6E7C5654B394438E941D3301D565EC128294
                                                                                                                                          Function 02D8F1FC Relevance: .0, Instructions: 40COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 553b81a6f5577b4c1bb2ac9bb228674d13deb8345b7bda187acbcbd06e1a08ce
                                                                                                                                          • Instruction ID: 9b892c69b915b30944b35fd92dd71a9f3c2dffc46dffa2d35c3ee462823126c0
                                                                                                                                          • Opcode Fuzzy Hash: 553b81a6f5577b4c1bb2ac9bb228674d13deb8345b7bda187acbcbd06e1a08ce
                                                                                                                                          • Instruction Fuzzy Hash: 54F04F680A42128AC624EF08C47133373B0EF46658760984AD6D2CBB50F378DC41D79B
                                                                                                                                          Function 02D996B0 Relevance: .0, Instructions: 38COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: c8ba9e05988ac3a33073382158fc898507509c4f1e046660530b93e5cab66104
                                                                                                                                          • Instruction ID: 3584c9ed9e24508f0e541734786f888ae514f633e0d8f68a7b400fa94b566e6d
                                                                                                                                          • Opcode Fuzzy Hash: c8ba9e05988ac3a33073382158fc898507509c4f1e046660530b93e5cab66104
                                                                                                                                          • Instruction Fuzzy Hash: BAF0ECB17041E067DF228D549CE0F77BBDCCB87254F191419F84597301D1619C44CBE6
                                                                                                                                          Function 02DBA180 Relevance: .0, Instructions: 21COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
                                                                                                                                          • Instruction ID: 2205c55167872a20da9adc9a3335129e5b50a25b2aac4865fecdada980fa6ed1
                                                                                                                                          • Opcode Fuzzy Hash: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
                                                                                                                                          • Instruction Fuzzy Hash: B4D0A73160832186ABB58E19E8109B7F7F4EEC7A51F49955EF583E3248D330DC41C2A9
                                                                                                                                          Function 02DB13B5 Relevance: 21.1, APIs: 1, Strings: 11, Instructions: 148memoryCOMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: AllocString
                                                                                                                                          • String ID: 0$B$C$I$M$O$p$t$z${$}
                                                                                                                                          • API String ID: 2525500382-4079466104
                                                                                                                                          • Opcode ID: 3461b96948ce0d4e28269d3e076732d74ef3924be3081246e132d507cf52ca21
                                                                                                                                          • Instruction ID: 0c03253d5a5ad82b471f471ef453ee46b928b894208b921e64d40f625ed03298
                                                                                                                                          • Opcode Fuzzy Hash: 3461b96948ce0d4e28269d3e076732d74ef3924be3081246e132d507cf52ca21
                                                                                                                                          • Instruction Fuzzy Hash: 95A1A16040CBC2CAC332CA3C845879EBED16BA6224F188F9DE1F95B2E2D7754546D763
                                                                                                                                          Function 02DB194D Relevance: 19.3, APIs: 1, Strings: 10, Instructions: 75COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: InitVariant
                                                                                                                                          • String ID: ($,$Q$S$T$T$T$c$n$w
                                                                                                                                          • API String ID: 1927566239-2354970113
                                                                                                                                          • Opcode ID: 0237a473f9fa19944eb45aef88e681ac78409f0ca7aa9d316cb2179490b94c91
                                                                                                                                          • Instruction ID: 1f1e8248a4160ab19e75b2d6fa8baaeb92057eba2367a9131681f95a967655a3
                                                                                                                                          • Opcode Fuzzy Hash: 0237a473f9fa19944eb45aef88e681ac78409f0ca7aa9d316cb2179490b94c91
                                                                                                                                          • Instruction Fuzzy Hash: F141E23000C7C2CAD336CB2884587CBBFE06B96314F488A5DD5E88B392C7755219CBA7
                                                                                                                                          Function 02DB221F Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 79COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Variant$ClearInit
                                                                                                                                          • String ID: "$$$%$+$3
                                                                                                                                          • API String ID: 2610073882-3433838884
                                                                                                                                          • Opcode ID: d279923a7b09325437838f7e6f77594770f0bc988f44300a0727ab0ccf452b15
                                                                                                                                          • Instruction ID: 8f108376723f05494fb9fabc0f7c108ab3a07cd716c53bab9ef7a4df75bd6a51
                                                                                                                                          • Opcode Fuzzy Hash: d279923a7b09325437838f7e6f77594770f0bc988f44300a0727ab0ccf452b15
                                                                                                                                          • Instruction Fuzzy Hash: CF41D47100C7C28AD322DB78944878EFFE1AB96324F444A5DE4E9873E2DB749549CB53
                                                                                                                                          Function 02DB25EE Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 75COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Variant$ClearInit
                                                                                                                                          • String ID: "$$$%$+$3
                                                                                                                                          • API String ID: 2610073882-3433838884
                                                                                                                                          • Opcode ID: c9c40a5fa3936a50a759371d9f276b14615348b57830154840bb5704be9d2fa3
                                                                                                                                          • Instruction ID: 7bd6f3e1823280fef00d7060d3b227d76b30f66be2e465228f3eb976e0ea2b7e
                                                                                                                                          • Opcode Fuzzy Hash: c9c40a5fa3936a50a759371d9f276b14615348b57830154840bb5704be9d2fa3
                                                                                                                                          • Instruction Fuzzy Hash: E341B27100C7C2CAD322DB78945868EFFE16BA6324F444A4DE4E58B3E2D7749509CB63
                                                                                                                                          Function 02DB0BBD Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 73COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: InitVariant
                                                                                                                                          • String ID: A$B$C$E$r$t
                                                                                                                                          • API String ID: 1927566239-281525357
                                                                                                                                          • Opcode ID: db7b5b606f34d33adb6dcdecfdedb91ffcfa166097c67987141dea6ba8b769c1
                                                                                                                                          • Instruction ID: c8c6c2b9a69d37b55e63af7c01118c12c662a475f31eaee2bcf15ff2f807a403
                                                                                                                                          • Opcode Fuzzy Hash: db7b5b606f34d33adb6dcdecfdedb91ffcfa166097c67987141dea6ba8b769c1
                                                                                                                                          • Instruction Fuzzy Hash: F431FA70508B81CED721DF28C49475ABFA0AF56314F188A8CD8EA4F397D775E845CBA2
                                                                                                                                          Function 02DAFD40 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 66COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: InitVariant
                                                                                                                                          • String ID: A$B$C$E$r$t
                                                                                                                                          • API String ID: 1927566239-281525357
                                                                                                                                          • Opcode ID: 463d9f51efe6a1a3722279d1f4b838b6d858695f0780bd23d3f67c5f71392b1f
                                                                                                                                          • Instruction ID: f625369d9dd01c2fe9dee1bafa2e77f09c0f450b5bc20909075d2288cdc49ae0
                                                                                                                                          • Opcode Fuzzy Hash: 463d9f51efe6a1a3722279d1f4b838b6d858695f0780bd23d3f67c5f71392b1f
                                                                                                                                          • Instruction Fuzzy Hash: B631C8705087818ED721DF2CC49471ABFE1AB56214F088A8DE8EA8F796C775E805CB62
                                                                                                                                          Function 02DA43A8 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 195COMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: DrivesLogical
                                                                                                                                          • String ID: CE$G&I$wy${}
                                                                                                                                          • API String ID: 999431828-4005062095
                                                                                                                                          • Opcode ID: d18fb53936210a4883e16ac9c9ec193815027cf579447907c41c615b38c47f86
                                                                                                                                          • Instruction ID: 6e113455c966472c2a890d32b0232485ed126c9453e6363065e467943092a04f
                                                                                                                                          • Opcode Fuzzy Hash: d18fb53936210a4883e16ac9c9ec193815027cf579447907c41c615b38c47f86
                                                                                                                                          • Instruction Fuzzy Hash: 4E8173B4A0121ADFCB10CF58D890AAABBB1FF05304B195A48E455AF701D374E9A1CFD4
                                                                                                                                          Function 02DA9175 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 163fileCOMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          APIs
                                                                                                                                          • CopyFileW.KERNEL32(02DA9642,?,00000000), ref: 02DA9253
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: CopyFile
                                                                                                                                          • String ID: 4`[b$MNOP
                                                                                                                                          • API String ID: 1304948518-442539271
                                                                                                                                          • Opcode ID: 655e6d1d886841e9ca5fd01a2444f16c3ba0b0b24e81e7d1b520b90446f63239
                                                                                                                                          • Instruction ID: bfe9e19dfecf39af18d054a09555ec93872ee9838fb273ae579189ad74ab4e10
                                                                                                                                          • Opcode Fuzzy Hash: 655e6d1d886841e9ca5fd01a2444f16c3ba0b0b24e81e7d1b520b90446f63239
                                                                                                                                          • Instruction Fuzzy Hash: 9B517BB5D0021ADBEB14CF54D860ABEB772FF49304F244A58E84667780C770AD21CFA1
                                                                                                                                          Function 02DA9196 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 150fileCOMMON
                                                                                                                                          Download Yara Rule
                                                                                                                                          APIs
                                                                                                                                          • CopyFileW.KERNEL32(02DA9642,?,00000000), ref: 02DA9253
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2134957379.0000000002D80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02D80000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_2d80000_BitLockerToGo.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: CopyFile
                                                                                                                                          • String ID: 4`[b$MNOP
                                                                                                                                          • API String ID: 1304948518-442539271
                                                                                                                                          • Opcode ID: 1e8edddf0b9c5d9042dbd1805c444a6ded3d3a0847250bb212f3cf0c4a19918b
                                                                                                                                          • Instruction ID: ad63e6d87568c71417614b5e6215f67188649b5c4572e0ac0ded960e7dd204d6
                                                                                                                                          • Opcode Fuzzy Hash: 1e8edddf0b9c5d9042dbd1805c444a6ded3d3a0847250bb212f3cf0c4a19918b
                                                                                                                                          • Instruction Fuzzy Hash: FB5188B9D0022ADBEB14CF54D860AAEB772FF49300F244A58E84667780C774AD21CFA1